What is vulnerability prioritization?

Vulnerability prioritization is one of the key steps of the vulnerability management process. At any given time, there are many unresolved security issues (“vulnerabilities”) in an organization’s network, and new ones are identified every week. Vulnerability prioritization means deciding which issues need to be fixed now, which can wait for a few days, and which are just noise.

But there is more to this…

In 2011, Marc Andreessen famously said that software is eating the world. As he put it then: “Six decades into the computer revolution, four decades since the invention of the microprocessor, and two decades into the rise of the modern Internet, all of the technology required to transform industries through software finally works and can be widely delivered at global scale.”

From traditional brick-and-mortar companies to modern enterprises, software today powers almost everything. While the proliferation of software brought unparalleled efficiency and automation to the fore, it also brought security risks and vulnerabilities. Programmers, just like the rest of us, make mistakes from time to time, and on average a security bug is inadvertently introduced every few thousand lines of code written. Eventually these bugs are found by researchers or the bad guys, and become vulnerabilities.

A quick glance at the National Vulnerability Database (NVD) dashboard reveals some startling facts. In 2022 so far, 18,590 new Common Vulnerabilities and Exposures (CVEs) have been received by NVD. These CVEs are not limited to one vendor or one product; they pertain to many prominent vendors and span a myriad of software products.

With software being almost ubiquitous and running everywhere on every imaginable device, patching software vulnerabilities is a real challenge. If the world were ideal, the enterprise security teams would just identify all the vulnerabilities and apply available patches to them.

In the real world, however, vulnerability management teams are constantly faced with questions such as:

  • Where do you begin the patching process when you have tens of thousands of vulnerabilities across tens (or even hundreds) of thousands of assets?
  • How do you quantify your exposure, assess business risk, and prioritize patching so that you fix your most critical vulnerabilities first?

To appreciate the challenge faced by vulnerability management teams, imagine this scenario:

You are responsible for protecting your enterprise from cybersecurity threats. In order to achieve your goal, you’re expected to:

  • Know the inventory of assets in your environment,
  • Know the software running on each of the assets,
  • Have knowledge of the known vulnerabilities, and
  • Know what patches are available to fix those vulnerabilities.

Once that’s done, you need to identify your highest risk exposures so you can patch software applications according to their criticality to the business.

Now let’s say your environment includes 50,000 assets with 100 open known vulnerabilities (CVEs) on each asset, on average. This translates to 5,000,000 vulnerabilities that potentially need to be patched. Clearly, for modern resource-constrained security teams, patching everything has become impossible.

What can the vulnerability management teams do in this situation?

The teams need a prioritization strategy that achieves maximum reduction in breach risk for minimum patching effort. The business criticality of assets can range from mission critical to insignificant and everything in-between. The key question is – where do you begin?

This is the problem that vulnerability prioritization addresses.

How to prioritize vulnerabilities?

The key phases of the vulnerability management process are:

[Figure: Key phases of the vulnerability management process]

The outcome of the discovery phase is a comprehensive list of vulnerabilities to be managed. The prioritization phase ensures that the hundreds or thousands of vulnerabilities identified during the discovery phase are effectively prioritized for remediation. This step ensures that your security team isn’t racing to address issues that pose little or no real risk to your business-critical assets. Since not every vulnerability presents the same security risk to operating systems, it’s critical to get context around each vulnerability and the enterprise asset that it affects.

To effectively prioritize the remediation of vulnerabilities, organizations need to adopt a risk-based vulnerability management approach. The key building blocks of this approach are:

  • Asset visibility: Visibility into everything (all assets) on the network or in the environment – managed and unmanaged (BYOD) devices, apps, users, and data.
  • Comprehensive attack vector coverage: Scanning and monitoring across a broad range of attack vectors for each asset.
  • Business context consideration: Prioritizing results based on context – for each asset, this means knowing how critical it is to your business (the value of the asset); how vulnerable it is (the severity of the vulnerability); any existing security controls already in place; and any ongoing global threats.
  • Mitigation recommendations: Guidance on the best approach as you work to mitigate identified vulnerabilities.

With this approach, your organization can first focus on actions that are critical and make smarter decisions to reduce your risk, both strategically and tactically.
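
The business-context bullet above, as an added example (not code from the original page or from any vendor's product): it scores constructed findings from the four inputs named there and contrasts the result with a severity-only ordering. The field names, the 1-5 asset value scale and the two weighting factors are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    cve: str                    # placeholder ID, constructed for this example
    asset: str
    cvss: float                 # severity of the vulnerability, 0-10
    asset_value: int            # assumed scale: 1 (insignificant) .. 5 (mission critical)
    actively_exploited: bool    # stands in for "ongoing global threats"
    control_in_place: bool      # an existing security control already mitigates it

# Assumed weighting factors; tune them to your own risk model.
EXPLOITED_FACTOR = 2.0
CONTROL_FACTOR = 0.5

def contextual_risk(f: Finding) -> float:
    """Relative risk: severity scaled by asset value, threat and controls."""
    score = (f.cvss / 10.0) * (f.asset_value / 5.0)
    if f.actively_exploited:
        score *= EXPLOITED_FACTOR
    if f.control_in_place:
        score *= CONTROL_FACTOR
    return round(score, 3)

def rank_by_severity(findings):
    """Order CVE IDs by CVSS score alone, highest first."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

def rank_by_context(findings):
    """Order CVE IDs by contextual risk, highest first."""
    return [f.cve for f in sorted(findings, key=contextual_risk, reverse=True)]

# Constructed sample findings.
FINDINGS = [
    Finding("CVE-EXAMPLE-0001", "lab-printer", 9.8, 1, False, False),
    Finding("CVE-EXAMPLE-0002", "payments-db", 7.5, 5, True, False),
    Finding("CVE-EXAMPLE-0003", "hr-portal", 8.8, 4, False, True),
    Finding("CVE-EXAMPLE-0004", "build-server", 6.5, 3, True, False),
]

if __name__ == "__main__":
    print("severity only:", rank_by_severity(FINDINGS))
    print("with context: ", rank_by_context(FINDINGS))
```

The two orderings are exact opposites at the top: the 9.8 on a low-value printer leads the severity list but drops to last once asset value and threat are considered.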

[Figure: Building blocks of vulnerability prioritization]

Vulnerability prioritization methods:

  1. Prioritization via CVSS scores alone:

    The Common Vulnerability Scoring System (CVSS) provides a numerical (0-10) representation of the severity of an information security vulnerability. CVSS scores are commonly used by infosec teams as part of a vulnerability management program to provide a point of comparison between vulnerabilities, and to prioritize remediation of vulnerabilities.

    A CVSS score is composed of three sets of metrics (Base, Temporal, Environmental), each of which has an underlying scoring component.

    [Figure: CVSS Score Metrics]

    One limitation of a CVSS score is that it represents only the severity of a vulnerability and does not reflect the risk that the vulnerability poses to your environment. In other words, CVSS answers the question, “Is this dangerous?”, but not, “Is this dangerous to my company?”

  2. Prioritization via CISA KEV database:

    The CVSS base score does not account for an important criterion: whether the vulnerability is actually being used to attack systems. The experts at CISA have observed that attackers do not rely only on “critical” vulnerabilities to achieve their goals; some of the most widespread and devastating attacks have included multiple vulnerabilities rated “high”, “medium”, or even “low”. This methodology, known as “chaining”, uses lower-score vulnerabilities to first gain a foothold, then exploits additional vulnerabilities to escalate privilege on an incremental basis.

    To this end, the agency has created, and published on CISA.gov, a living catalog of known exploited vulnerabilities (CISA KEV) that carry significant risk. The directive also establishes a more aggressive turnaround time for government agencies to remediate each CVE. As of Sept 27, 2022, the CISA KEV catalog stands at 834 vulnerabilities and rapidly expands each month.

    While this approach gives a narrow list of vulnerabilities to focus on, it is not sufficient to help ensure comprehensive coverage and cyber risk reduction.

  3. Prioritization based on business context:

    Balbix recommends a holistic approach to prioritization that takes into account both the business context of the assets and whether the vulnerability management team is operating in war-time or peace-time.

    In peace-time, security teams are focused on burning down high volumes of important vulnerabilities and closing security gaps quickly and efficiently.

    In war-time, the attention turns to urgently identifying and deploying patches or quick mitigations to fix critical vulnerabilities before attackers can cause serious damage to the organization.

    In both situations, speed is of the essence. But because peace-time and war-time are very different in terms of challenges, constraints and goals, security teams require distinct approaches for each, as outlined below.

    1. Managing peace-time with Patch Prioritization:

      Patch Prioritization, a feature of the Balbix platform’s Risk-based Vulnerability Management (RBVM) capabilities, recommends the patches that most efficiently address the maximum number of open CVEs for an application in order for security teams to more effectively reduce risk. With Patch Prioritization, teams can eliminate unnecessary patching and improve their overall cybersecurity risk posture.

      Balbix’s Patch Prioritization makes recommendations by considering overall risk reduction of available patches. This is accomplished by accounting for the number of vulnerabilities, severity of vulnerabilities, threat data for the vulnerabilities under consideration, and business impact of assets while minimizing the number of patches that need to be applied for a given product.

    2. Managing war-time with CVE Prioritization:

      During war-time, critical vulnerabilities can arise out of nowhere. It can be stressful and time-consuming to deploy emergency patches, and security teams often lack the resources and visibility needed to quickly identify, triage and resolve the vulnerabilities in a timely manner.

      Balbix’s CVE Prioritization capabilities enable real-time prioritization of CVEs not just by CVE severity and threat level, but also by software vendor, category and many other factors. Cybersecurity professionals can scope the list of open vulnerabilities of concern in the enterprise using a wide variety of filters such as operational and business tags, threat levels, threat names and threat categories (e.g. ransomware, ongoing exploits, available exploit code, etc.) and use this information to drive an efficient remediation strategy.

    In summary, peace-time and war-time are very different in terms of challenges, constraints and goals, which means that security teams require distinct approaches for each. Balbix’s RBVM solution, and two unique features in particular (Patch Prioritization and CVE Prioritization), can help security teams work more efficiently in each situation. And with Balbix maximally automating your workflow, you won’t need an army!
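
The peace-time goal described above (remove the most risk with the fewest patches) can be sketched as a greedy weighted-coverage selection. This is an added example, not Balbix's algorithm or code from the original page; the patch names, CVE placeholders, the 1-5 asset value scale and the exploited-factor weight are all constructed assumptions, and greedy selection is an approximation rather than a guaranteed optimum.

```python
from collections import defaultdict

# Constructed sample data. Each open finding on one asset:
# (CVE placeholder, CVSS, assumed asset value 1-5, known exploited?)
OPEN_FINDINGS = [
    ("CVE-EXAMPLE-A", 9.0, 5, False),
    ("CVE-EXAMPLE-A", 9.0, 2, False),
    ("CVE-EXAMPLE-B", 5.0, 3, False),
    ("CVE-EXAMPLE-C", 7.5, 4, True),
    ("CVE-EXAMPLE-D", 8.0, 5, True),
    ("CVE-EXAMPLE-E", 4.0, 1, False),
]

# Constructed patch catalogue: hypothetical patch name -> CVEs it fixes.
PATCHES = {
    "app-2.1.1": {"CVE-EXAMPLE-A", "CVE-EXAMPLE-B"},
    "app-2.1.2": {"CVE-EXAMPLE-A", "CVE-EXAMPLE-B", "CVE-EXAMPLE-C"},  # cumulative
    "lib-hotfix-7": {"CVE-EXAMPLE-D"},
    "app-2.2.0": {"CVE-EXAMPLE-E"},
}

def risk_per_cve(findings, exploited_factor=2.0):
    """Sum severity x business impact x threat over every asset a CVE is open on."""
    risk = defaultdict(float)
    for cve, cvss, asset_value, exploited in findings:
        risk[cve] += cvss * asset_value * (exploited_factor if exploited else 1.0)
    return dict(risk)

def plan_patches(patches, risk, budget):
    """Greedy: take the patch that removes the most remaining risk, then repeat."""
    remaining = dict(risk)
    plan = []
    while len(plan) < budget:
        gains = {p: sum(remaining.get(c, 0.0) for c in cves) for p, cves in patches.items()}
        best = max(sorted(gains), key=gains.get, default=None)  # sorted: stable tie-break
        if best is None or gains[best] <= 0:
            break  # every patch left is redundant, so stop early
        plan.append((best, gains[best]))
        for cve in patches[best]:
            remaining.pop(cve, None)
    return plan, sum(remaining.values())

if __name__ == "__main__":
    plan, residual = plan_patches(PATCHES, risk_per_cve(OPEN_FINDINGS), budget=2)
    print(plan, "residual risk:", residual)
```

Even with an unlimited budget, `app-2.1.1` is never selected because the cumulative `app-2.1.2` already covers everything it fixes.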
