So many vulnerabilities – so little time. When you run a vulnerability scanner against your environment you’re guaranteed to get more work than you can accomplish. That’s nothing new in security. There’s always more alerts and anomalies on your SIEM dashboard than you can investigate. There’s always more security technologies than you can implement.
In each case it’s the same answer – triage. Work on the biggest risks. Prioritize. And measure your efforts vs performance over time so that you can refine your process. Here’s a great example of how NOT to evaluate your work: “We remediated 12,822 vulnerabilities last month.” That’s a big number but what if that was just the “Allow anonymous SID/Name translation is not set to Disabled" on 12k workstations? Whereas your credit card authorization gateway server has an unpatched buffer overflow vulnerability exposed to your entire global network including business partner networks? By the numbers it’s 1 vulnerability compared to 12,000. But in terms of real risk it’s totally reversed.
So, your criterial for prioritizing vulnerabilities is perhaps more important than any other aspect of your vulnerability management process.
In this real training for free event we will focus on how to determine the real risk of each discovered vulnerabilities so that you can:
- Fix the risks that matter most first
- Produce a more accurate portrayal of risk posture
- Provide more accurate reporting to management in terms of
- Current risk posture
- Value/performance of remediation efforts
- Risk reduction/increase overtime
Here are some of the vulnerability risk factors we will delve into:
- Vulnerability age
- When discovered?
- When exploit details published?
- How long patch available?
- When first used in attacks?
- How difficult to exploit?
- Proof-of-concept code available?
- Shrink-wrapped tools available?
- What are the pre-requisites?
- Actively being used in attacks?
And it’s not all about the vulnerability; it’s equally about the system in question
- How critical is the asset?
- Type of information
- Part of critical infrastructure
- Critical business process
- How do the pre-requisites of the vulnerability compare to the system’s configuration, role network exposure, attack surface?
- Systems that can access critical systems
Finally, time is of the essence. Vulnerabilities change over time. They may begin with a vendor releasing a patch without any exploit details being public and no known attacks. Then it commonly progresses to the security researchers who discovered the vulnerability releasing exploit details once a patch is available. Then pen-testing and hacker tools begin to appear that exploit the vulnerability. Each of these events increases the exploitability of the vulnerability and hence it’s general risk.
Justin Prince and Nathan Palanov from our sponsor, Rapid 7, will finish up this session by showing you how InsightVM takes into account all these factors to help you divide and conquer the vulnerabilities on your network in the most efficient way possible while focusing on the real risk.
Please join us for this real training for free session.