What You Need to Know About Prioritizing Vulnerabilities

Sisyphus, a famous king from Greek mythology, was known for being crafty. He cleverly used deceit and trickery to twice cheat death.

Zeus and the rest of the gods, however, were not amused. They decided to punish Sisyphus by forcing him to roll a boulder up a hill. Every time Sisyphus neared the top, the boulder would roll back down. Sisyphus was doomed to repeat this endless boulder-rolling for all of eternity, coming so close to completing his task, but never quite getting there.

Vulnerability management teams can certainly empathize with poor Sisyphus. Managing vulnerabilities is a task that never ends, a race that cannot be won. The sheer number of vulnerabilities and the complexity of this Sisyphean task is overwhelming. Instead of perfection, VM teams must work to reduce the attack surface and manage risk.

In other words, they have to prioritize.

Unfortunately, too many teams are failing badly at vulnerability prioritization.

Vulnerabilities Keep Growing — Are You Keeping Pace?

The number of vulnerabilities is increasing at a dizzying pace. A report from Tenable shows that annual growth in vulnerabilities often exceeds 50%. Meanwhile, the Ponemon Institute has compiled research showing that fewer than one-third of organizations have enough insight into their attack surface to effectively deter adversaries.

Prioritizing vulnerabilities is the key to effective attack surface reduction. To do so, organizations must consider more than the severity of a vulnerability. They must consider the criticality of an asset and the potential impact of an exposure being exploited. If you have a vulnerability that is relatively easy to exploit but offers no real risk to critical assets, then it makes sense to de-prioritize it in favor of a vulnerability that is hard to exploit but would place an organization at great risk should this occur.

Given the deluge of vulnerabilities that VM teams must cope with, they rely on tools to help with prioritizing vulnerability remediation. Vulnerability scanners that rely on CVSS for severity scoring are widely used, but they only provide one part of the picture, as they lack key risk context.

Risk-based vulnerability management (RBVM) products go a step further and incorporate threat intelligence by showing how vulnerabilities have been exploited in the real world. This helps provide a window into the likelihood of a particular vulnerability leading to a successful attack.

However, the full picture still remains elusive. Another technology,¬†breach and attack simulation¬†(BAS) software, by taking a broader perspective that includes an organization’s security controls and protections. A conventional BAS platform works by launching automated simulated attacks on security environments. These simulated attacks identify vulnerabilities and show how they could be exploited. Thus more risk context is given, and it becomes possible to gain deeper insight into the attack surface and understand the risk associated with specific vulnerabilities. BAS platforms then offer prioritized remediation guidance.

Yet even an advanced BAS platform is not the gold standard for effectively managing vulnerabilities and understanding risk. For that, you need attack path management¬†— and that’s what XM Cyber offers.

The XM Cyber Difference

XM Cyber offers the first true attack path management platform. Using risk-centric threat modeling, XM Cyber eliminates 99% of the risk to business-sensitive systems by focusing on the 1% of exposures that can actually be exploited. In other words, in a massive, roiling ocean of constant threats, we can identify the specific waves that pose the most critical and pressing risk to your crown jewel assets.

VM products using CVSS as a sole metric and RBVM platforms are missing critical attack context and do not provide a full picture of risk. They are also incapable of providing continuous prioritization and remediation of critical exposures.

Conventional BAS products are focused on identifying the symptoms rather than the cure. They often do not test prevention systems like PAM or excessive file permissions and are limited to products using signatures of basic heuristics for detection and response.

Only XM Cyber continuously identifies new exposures and attack vectors, provides risk centric threat modeling, prioritizes cyber-risk for critical systems and provides context-sensitive, least-effort remediation options, thanks to our attack graph analysis technology.

The Takeaway

Vulnerability management may always be a Sisyphean task, but the right supporting products can make the job infinitely less challenging. Instead of mightily struggling to roll your boulder up the hill, gripped by fear that it could come crashing back down on you at any time, why not use a tool that makes that boulder much lighter and easier to move?

You’ll still have to keep heading up the hill — but with your exertions lessened and fear of failure dissipated — you might actually start to enjoy the view.

Marcus Gilban is Director of Marketing Communications at XM Cyber