The importance of relying on scoring such as the Vulnerability Risk Rating
With 214.2K vulnerabilities recorded in the NVD (National Vulnerability Database), the reference database for vulnerability management, IT teams surveyed by our partner Ivanti cited complexity (71 percent) and lack of time (45 percent) as the main obstacles to following up on remediation.
The NVD, which in turn is fed by the CVE (Common Vulnerabilities and Exposures) list and enriches each entry with severity scores, impact assessments and remediation references, is one of the common bases companies use for risk management, together with the CWE (Common Weakness Enumeration).
But most detected vulnerabilities have no known threat associated with them. The 2021 RiskSense report shows that of these 214 thousand vulnerabilities, about 25 thousand are weaponized, 6 thousand allow remote code execution or privilege escalation, 243 are linked to ransomware and only 158 show an active exploitation trend.
To improve remediation strategies, it is not enough to know the impact a vulnerability would have on business systems; you also have to estimate the likelihood that it will actually be exploited.
Only then can vulnerability management be prioritized consistently: the traditional approach, which works through the backlog in bulk by base score, risks spending effort on vulnerabilities that pose no immediate danger to the environment at the expense of far more dangerous ones.
And the threat landscape changes rapidly: how many lesser-known vulnerabilities have suddenly become exploit targets, not least because politically motivated groups weaponized them?
Take CVE-2017-0144, for example. This SMBv1 vulnerability was the entry point for WannaCry, the ransomware that infected over 200 thousand devices in some 150 countries in 2017. It ranks in the CWE Top 40 and the OWASP (Open Web Application Security Project) Top 10, yet its CVSS v3 base score is only 8.1 (High). Its public profile and the active exploit threat call for reclassification to Critical (10) so that it is actioned immediately.
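To make the reasoning of the previous paragraphs concrete, here is an added example (written for this article, not Ivanti's VRR algorithm, whose weights are proprietary) of a risk-adjusted rating. It takes the CVSS v3 base score and the same four threat signals the RiskSense figures are broken down by (weaponized, RCE/privilege escalation, ransomware, trending exploitation), raises the score when signals are present and dampens it when none are. The uplift weights and the dampening factor are assumptions chosen for illustration; CVE-2017-0144 is the real case from the text, while the other three entries are constructed sample findings with placeholder identifiers.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


def severity_band(score: float) -> str:
    """Map a 0-10 score to the CVSS v3 qualitative bands."""
    if score == 0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass
class Finding:
    cve: str
    cvss_base: float
    weaponized: bool = False      # public exploit code exists
    rce_or_privesc: bool = False  # exploit yields RCE or privilege escalation
    ransomware: bool = False      # used by ransomware families
    trending: bool = False        # active exploitation trend observed


# Illustrative weights (assumption for this example, not VRR's real weights).
UPLIFT = {"weaponized": 1.0, "rce_or_privesc": 0.5, "ransomware": 1.0, "trending": 1.5}
# A vulnerability with no threat signals keeps only half its base score (assumption).
NO_THREAT_FACTOR = 0.5


def risk_rating(f: Finding) -> float:
    """Risk-adjusted score: base + uplift per threat signal, capped at 10,
    or base * NO_THREAT_FACTOR when no exploitation evidence exists."""
    signals = [name for name in UPLIFT if getattr(f, name)]
    if not signals:
        return round(f.cvss_base * NO_THREAT_FACTOR, 1)
    return round(min(10.0, f.cvss_base + sum(UPLIFT[n] for n in signals)), 1)


def prioritize(findings: List[Finding]) -> List[Tuple[str, float, float]]:
    """Return (cve, cvss_base, risk) ordered by risk, then by base score."""
    rated = [(f.cve, f.cvss_base, risk_rating(f)) for f in findings]
    return sorted(rated, key=lambda r: (r[2], r[1]), reverse=True)


def band_counts(findings: List[Finding], use_risk: bool = True) -> Dict[str, int]:
    """Count findings per severity band, by risk rating or by raw CVSS base."""
    counts: Dict[str, int] = {}
    for f in findings:
        score = risk_rating(f) if use_risk else f.cvss_base
        band = severity_band(score)
        counts[band] = counts.get(band, 0) + 1
    return counts


# Constructed sample: one real CVE from the article plus three placeholder findings.
SAMPLE = [
    Finding("CVE-2017-0144", 8.1, weaponized=True, rce_or_privesc=True,
            ransomware=True, trending=True),
    Finding("CVE-0000-0001", 9.8),                                  # constructed: critical base, no exploit
    Finding("CVE-0000-0002", 7.5, weaponized=True, rce_or_privesc=True),  # constructed
    Finding("CVE-0000-0003", 5.3, weaponized=True, trending=True),        # constructed
]

if __name__ == "__main__":
    for cve, base, risk in prioritize(SAMPLE):
        print(f"{cve:14} base={base:4.1f} risk={risk:4.1f} ({severity_band(risk)})")
    print("by CVSS base:", band_counts(SAMPLE, use_risk=False))
    print("by risk:     ", band_counts(SAMPLE, use_risk=True))
```

Run as a script, the ranking puts CVE-2017-0144 at 10.0 (Critical) and drops the constructed 9.8 finding with no exploitation evidence to Medium, which is exactly the reordering the text argues for; the two band counts also reproduce, on a small scale, the kind of discrepancy between CVSS and a risk-based rating discussed below. Swap the constructed signals for a feed of real exploitation data to use the same logic in practice.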
A risk-based approach increases the precision of remediation efforts: gathering intelligence and assessing the live risk associated with each vulnerability enables proper prioritization.
We have said that intelligence and prioritization are key to staying one step ahead and keeping risk at a manageable level for the organization.
But we need effective assessment indicators that fill the gaps in the "official" databases and measure risk proactively and dynamically, in real time.
To provide this additional context when calculating risk, we rely on the VRR (Vulnerability Risk Rating), a proprietary algorithm from our partner Ivanti that estimates the probability that a vulnerability will be exploited, not just its theoretical impact.
In the image alongside, you can see the difference between rating vulnerabilities by CVSS v3 and by VRR: the counts of critical and high vulnerabilities diverge markedly, and relying on the base score alone could lead you to overlook real threats to your environments.
We will explore the importance of a risk-based approach to vulnerability management and how VRR works in the webinar "Let's Prioritize Risk" scheduled for Oct. 27th.
We will look in particular at how to build a dynamic intelligence base and link it properly to risk management so that action can be taken quickly, with the support of automation where possible.