
Patch where it Hurts: Effective Vulnerability Management in 2023

Jan 12, 2023 | The Hacker News | Vulnerability Management

Data from the recently published Security Navigator[1] report shows
that businesses are still taking 215 days to patch a reported
vulnerability. Even for critical vulnerabilities, it generally takes
more than 6 months to patch.

Good vulnerability management is not about being fast enough to
patch every potential breach. It’s about focusing on the real
risk, using vulnerability prioritization to correct the most
significant flaws and reduce the company’s attack surface the most.
Company data and threat intelligence need to be correlated and
automated; this is essential to enable internal teams to focus their
remediation efforts. Suitable technologies can take the shape of a
global Vulnerability Intelligence Platform. Such a platform can
help to prioritize vulnerabilities using a risk score and let
companies focus on their real organizational risk.

Getting Started

Three facts to have in mind before establishing an effective
vulnerability management program:

1. The number of discovered vulnerabilities increases every
year. An average of 50 new vulnerabilities are discovered every day,
so it is easy to see that it’s impossible to patch them all.

2. Only some vulnerabilities are actively exploited and
represent a very high risk to all organizations. Around 6% of all
vulnerabilities are ever exploited in the wild: we need to
reduce the burden and focus on the real risk.

3. The same vulnerability can have a completely different impact
on the business and on the infrastructure of two distinct
companies, so both the business exposure and the severity of the
vulnerability need to be considered. Based on these facts we
understand that there is no point in patching every vulnerability.
Instead, we should focus on those that pose a real risk based on
the threat landscape and the organizational context.

The concept of risk-based vulnerability management

The objective is to focus on the most critical assets and on the
assets at higher risk of being targeted by threat actors. To
approach a risk-based vulnerability management program we need to
consider two environments.

The internal environment

The client’s landscape represents the internal environment.
Companies’ networks are growing and diversifying, and so is their
attack surface. The attack surface represents all components of the
information system which can be reached by hackers. Having a clear
and up-to-date view of your information system and of your attack
surface is the very first step. It is also important to consider
the business context. Indeed, companies can be a greater target
depending on their business sector, due to the specific data and
documents they possess (intellectual property, classified
defense…). The last key element to consider is the unique context
of the individual company. The objective is to classify assets
according to their criticality and to highlight the most important
ones. For instance: assets that, if unavailable, would cause a
major disruption to business continuity, or highly confidential
assets that, if accessed, would expose the organization to
multiple lawsuits.

The external environment

The threat landscape represents the external environment. This
data isn’t accessible from the internal network. Organizations need
to have the human and financial resources to find and manage this
information. Alternatively, this activity can be externalized to
professionals who will monitor the threat landscape on the
organization’s behalf.

Knowing which vulnerabilities are actively exploited is a
must, since they represent a higher risk for a company. These
actively exploited vulnerabilities can be tracked thanks to threat
intelligence capabilities combined with vulnerability data. For
the most efficient results, it’s even better to use multiple threat
intelligence sources and correlate them. Understanding attacker
activity is also valuable, since it helps anticipate potential
threats. For instance: intelligence concerning a new zero-day or a
new ransomware campaign can be actioned on a timely basis to prevent
a security incident.

Combining and understanding both environments will help
organizations define their real risk and pinpoint more
efficiently where preventive and remediation actions should be
deployed. There is no need to apply hundreds of patches, but rather
ten carefully selected ones that will drastically reduce an
organization’s attack surface.

Five key steps to implement a risk-based vulnerability management program

  1. Identification: Identify all your assets to
    discover your attack surface: a discovery scan can help give a
    first overview. Then launch regular scans on your internal and
    external environments and share the results with the Vulnerability
    Intelligence Platform.
  2. Contextualization: Configure your business
    context as well as the criticality of your assets in the
    Vulnerability Intelligence Platform. The scanning results will then
    be contextualized with a specific risk score per asset.
  3. Enrichment: The scan results need to be
    enriched using additional sources provided by the Vulnerability
    Intelligence Platform, such as threat intelligence and attacker
    activity, which help to prioritize with the threat
    landscape in mind.
  4. Remediation: Thanks to the risk score given
    per vulnerability, which can be matched with threat intelligence
    criteria such as “easily exploitable”, “exploited in the wild” or
    “widely exploited”, prioritizing remediation effectively is
    much easier.
  5. Evaluation: Monitor and measure the progress
    of your vulnerability management program using KPIs and customized
    dashboards and reports. It’s a continuous improvement process!

This is a story from the trenches found in the 2023 Security Navigator report.[2] More on vulnerabilities
and other interesting topics, including malware analysis and cyber
extortion, as well as tons of facts and figures on the security
landscape, can be found in the full report. You can download the
120+ page report for free on the Orange Cyberdefense website. So
have a look, it’s worth it!

Note: This informative story was expertly crafted by
Melanie Pilpre, product manager at Orange Cyberdefense.


References

  1. Security Navigator (www.orangecyberdefense.com)
  2. 2023 Security Navigator report (www.orangecyberdefense.com)
  3. Twitter (twitter.com)
  4. LinkedIn (www.linkedin.com)
