Intelligent Fin.tech Issue 20 | Page 30

CASHING IN

The problems are complex and wide-ranging
For those less familiar, vulnerability management is the practice of continuously discovering, classifying, prioritising and responding to software, hardware and network vulnerabilities. However, the problems with vulnerability management are complex and wide-ranging, from technology to policy and governance. With the modern enterprise evolving to become more technologically distributed and cloud-aligned, the challenge is becoming even more multifaceted.
I say this because end-to-end visibility into an organisation’s technology stack is becoming harder to achieve, with shadow IT only exacerbating the issue. Limited resources mean that cybersecurity maintenance tasks are never completed. Additionally, the scope and impact of software supply chain risk is only just starting to be properly understood by those outside the software development industry.
Chris Jacob, Global Vice President, Threat Intelligence Engineers, ThreatQuotient
Unfortunately, those that are responsible for patching and fixing software vulnerabilities are rarely involved in the technology selection process, leading to a lack of learning and improvement in technology selection choices. Layer onto this the escalating compliance landscape, and it is easy to see how overwhelming the task is. As a result, it is simply impossible to patch and mitigate every software vulnerability present in an enterprise network.
Historically, organisations would prioritise mitigation based on limited and inward-facing data, such as server versus workstation, an employee’s role, asset criticality, vulnerability score and patch availability. But despite this level of prioritisation, patching remains a time-consuming task. This approach also has limited effectiveness because it does not take into account whether and how that vulnerability is actively being exploited in the wild, or the risk that the adversaries leveraging it pose to a company’s specific environment.
Not all assets are created equal
Most companies focus more on the consequences and severity of a vulnerability than on the likelihood that they will be impacted. Of course both are important, but if you focus too much on severity and consequence, you may not see the complete picture. CVSS scores, for example, focus mainly on severity, with global values for likelihood that are assumed valid for all organisations – this is a mistaken assumption. Yes, a vulnerability may be critical and of the highest severity, but it is more or less relevant to your own organisation depending on the threats that actually target it. This is where custom likelihood comes in. Understanding your own likelihood is critical for prioritisation and triage.
The modern enterprise has a new wealth of internal and external data with which to make more data-informed choices about which actions to take and which threats to respond to. While exposure is an important input into the risk equation, it only really becomes relevant once certain stages of the vulnerability lifecycle are reached.
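The prioritisation model the article argues for, severity from CVSS combined with an organisation-specific likelihood built from threat intelligence (public exploit code, active exploitation in the wild, whether the actors using it target your sector) and inward-facing asset data, can be written down as a small ranking function. The script below is an added example, not code from the article or from ThreatQuotient. The weights, the three sample findings and their vulnerability identifiers are constructed assumptions for illustration; a real deployment would replace them with the organisation's own asset inventory and threat-intelligence feeds.

```python
"""Rank vulnerabilities by CVSS severity weighted by organisation-specific likelihood.

Added example (not from the article or ThreatQuotient). All weights, sample
findings and identifiers below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    vuln_id: str               # constructed placeholder, not a real CVE id
    cvss_base: float           # global severity, 0-10 (what CVSS gives you)
    asset_criticality: int     # inward-facing data: 1 (low) .. 5 (crown jewels)
    patch_available: bool      # inward-facing data: can we simply patch?
    exploit_public: bool       # exploit present in off-the-shelf attack tool sets
    exploited_in_wild: bool    # active exploitation observed by threat intel
    targets_our_sector: bool   # actors using it are known to target peers of ours
    internet_exposed: bool     # the affected asset is reachable from outside


# Assumed weights for the custom-likelihood model (tune per organisation).
LIKELIHOOD_BASELINE = 0.05          # any known vulnerability carries some chance
W_EXPLOIT_PUBLIC = 0.35
W_EXPLOITED_IN_WILD = 0.30
W_TARGETS_OUR_SECTOR = 0.20
W_INTERNET_EXPOSED = 0.10


def custom_likelihood(f: Finding) -> float:
    """Organisation-specific likelihood of being hit, in [0, 1]."""
    score = LIKELIHOOD_BASELINE
    if f.exploit_public:
        score += W_EXPLOIT_PUBLIC
    if f.exploited_in_wild:
        score += W_EXPLOITED_IN_WILD
    if f.targets_our_sector:
        score += W_TARGETS_OUR_SECTOR
    if f.internet_exposed:
        score += W_INTERNET_EXPOSED
    return min(score, 1.0)


def risk_score(f: Finding) -> float:
    """Risk on a 0-100 scale: severity x asset impact x custom likelihood."""
    severity = f.cvss_base / 10.0
    impact = severity * (f.asset_criticality / 5.0)
    return round(100.0 * impact * custom_likelihood(f), 1)


def recommended_action(f: Finding) -> str:
    """Patch when a patch exists; otherwise mitigate with compensating controls."""
    return "patch" if f.patch_available else "mitigate"


def rank_by_cvss(findings: List[Finding]) -> List[str]:
    """The severity-only ordering the article warns against."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss_base, reverse=True)]


def prioritise(findings: List[Finding]) -> List[str]:
    """Ordering that combines severity with organisation-specific likelihood."""
    return [f.vuln_id for f in sorted(findings, key=risk_score, reverse=True)]


# Constructed sample findings: a "critical" bug nobody is exploiting against us,
# a "high" bug being actively used against our sector on an exposed server,
# and a "medium" bug with public exploit code on an exposed, mid-value asset.
SAMPLE_FINDINGS = [
    Finding("VULN-A", 9.8, 2, True, False, False, False, False),
    Finding("VULN-B", 7.5, 5, True, True, True, True, True),
    Finding("VULN-C", 6.1, 3, False, True, False, False, True),
]

if __name__ == "__main__":
    print("CVSS-only order :", rank_by_cvss(SAMPLE_FINDINGS))
    print("Risk-based order:", prioritise(SAMPLE_FINDINGS))
    for f in sorted(SAMPLE_FINDINGS, key=risk_score, reverse=True):
        print(f"{f.vuln_id}: cvss={f.cvss_base} likelihood={custom_likelihood(f):.2f} "
              f"risk={risk_score(f)} action={recommended_action(f)}")
```

On the constructed sample the CVSS-only ordering puts VULN-A (9.8) first, while the risk-based ordering puts it last: nothing in the threat landscape points at it, so its custom likelihood stays at the baseline, whereas VULN-B, two points lower on CVSS, is exploited in the wild against organisations like ours on a crown-jewel, internet-facing asset and rises to the top. The weights are deliberately simple additive terms so that each threat-intelligence signal is auditable; the point is that the likelihood column comes from your data, not from a global assumption.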
For example: What is the cost for adversaries to develop exploitation tools for the vulnerability, or is it now available within the existing off-the-shelf attack tool sets? This is one of the largest influencers of the likelihood of it being used against the masses. Does exploitation of the vulnerability result in a situation that fits into the threat actor’s
30 www.intelligentfin.tech