Security teams deal with many operational activities on a daily basis that are time-sensitive in nature. One such key activity is vulnerability management. Every year, security researchers around the world report thousands of new vulnerabilities that are labeled and archived under the Common Vulnerabilities and Exposures (CVE) system. In 2019 alone, 20,362 new vulnerabilities were identified, marking an increase of 17.6% over the previous year.
Vulnerabilities in critical software or hardware systems can become the entry point for cybercriminals to build their malicious exploits. Therefore, it becomes imperative for security teams to fill gaps in their systems at a rapid pace to stay ahead of the attackers. However, not all vulnerabilities pose an equal amount of risk to an organization at a particular moment in time. To avoid overwhelming their resources, security teams need to prioritize the vulnerability management process using the right contextual information. This is where threat intelligence plays an important role by allowing security teams to adopt a smarter risk-based approach instead of trying to patch everything.
An in-depth analysis of the vulnerability management process published by Gartner last year provides several key considerations including:
Despite the large number of vulnerabilities reported every year, only a small percentage of them are actually exploited by attackers. Thus, a vulnerability is only as dangerous as the threat exploiting it.
Vulnerability rating systems such as the Common Vulnerability Scoring System (CVSS) do not take into account what threat actors are exploiting in the wild. So, a high vulnerability rating is simply not enough to prioritize the patching of a flaw.
The vulnerability management process must account for the value of different assets, the severity of vulnerabilities, threat actor activity, and the availability of exploits.
According to Gartner, the average time taken from the discovery to the exploitation of a security vulnerability has gone down from 45 days to 15 days over the last decade. Thus, time is of the essence as threat actors keep increasing the pace of exploitation.
Evaluating Risk With Threat Intelligence
A study conducted by the Ponemon Institute in 2019 revealed that over 60 percent of the breaches reported in the year could have been prevented by applying existing security patches. This often occurs due to a disconnect between vulnerability patching processes and real-world threats. Threat intelligence helps address this by enabling a risk-based approach to take the focus away from the sheer number of reported vulnerabilities to the issues that actually need to be addressed first.
Vulnerability patching can often become a time-consuming process that interrupts business operations. At times, patching may even be delayed in favor of business continuity. To avoid such circumstances, organizations need to ensure that vulnerability management is connected to real, imminent risks. By bringing threat intelligence into the fray, organizations can approach the issue through a smarter lens of risk-based analysis of vulnerabilities.
To assess the true risk from a security vulnerability, security teams need to combine the findings of internal vulnerability scanning tools with external intelligence from different sources, and gain an understanding of threat actor behavior.
Tactical threat intelligence provides key insights into the weaponization of vulnerabilities through different malware or exploits. It shows what objectives the threat actors want to achieve at every stage of the attack lifecycle and what techniques they use to achieve it. By understanding the attackers’ tactics and techniques, security teams can evaluate the risk posed to specific internal systems, thereby also helping identify the vulnerabilities that need to be prioritized first.
On top of this, security teams must also consider contextual factors such as the industry in which their organization operates, the geographic location, and business functions. With threat intel insights from known attack campaigns, security teams can create their own internal risk-based scoring system to prioritize vulnerabilities. The CTIX threat intelligence platform allows security teams to customize indicator scoring, which makes it easier to be notified of and prioritize the vulnerabilities that are most relevant to a specific organization. This allows them to set the appropriate parameters for ranking vulnerabilities based on their unique threat environment and thus helps establish a much more reliable long-term process for vulnerability management. The CFTR fusion and threat response platform takes this one step further and enables users to create a single database of vulnerabilities for tracking, mitigation, and correlation with malware, threat actors, assets, and incidents, so that opportunities for their exploitation can be proactively neutralized.
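The following is an added, illustrative risk-based scoring function in the spirit of the internal scoring system described above; it is not CTIX's or CFTR's own scoring logic. The weights, the vulnerability records and their identifiers (EXAMPLE-CVE-A, B, C) are constructed for this example, and the asset-value scale is assumed to come from an asset inventory.

```python
from dataclasses import dataclass


@dataclass
class Vuln:
    """One scanner finding enriched with asset context and threat intel."""
    cve: str                    # constructed placeholder identifier
    cvss: float                 # CVSS base score, 0.0 to 10.0
    asset_value: int            # 1 (low) to 5 (crown jewel), assumed inventory scale
    exploit_public: bool        # a working exploit is publicly available
    exploited_in_wild: bool     # threat intel reports active exploitation
    actor_targets_sector: bool  # the exploiting actor targets our industry or region


def risk_score(v: Vuln) -> float:
    """Severity is only one factor: it is scaled by asset value and then
    raised by threat-intel context. The weights below are assumptions."""
    score = v.cvss * (v.asset_value / 5)  # what the asset is worth to us
    if v.exploit_public:
        score += 1.5                      # weaponization lowers attacker cost
    if v.exploited_in_wild:
        score += 3.0                      # observed exploitation is the strongest signal
    if v.actor_targets_sector:
        score += 1.5                      # campaign is relevant to our context
    return round(min(score, 15.0), 2)


def prioritize(vulns: list[Vuln]) -> list[str]:
    """Return CVE identifiers ordered by descending risk score."""
    return [v.cve for v in sorted(vulns, key=risk_score, reverse=True)]


def sample_vulns() -> list[Vuln]:
    # Constructed records: A has the highest CVSS but no threat activity on a
    # low-value asset; B is medium CVSS but actively exploited on a key asset.
    return [
        Vuln("EXAMPLE-CVE-A", 9.8, 2, False, False, False),
        Vuln("EXAMPLE-CVE-B", 6.5, 5, True, True, True),
        Vuln("EXAMPLE-CVE-C", 7.5, 4, True, False, False),
    ]


if __name__ == "__main__":
    for v in sorted(sample_vulns(), key=risk_score, reverse=True):
        print(f"{v.cve}: cvss={v.cvss} risk={risk_score(v)}")
```

With these records the "critical" EXAMPLE-CVE-A ranks last, which is the point the article makes: a CVSS rating alone is not a patching priority.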
Threat intelligence helps security teams identify the most critical vulnerabilities, create optimal mitigation strategies, and communicate risk with security managers, executives, and other business functions. By helping correlate security vulnerabilities with real-world risks, it helps make vulnerability management more streamlined and efficient.