Turning Data into Action: Intelligence-Driven Vulnerability Management
Prioritizing vulnerabilities with context has always been a challenge for vulnerability management teams, and the task isn’t getting easier as the number of published CVEs continues to grow. To keep up, many enterprises are forced to invest in additional products, services and intelligence feeds to protect their environments. In this blog, we explain how Tenable Vulnerability Intelligence and Exposure Response help organizations make data-driven decisions to better prioritize and operationalize their programs.
Vulnerability management presents a seemingly insurmountable obstacle for organizations: how to deal with a massive and rapidly growing number of published Common Vulnerabilities and Exposures (CVEs). As an organization that has been focused on vulnerability management from the beginning, Tenable grapples with this issue too, but with an added complication: because of our broad customer base, we need to cover as many CVEs in as many products as possible while maintaining risk context, accuracy and reliability.
The solution isn’t to try to check for every possible combination of CVEs and affected products. We have to prioritize the most critical vulnerabilities with accurate and targeted context. To make these decisions quickly and precisely, Tenable leverages a vast, searchable database of vulnerability information from both external sources and from Tenable Research. This is the same data source that drives a new capability in the Tenable Vulnerability Management product called Vulnerability Intelligence, which is aimed at helping customers better operationalize their vulnerability management programs and make quick data-driven prioritization decisions.
It’s bad and getting worse
We’re only halfway through 2024, and we’re well on pace to exceed 30,000 published CVEs this year. Further complicating matters, we’re seeing more and more CVEs in underlying components, frameworks and language libraries. This means organizations aren’t fixing a single application but rather tracking down and fixing every application that leverages the impacted vulnerable component.
Leveraging Vulnerability Intelligence to build prioritization strategies
At Tenable, beyond our everyday efforts to provide up-to-date vulnerability coverage for releases of major products, we are constantly on the lookout for the next major vulnerability to ensure we can respond as quickly as possible. Leveraging the contextual data from Vulnerability Intelligence is critical to ensuring we can make informed decisions quickly. Additionally, with the significant backlog that the National Vulnerability Database (NVD) is facing, our Vulnerability Intelligence dataset has allowed us to keep up to date with the latest vulnerabilities and risks, as we are not tied to a single data source.
Opening up Vulnerability Intelligence brings you to a set of hexagons that represent the risk categories of vulnerabilities we want to highlight as carrying the highest level of threat. While they are not the only decision criteria we use, the categories in Vulnerability Intelligence are based on data points that feed into the Tenable Vulnerability Database, which drives our risk rating decisions.
Categories include:
- Emerging Threats is a set of vulnerabilities that are being actively monitored by our Security Response team and often have a direct path from that team to the development of plugins to cover those vulnerabilities, particularly those in the Vulnerabilities of Interest and Vulnerabilities of Concern categories.
- VPR gives our teams a numerical score to quickly input and sort on, though as with any score, understanding the context behind it is critical.
- Ransomware highlights vulnerabilities associated with this type of attack, particularly in major enterprise applications, as those can lead to attacks that are particularly dangerous for any organization.
As can be seen in the screenshot above, focusing on any of these target categories can significantly reduce the number of CVEs to focus on. Contrasted against the roughly 250,000 CVEs that have been published, the numbers above become far more manageable and speak to real risk, as opposed to the severity scores that come from CVSS metrics alone.
Turning data into a prioritization strategy
Many organizations are still building operations around basic prioritization metrics - whether it’s targeting specific products, CVSS scores or proprietary mandates. Often this is because of a need to adhere to a specific compliance standard, or simply because of a need to have something that can be measured. While tracking and measuring against a simple CVSS score or severity can be straightforward, it does not provide a lot of context, and it is not a strategy that has a demonstrable impact on risk.
That’s where the new Exposure Response capability in Tenable Vulnerability Management also helps us. Exposure Response enables teams to develop vulnerability management strategies that are measurable and reflect real world risk. One of the most important tools in any VM program is the ability to track performance. Unfortunately, most graphs end up looking like a flatline because the number of new vulnerabilities coming in ends up canceling out the number of vulnerabilities that get remediated on an ongoing basis. By having more focused targets, it is possible to truly measure performance over time and set achievable SLA targets.
The U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog has become a valuable and popular resource that brings focus to a particular set of vulnerabilities for which there is evidence of exploitation in the wild. While the KEV is not comprehensive, the risk associated with these particular CVEs, and the attention many organizations pay to the KEV, has made it one of several benchmarks our Tenable Research teams use for tracking vulnerability coverage. Using Exposure Response, vulnerability management teams can similarly create a trackable CISA KEV-based initiative to benchmark their remediation efforts against. As mentioned previously, SLAs and benchmarks are critical for any remediation strategy. We strive to have coverage for KEV vulnerabilities as quickly as possible, ideally before they hit the KEV but, if not, often within hours of publication to the KEV.
Exposure Response provides the exact tools needed to put these sorts of measurements into place. Given the visibility and risk associated with the KEV, it may make sense to set an SLA of just a few days and aim to maintain a benchmark of >90% of findings remediated. The key is ensuring that the strategies that are put in place are measurable and achievable.
Compared with the roughly 250,000 CVEs that have been published, to date there are only 1,134 CVEs in the CISA KEV catalog. With only a handful of CVEs added to the KEV each month, this is an impactful set of CVEs that teams can actually measure performance against.
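One way to implement a KEV-based initiative with an SLA and a >90% benchmark like the one described above, as an added example that is not Tenable's code or a Tenable API: the feed sample follows the field names of CISA's public KEV JSON (cveID, dateAdded, dueDate), but every finding, date, the placeholder CVE-1900-* IDs and the 3-day SLA are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
# Constructed sample in the shape of CISA's KEV JSON feed (only the fields used here);
# CVE-2018-0824 is the entry named on this page, CVE-1900-0001 is a placeholder ID.
KEV_FEED = {"vulnerabilities": [
    {"cveID": "CVE-2018-0824", "dateAdded": "2024-08-05", "dueDate": "2024-08-26"},
    {"cveID": "CVE-1900-0001", "dateAdded": "2024-07-01", "dueDate": "2024-07-22"},
]}
@dataclass
class Finding:
    asset: str
    cve: str
    first_seen: date       # date the scanner first reported it
    fixed: Optional[date]  # None while the finding is still open

SLA_DAYS = 3      # internal SLA for KEV findings, as the text suggests
BENCHMARK = 0.90  # target: more than 90% of KEV findings remediated within SLA

def kev_scorecard(findings, feed, today, sla_days=SLA_DAYS):
    """Score only KEV findings, so the stream of new non-KEV CVEs cannot flatten the metric."""
    kev = {v["cveID"]: v for v in feed["vulnerabilities"]}
    met, breached, pending, bod_overdue = 0, [], [], []
    for f in findings:
        if f.cve not in kev:
            continue  # out of scope for this initiative
        added = date.fromisoformat(kev[f.cve]["dateAdded"])
        # Internal SLA clock starts at KEV addition or first sighting, whichever is later.
        deadline = max(added, f.first_seen) + timedelta(days=sla_days)
        if f.fixed is not None and f.fixed <= deadline:
            met += 1
        elif f.fixed is None and today <= deadline:
            pending.append(f.asset)  # still inside SLA, outcome not yet known
        else:
            breached.append(f.asset)  # fixed late, or open past the deadline
        if f.fixed is None and today > date.fromisoformat(kev[f.cve]["dueDate"]):
            bod_overdue.append(f.asset)  # BOD 22-01 clock runs from dateAdded, not first sighting
    rate = met / (met + len(breached)) if met or breached else 1.0
    return {"in_scope": met + len(breached) + len(pending), "met": met, "breached": breached,
            "pending": pending, "bod_overdue": bod_overdue,
            "sla_rate": round(rate, 3), "benchmark_met": rate > BENCHMARK}
# Constructed findings; "today" is pinned so the result is reproducible.
TODAY = date(2024, 8, 10)
FINDINGS = [
    Finding("host-a", "CVE-2018-0824", date(2024, 8, 5), date(2024, 8, 7)),   # fixed within SLA
    Finding("host-b", "CVE-2018-0824", date(2024, 8, 6), None),               # open, SLA deadline 08-09 passed
    Finding("host-c", "CVE-1900-0001", date(2024, 6, 20), date(2024, 7, 3)),  # seen before KEV add; clock starts 07-01
    Finding("host-d", "CVE-1900-0001", date(2024, 8, 9), None),               # inside SLA, but past CISA's due date
    Finding("host-e", "CVE-1900-0002", date(2024, 8, 1), None),               # placeholder ID, not in KEV: ignored
]
```

Pending findings are left out of the rate until their SLA window closes, so an initiative that has just started does not report a false pass or fail; host-d also shows why an internal SLA and CISA's BOD 22-01 due date need tracking separately.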
Conclusion
Prioritization and operationalization of vulnerabilities has long been a major challenge for vulnerability management teams. The sheer number of vulnerabilities published year after year means that teams simply can’t keep up, and the lack of easy-to-access context means that prioritization is often either a guessing game, a massive amount of work, or a limited effort that falls short, such as focusing only on CVSS severities. Tenable Vulnerability Management introduced Vulnerability Intelligence, with all the context needed in one place, and Exposure Response, to operationalize a targeted and measurable vulnerability management workflow.
Threat Actor Claiming Breach of Gregory’s Foods 400Gb Database
A threat actor has claimed responsibility for breaching Gregory’s Foods, a well-known supplier of frozen bread, bun, and cookie doughs, among other bakery products. The announcement was made on a dark web forum, where the alleged hacker stated that a 400GB database file from Gregory’s Foods is now up for sale. This breach has raised […]
The post Threat Actor Claiming Breach of Gregory’s Foods 400Gb Database appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
Beware Of Fake AI Editor Website That Steals Your Login Credentials
Hackers often make use of fake AI editor websites for a range of illicit purposes. Among their prime activities are deceiving users into providing personal information, downloading malware, making payments for fraudulent services, and many more. Recently, cybersecurity researchers at Trend Micro identified a sophisticated malvertising campaign that targeted social media users through a […]
Replacement for Action Fraud, UK’s cybercrime reporting service, delayed again until 2025
Telecommunications are the primary targets of cyberattacks
Keytronic incurred approximately $17 million of expenses following ransomware attack
The sunset of uBlock Origin: the popular ad blocker moves to Manifest V3
CrowdStrike trying to use legal threats to suppress criticism and parody of global IT outage
Keep Your Data Safe with This PII Compliance Checklist
Ryan Pentney reflects on 10 years of Talos and his many roles from the Sourcefire days
How Long Does a DDoS Attack Last?
CISA Adds One Known Exploited Vulnerability to Catalog
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
- CVE-2018-0824 Microsoft COM for Windows Deserialization of Untrusted Data Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.