Predictive Prioritization Focusing On What Matters First Elena - - PowerPoint PPT Presentation



SLIDE 1

Elena Sergeeva

Security Engineer

Predictive Prioritization Focusing On What Matters First

SLIDE 2

VULNERABILITY MANAGEMENT TODAY

SLIDE 3

Vulnerability Management In Brief

  • A: Assess – Legacy and Modern Assets
  • R: Remediate – Intelligent Prioritization
  • M: Manage – Measure

SLIDE 4

March 2019

THE MODERN ATTACK SURFACE

Server, Desktop, Network infrastructure, ICS/SCADA, Web app, Mobile, Laptop, Enterprise IoT, Virtual machine, Cloud, Container

IT, Cloud, IoT

Industrial IoT

SLIDE 5

Predictive Prioritization


SLIDE 6

THE THREE KEY QUESTIONS

  • A: Where are we exposed?
  • R: Where should we prioritize based on risk?
  • M: How are we reducing exposure over time?

SLIDE 7

BARRIERS

Ponemon Institute, Dec 2018

SLIDE 8

IF EVERYTHING IS IMPORTANT – NOTHING IS


59% High or Critical

Vulnerability Intelligence Report Tenable Research

SLIDE 9

Number of Vulnerabilities During the Past Decade

| Year | Vulnerabilities |
|------|-----------------|
| 1999 | 894 |
| 2000 | 1020 |
| 2001 | 1677 |
| 2002 | 2156 |
| 2003 | 1527 |
| 2004 | 2451 |
| 2005 | 4935 |
| 2006 | 6610 |
| 2007 | 6520 |
| 2008 | 5632 |
| 2009 | 5736 |
| 2010 | 4652 |
| 2011 | 4155 |
| 2012 | 5297 |
| 2013 | 5191 |
| 2014 | 7946 |
| 2015 | 6484 |
| 2016 | 6447 |
| 2017 | 14714 |
| 2018 | 16555 |

Vulnerabilities Discovered Each Year

SLIDE 10

16,500 vulnerabilities disclosed in 2018

Vulnerability Intelligence Report | Tenable Research

  • 7% of vulnerabilities had an exploit available
  • 63% of vulnerabilities discovered in environments are CVSS 7+
  • 12% of vulnerabilities disclosed in 2017 were CVSS 9+

SLIDE 11

* Gartner Market Guide for Vulnerability Assessment, Craig Lawson, Prateek Bhajanka, June 19, 2018

Number of Vulnerabilities During the Past Decade

SLIDE 12

FOCUS ON WHAT MATTERS FIRST

Threat Intelligence

Insight into which vulnerabilities are actively being exploited by both targeted and opportunistic threat actors.

Vulnerability Rating

The criticality, ease of exploit and attack vectors associated with the flaw.

Research Insights

Data science based analysis of over 100,000 vulnerabilities to differentiate between the real and theoretical risks vulnerabilities pose.

PREDICTIVE PRIORITIZATION

≈95% reduction in vulnerabilities to be remediated with the same impact to the attack surface

SLIDE 13

Examples

  • CVE Age
  • Days Since NVD Last Modified
  • Number of References
  • CVSS v3 Base Score
  • CVSS v3 Exploitability Score
  • CVSS v3 Impact Score
  • Total Affected Software
  • Distinct days with cyber exploits
  • Days since last cyber exploit
  • Total cyber exploit events
  • Days since first cyber exploit
  • Days since last cyber attack
  • Days since last ExploitDB entry
  • Days since first ExploitDB entry
  • Total ExploitDB entries

SLIDE 14

Vulnerability Priority Rating – 70 days prior to CVSS score

Linux Kernel Flaw

SLIDE 15

Top Five Vulnerabilities in 2018

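| CVE | CVSSv2 Score (According to NVD) | CVSSv3 Score (According to NVD) | Tenable (Vulnerability Priority Rating) |
|-----|---------------------------------|---------------------------------|------------------------------------------|
| CVE-2018-8174 | 7.6 | 7.5 | 9.9 |
| CVE-2018-4878 | 7.5 | 9.8 | 9.5 |
| CVE-2017-11882 | 9.3 | 7.8 | 9.9 |
| CVE-2017-8750 | 7.6 | 7.5 | 9.4 |
| CVE-2017-0199 | 9.3 | 7.8 | 9.9 |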

Extracted from the Recorded Future Report “Top Ten Vulnerabilities of 2018” 03/19/19

SLIDE 16

WE FIND THE NEEDLES

3%

Vulnerability Priority Rating

SLIDE 17

KEY QUESTIONS

  • How many vulnerabilities do you deal with every month?
  • Do you patch every vulnerability?
  • What does that cost your organization?
  • How do you prioritize?
  • Do you use threat intelligence?
  • Could staff be more efficient?

SLIDE 18

SUGGESTIONS

  • If you have limited resources and budget, focus on vulnerabilities that are actually leveraged in attacks
  • Leverage threat intel to identify “urgent” and update your security policy to support remediating these ASAP
  • Continue to work through less urgent remediation work and update policy to support updated SLAs

SLIDE 19

Thank You