Predictive Vulnerability Prioritization: Focusing on What Matters First
Ryan Bragg, Channel Sales Engineer
Questions
• Are you involved in vulnerability detection or remediation?
• Do you (try to) patch every vulnerability?
• Do you use threat intelligence to prioritize vulnerabilities?
• What are your biggest challenges in vulnerability remediation? Visibility? Volume? Prioritization?
The massive WannaCry outbreak caused an estimated $1 billion in damage costs in just its first four days, according to Stu Sjouwerman, CEO at KnowBe4. CSO Online: https://www.csoonline.com/article/3197582/ransomware-damages-rise-15x-in-2-years-to-hit-5-billion-in-2017.html Source: Bank Info Security website
Foundational Barriers
Focus determines success
The Visibility Barrier
Creating a Cyber Exposure Gap
Process Barriers (Ponemon Institute, Dec 2018)
Not Asking the Right Questions
• Where are we exposed?
• Where should we prioritize based on risk?
• How are we reducing exposure over time?
• How do we compare?
Volume & Prioritization Barriers
Vulnerability Trends (Gartner Market Guide for Vulnerability Assessment, Craig Lawson, Prateek Bhajanka, June 19, 2018)
The Severity Problem
• 17,000 vulnerabilities disclosed in 2018
• 7% of vulnerabilities had an exploit available
• 60% of vulnerabilities discovered in environments are CVSS 7+
• 12% of vulnerabilities disclosed in 2017 were CVSS 9+
CVSSv3 COMPOUNDS PRIORITIZATION CHALLENGE For 2017 & 2018: CVSSv2: 31% of vulns are High severity; CVSSv3: 60% of vulns are High or Critical severity. Vulnerability Intelligence Report, Tenable Research
Vulnerability Management by Severity
CVSS — Shortcomings: “CVSS is designed to identify the technical severity of a vulnerability. What people seem to want to know, instead, is the risk a vulnerability or flaw poses to them, or how quickly they should respond to a vulnerability.” (“Towards Improving CVSS”, Software Engineering Institute | Carnegie Mellon University, December 2018)
TOP 10 VULNERABILITIES USED BY CYBERCRIMINALS IN 2018 (March 19, 2019). Of the top 10, only 4 have a CVSS score > 9.0.
CVE              CVSSv2 Score
CVE-2018-8174    7.6
CVE-2018-4878    7.5
CVE-2017-11882   9.3
CVE-2017-8750    7.6
CVE-2017-0199    9.3
CVE-2016-0189    7.6
CVE-2017-8570    9.3
CVE-2018-8373    7.6
CVE-2012-0158    9.3
CVE-2015-1805    7.2
Attacks on New Vulnerabilities: attackers have an average 7-day head start, measured from the time an exploit becomes available to the time defenders assess the vulnerability. Source: Tenable Research Report, “Quantifying the Attacker's First-Mover Advantage”
What Should We Do?
Predictive Prioritization: Reducing the Burden Dramatically
• Research Insights: data-science-based analysis of over 109,000 vulnerabilities to differentiate between the real and theoretical risks vulnerabilities pose
• Threat Intelligence: insight into which vulnerabilities are actively being exploited by both targeted and opportunistic threat actors
• Vulnerability Rating: the criticality, ease of exploit and attack vectors associated with the flaw
97% reduction in vulnerabilities to be remediated, with the same impact to the attack surface
A Data Science Approach: Understanding the Model. 150 different aspects in 7 feature groups:
▪ Past threat pattern
▪ CVSS
▪ NVD
▪ Past hostility
▪ Vulnerable software
▪ Exploit code
▪ Past threat source
• Forecast probability of exploit in the near-term future
• Updated daily
Some of What Is in the Model
• CVE age
• No. of words in NVD description
• Days since NVD last modified
• Number of references
• CVSS v3 base score
• CVSS v3 exploitability score
• CVSS v3 impact score
• Total affected software
• CWE
• Distinct days with cyber exploits
• Days since last cyber exploit
• Total cyber exploit events
• Days since first cyber exploit
• Days since last cyber attack
• Days since last ExploitDB entry
• Days since first ExploitDB entry
• Days since last Metasploit entry
• Total ExploitDB entries
• Total Metasploit entries
Terminology
• Predictive Prioritization: the process of re-prioritizing vulnerabilities based on the probability that they will be leveraged in an attack.
• Vulnerability Priority Rating (VPR): the output of the Predictive Prioritization process. VPR is the number that indicates the remediation priority (0 through 10, with 10 being the highest severity) of an individual vulnerability.
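As an added illustration of the approach these slides describe (the feature groups listed above and the 0-10 VPR definition), here is a toy Python scorer that is not Tenable's model or code. It folds a few of the feature types named on the slides, the CVSS v3 base score, ExploitDB and Metasploit entry counts and days since the last observed exploit, into a 0-10 rating, then compares the resulting ordering and the "remediate first" set with a pure CVSS ordering. The weights, the one-year decay window, the severity bands and the sample CVE records are hypothetical assumptions made for the example.

```python
"""Toy risk-based prioritization, added to illustrate the slides' approach.
The weights, the 365-day decay window and the sample records are hypothetical
assumptions; this is not Tenable's VPR model."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Vuln:
    cve: str
    cvss_v3: float                          # NVD CVSS v3 base score, 0-10
    exploitdb_entries: int                  # public exploit-code entries
    metasploit_entries: int                 # weaponised modules
    days_since_last_exploit: Optional[int]  # None: never observed exploited


def exploit_likelihood(v: Vuln) -> float:
    """Estimate (0..1) that the flaw is exploited in the near term.

    Hypothetical weights: public exploit code adds 0.35, a Metasploit module
    a further 0.15, and observed in-the-wild activity up to 0.5, decaying
    linearly to zero one year after the last sighting.
    """
    score = 0.0
    if v.exploitdb_entries > 0 or v.metasploit_entries > 0:
        score += 0.35
    if v.metasploit_entries > 0:
        score += 0.15
    if v.days_since_last_exploit is not None:
        recency = max(0.0, 1.0 - v.days_since_last_exploit / 365.0)
        score += 0.5 * recency
    return min(score, 1.0)


def priority_rating(v: Vuln) -> float:
    """Combine severity with exploitation likelihood into a 0-10 rating.

    With no exploitation signal the rating is 40% of the CVSS score; a strong
    signal lifts it toward the full CVSS value (the 40/60 split is assumed).
    """
    factor = 0.4 + 0.6 * exploit_likelihood(v)
    return round(min(v.cvss_v3 * factor, 10.0), 1)


def cvss_score(v: Vuln) -> float:
    """Severity-only scorer, used for comparison."""
    return v.cvss_v3


def bucket(score: float) -> str:
    """Map a 0-10 score to Critical/High/Medium/Low bands (assumed cut-offs)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


Scorer = Callable[[Vuln], float]


def rank(vulns: List[Vuln], scorer: Scorer) -> List[str]:
    """CVE ids in descending order of the given scorer."""
    return [v.cve for v in sorted(vulns, key=scorer, reverse=True)]


def remediate_first(vulns: List[Vuln], scorer: Scorer,
                    threshold: float = 7.0) -> List[str]:
    """The expedited-remediation set: everything scoring High or above."""
    ordered = sorted(vulns, key=scorer, reverse=True)
    return [v.cve for v in ordered if scorer(v) >= threshold]


def bucket_counts(vulns: List[Vuln], scorer: Scorer) -> Dict[str, int]:
    """How many vulnerabilities land in each band under the given scorer."""
    counts = {"Critical": 0, "High": 0, "Medium": 0, "Low": 0}
    for v in vulns:
        counts[bucket(scorer(v))] += 1
    return counts


# Constructed sample records (placeholder CVE ids, not real vulnerabilities).
SAMPLE = [
    Vuln("CVE-0000-0001", 9.8, 0, 0, None),  # critical on paper, no exploit
    Vuln("CVE-0000-0002", 7.5, 2, 1, 10),    # weaponised, exploited last week
    Vuln("CVE-0000-0003", 6.0, 1, 0, None),  # PoC only, never seen in the wild
    Vuln("CVE-0000-0004", 5.3, 0, 0, 200),   # old activity, no public code
    Vuln("CVE-0000-0005", 9.3, 3, 2, 3),     # actively exploited right now
]

if __name__ == "__main__":
    print("by CVSS:  ", rank(SAMPLE, cvss_score))
    print("by rating:", rank(SAMPLE, priority_rating))
    print("expedite (CVSS >= 7):  ", remediate_first(SAMPLE, cvss_score))
    print("expedite (rating >= 7):", remediate_first(SAMPLE, priority_rating))
    print("bands by CVSS:  ", bucket_counts(SAMPLE, cvss_score))
    print("bands by rating:", bucket_counts(SAMPLE, priority_rating))
```

Run as a script it prints both orderings: the CVSS 9.8 record with no exploitation signal drops out of the expedited set (rating 3.9), while the CVSS 7.5 record with a Metasploit module and a sighting ten days ago stays in (rating 7.4), the same divergence between CVSS and a risk-based rating that the slides' top-five table shows.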
Prioritization Is Critical: Risk-Driven Scoring (chart comparing CVSSv3 severity bands High/Medium/Low against the risk-based Vulnerability Priority Rating)
We Find the Needles: 3% (chart of the share of vulnerabilities flagged by Vulnerability Priority Rating)
VPR INSIGHT - 70 DAYS PRIOR TO CVSS SCORE (chart: VPR versus CVSS over time for a Linux kernel flaw)
Top Five Vulnerabilities in 2018
CVE              CVSSv2 Score (according to NVD)   CVSSv3 Score (according to NVD)   Tenable Vulnerability Priority Rating
CVE-2018-8174    7.6                               7.5                               9.9
CVE-2018-4878    7.5                               9.8                               9.5
CVE-2017-11882   9.3                               7.8                               9.9
CVE-2017-8750    7.6                               7.5                               9.4
CVE-2017-0199    9.3                               7.8                               9.9
Extracted from the Recorded Future report “Top Ten Vulnerabilities of 2018”, 03/19/19
Takeaways for Success!
• Focus first on vulnerabilities that are actually leveraged in attacks
• Update your security policy to support expedited remediation of “high risk” vulnerabilities
• Continue to work through less urgent remediation work and update policy to support updated SLAs
Thank You