Prioritising Risk Across the Cyber Attack Surface

The severity of network vulnerabilities is alarming, and organisations are becoming overwhelmed. In 2019, a total of 17,313 new vulnerabilities were disclosed, which means that security teams had to deal with 47 new vulnerabilities every day. As modern networks become more agile, diverse, and large, the attack surface grows broader and more hostile.

Irrespective of how large your organisation or budget is, you will never have enough resources to remediate every vulnerability across your cyber attack surface. We are dealing with more vulnerabilities today than ever before, so security teams must understand vulnerabilities in context and use that data to make informed decisions. Given limited time and resources, prioritisation is necessary.

Traditional IT cannot withstand the threats of today. With the advent of cloud computing, the modern attack surface has expanded. Legacy tooling is designed to scan for vulnerabilities in traditional IT environments; risk-based vulnerability management instead helps security teams put vulnerabilities in context and focus on the issues that pose the greatest risk to the organisation.

LEGACY PRIORITISATION METHODS ARE INEFFECTUAL

Employing methods such as the Common Vulnerability Scoring System (CVSS) to prioritise vulnerabilities for remediation has become largely ineffective in an age when the sheer number of vulnerabilities has tripled. According to Carnegie Mellon University, “CVSS is designed to identify the technical severity of a vulnerability. What people seem to want to know, instead, is the risk a vulnerability or flaw poses to them, or how quickly they should respond to a vulnerability.”

CVSS is an ineffective basis for prioritising remediation. Its metric table indicates that High vulnerabilities have a CVSS score of 7 or higher, and Critical vulnerabilities have a CVSS score of 9 or higher. According to research by Tenable, 56% of vulnerabilities are assigned a CVSS score of 7 or higher, which means that for every 150,000 disclosed vulnerabilities, security teams would have to remediate 84,000. Given that most large organisations already have numerous vulnerabilities to address, a cut-off that flags more than half of all disclosures does not narrow the work, and CVSS alone is ineffective.

CVSS AS A POOR INDICATOR OF ACTUAL RISK

It is widely recognised in the industry that the CVSS method is risk-agnostic. Most CVSS scores are assigned within fifteen days of a vulnerability’s discovery, and they reflect a theoretical assessment of how dangerous the vulnerability could be rather than the risk it actually poses. As a result, security teams end up chasing the wrong issues and wasting their time in the process. Focusing on the wrong issues poses significant risk, as many genuinely critical vulnerabilities remain unaddressed.

USING DATA SCIENCE TO PREDICT VULNERABILITY OUTCOMES

It has been widely asserted for about a decade that data is the new oil. Deriving actionable insights from datasets is what turns data into decisions. Given the large volume and scale of vulnerabilities today, machine learning-based technologies can help automate prioritisation. Such a model takes into consideration past threat patterns, CVSS data, the availability of exploit code, and past threat sources, among other factors, and outputs a risk-based score, enabling organisations’ security teams to focus on what is truly important and mission-critical.
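As an added illustration (not code from the original post or any vendor's scoring model), the constructed example below contrasts the CVSS cut-off described earlier with a simple context-weighted score built from the factors this paragraph lists. The weights, the asset-criticality scale and the sample findings are all assumptions made for the demonstration.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    vuln_id: str             # constructed identifier, not a real CVE
    cvss: float              # CVSS base score, 0.0 to 10.0
    exploit_public: bool     # working exploit code is publicly available
    exploited_in_wild: bool  # active exploitation reported by threat intel
    internet_facing: bool    # affected asset is reachable from the internet
    asset_criticality: int   # 1 (low) to 3 (business-critical), assumed scale


# Assumed weights for illustration only; a real model would learn them from data.
THREAT_FACTOR = {"in_wild": 1.4, "exploit_public": 1.1, "none": 0.6}
EXPOSURE_FACTOR = {True: 1.25, False: 0.75}
CRITICALITY_FACTOR = {1: 0.9, 2: 1.0, 3: 1.2}


def cvss_backlog(findings, threshold=7.0):
    """Legacy prioritisation: everything at or above the CVSS cut-off is 'high'."""
    return [f.vuln_id for f in findings if f.cvss >= threshold]


def risk_score(f):
    """Context-aware score: start from CVSS, then scale by evidence of real-world
    threat activity, network exposure and what the affected asset is worth."""
    if f.exploited_in_wild:
        threat = THREAT_FACTOR["in_wild"]
    elif f.exploit_public:
        threat = THREAT_FACTOR["exploit_public"]
    else:
        threat = THREAT_FACTOR["none"]
    return f.cvss * threat * EXPOSURE_FACTOR[f.internet_facing] * CRITICALITY_FACTOR[f.asset_criticality]


def risk_backlog(findings, threshold=7.0):
    """Risk-based prioritisation: rank by contextual score, keep those above the cut-off."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [f.vuln_id for f in ranked if risk_score(f) >= threshold]


# Constructed sample inventory (not real vulnerabilities).
FINDINGS = [
    Finding("V-001", 9.8, False, False, False, 1),  # critical CVSS, no exploit, internal, low-value host
    Finding("V-002", 7.5, True, True, True, 3),     # actively exploited on an internet-facing critical asset
    Finding("V-003", 5.4, True, True, True, 2),     # medium CVSS but exploited in the wild and exposed
    Finding("V-004", 7.2, True, False, False, 2),   # exploit exists, but the host is internal
    Finding("V-005", 8.1, True, False, True, 1),    # exploit exists and the host is exposed
]

if __name__ == "__main__":
    print("CVSS >= 7 backlog:", cvss_backlog(FINDINGS))   # 4 of the 5 findings
    print("Risk-based backlog:", risk_backlog(FINDINGS))  # 3 findings, ordered by score
```

The CVSS cut-off flags the 9.8 on an unexposed, low-value host while the risk-based ranking drops it and promotes the medium-scored finding that is actually being exploited.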
