Read this interesting blog post on Threat-Centric vulnerability management by Ravid Circus at SC Magazine. Please note the “proper” English!
Why traditional vulnerability management falls short
Most vulnerability management programmes are based on the Common Vulnerability Scoring System (CVSS). This system was developed more than a decade ago and was designed to help organisations prioritise patching. CVSS had intentions of providing “temporal” scores incorporating up-to-date threat intelligence and vendor input, including on available fixes, but this was never fully implemented. CVSS also could not accurately determine “environmental” scores of the potential impacts within an organisation.
I agree. It is very difficult to operationalize and connect the actual applicable vulnerabilities with exploit data.
So, unfortunately, traditional vulnerability management relies on CVSS base scores of intrinsic properties of the vulnerability. The problem with this score is that vulnerabilities don’t exist in a vacuum. Changes within the threat landscape and within the organisation in which they exist impact the threat a vulnerability poses. Without this larger context, remediation priorities can be skewed, focusing precious resources on relatively low-risk vulnerabilities while leaving those more likely to be used in an attack within reach of threat actors.
A new approach: threat-centric vulnerability management
To stay protected in the era of distributed cyber-crime, organisations need to take their vulnerability management programme to the next level. Threat-centric vulnerability management (TCVM) is a new approach that collects data from a wide range of sources, including threat intelligence; uses modelling and simulation to analyse vulnerabilities within their unique environment and prioritise them accurately; and provides remediation guidance based on available resources.
Not sure if it is new, but merely a progression in maturity.
Internally, TCVM collects data on known vulnerabilities within the organisation, asset information, patch levels and the state of network topology and security controls in place. It builds this data into a model to understand vulnerability exposure, attack paths (including of multi-step attacks), potential business impacts, and remediation options beyond patching, such as rule changes or IPS signatures.
Externally, TCVM correlates this information with CVSS scores and, more importantly, security-analyst-verified threat intelligence from dozens of security data feeds and investigations in the dark web. This highlights vulnerabilities with available exploits, such as those with a POC, and those observed to be actively exploited in the wild. It also shows which vulnerabilities are being packaged in distributed crimeware, such as ransomware, exploit kits, etc.
With this complete context, remediation actions can be aligned with the threat level a vulnerability poses — not just a generic CVSS score. Those that are being actively exploited or exposed within the network pose an imminent threat and need to be dealt with immediately. Other vulnerabilities pose a potential threat and can be dealt with over time, but need to be monitored for changes in the threat landscape or network exposure.
Automation and centralisation for intelligent defence
Because of the scale and complexity of data the TCVM approach requires, tasks have to be automated. From data collection to contextual analysis, these processes are essentially impossible to perform manually, especially in an enterprise network. While tools are available for automating each step within the TCVM workflow, there are advantages to efficiency — and ROI — of centralising management on a single platform.
With automation and centralisation, vulnerability management and incident response teams can dedicate even more resources to acting on intelligence rather than gathering and analysing it. The systematic approach of TCVM ensures that actions are informed with the full context surrounding a vulnerability, so organisations can take on attackers proactively and keep their networks secure from the distributed cyber-crime threat.
Yes to automation and centralisation. Intelligent defence is better than “dumb” defence?
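To make the prioritisation rule quoted above concrete (actively exploited or exposed from outside means imminent; everything else is potential and gets monitored for changes in intel or exposure), here is a small Python script as an added illustration. It is not code from the SC Magazine article or from any vendor product; the scanner findings, the intel records and the field names are constructed assumptions about what a scanner, a CMDB and an analyst-verified feed would provide, and the vulnerability IDs are placeholders, not real CVEs.

```python
"""Threat-centric prioritisation of scanner findings (added example).

Not code from the SC Magazine article or any vendor. All data is constructed:
vulnerability IDs are placeholders, not real CVEs, and the field names are
assumptions about what a scanner, CMDB and intel feed would provide.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance on one asset, as a scanner would report it."""
    vuln_id: str
    asset: str
    cvss_base: float
    internet_exposed: bool         # on an attack path from outside, per the network model
    business_critical: bool        # asset tag taken from the CMDB
    ips_signature_available: bool  # a compensating control exists short of patching


@dataclass(frozen=True)
class Intel:
    """Analyst-verified threat intelligence for one vulnerability (constructed)."""
    exploited_in_wild: bool = False
    public_poc: bool = False
    in_crimeware: bool = False     # packaged in an exploit kit or ransomware


# Constructed scanner output. A CVSS-only ranking would put vuln-1 first.
FINDINGS = [
    Finding("vuln-1", "hr-fileserver", 9.8, False, False, False),  # high CVSS, internal, no exploit
    Finding("vuln-2", "web-gw-01",     7.5, True,  True,  True),   # exposed, in an exploit kit
    Finding("vuln-3", "dev-jenkins",   6.5, False, False, False),  # public PoC, not exposed
    Finding("vuln-4", "vpn-edge",      8.1, True,  True,  False),  # exposed, exploited in the wild
    Finding("vuln-5", "print-server",  5.3, False, False, False),  # nothing known
]

# Constructed intel feed keyed by vulnerability ID; missing keys mean "no intel".
INTEL = {
    "vuln-2": Intel(public_poc=True, in_crimeware=True),
    "vuln-3": Intel(public_poc=True),
    "vuln-4": Intel(exploited_in_wild=True, public_poc=True),
}


def classify(f: Finding, intel: Intel) -> str:
    """Imminent: exploited in the wild (crimeware packaging counts) or exposed. Else potential."""
    if intel.exploited_in_wild or intel.in_crimeware or f.internet_exposed:
        return "imminent"
    return "potential"


def threat_key(f: Finding, intel: Intel) -> tuple:
    """Sort key: tier, then exploitation evidence, exposure, business impact; CVSS only breaks ties."""
    tier = 0 if classify(f, intel) == "imminent" else 1
    evidence = 3 * intel.exploited_in_wild + 2 * intel.in_crimeware + intel.public_poc
    return (tier, -evidence, -int(f.internet_exposed), -int(f.business_critical), -f.cvss_base)


def stopgap(f: Finding, intel: Intel) -> str:
    """Remediation guidance beyond patching: an IPS signature or a rule change until the patch lands."""
    if classify(f, intel) != "imminent":
        return "patch in normal cycle; monitor intel"
    if f.ips_signature_available:
        return "patch now; enable IPS signature until patched"
    if f.internet_exposed:
        return "patch now; restrict exposure with a firewall rule until patched"
    return "patch now"


def prioritise(findings: list[Finding], feed: dict[str, Intel]) -> list[tuple[str, str, str]]:
    """Return (vuln_id, tier, guidance) in threat-centric remediation order."""
    ranked = sorted(findings, key=lambda f: threat_key(f, feed.get(f.vuln_id, Intel())))
    return [(f.vuln_id, classify(f, feed.get(f.vuln_id, Intel())),
             stopgap(f, feed.get(f.vuln_id, Intel()))) for f in ranked]


def cvss_order(findings: list[Finding]) -> list[str]:
    """The traditional ordering, by base score alone, for comparison."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: -f.cvss_base)]


if __name__ == "__main__":
    print("CVSS-only order:   ", cvss_order(FINDINGS))
    for vuln_id, tier, guidance in prioritise(FINDINGS, INTEL):
        print(f"{vuln_id:7} {tier:9} {guidance}")
    # Intel changes move a vulnerability between tiers without any rescan.
    changed = dict(INTEL, **{"vuln-1": Intel(exploited_in_wild=True)})
    print("after new intel:   ", [r[0] for r in prioritise(FINDINGS, changed)])
```

The point of the comparison is the first two lines of output: the 9.8 on the internal file server drops to fourth, while the exposed VPN edge and the web gateway whose bug sits in an exploit kit go to the top with an interim control attached. Re-running `prioritise` with an updated feed is the "monitor for changes" step; in a real pipeline the feed dictionary would be refreshed from the intel source and the exposure flag from the network model rather than hard-coded.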
The Takeaways
- Think about how to design and implement a foundation of technology and processes that fosters automation and centralization.
