Correlate more data on vulnerabilities with real risks

Sheila Zabeu -

January 03, 2022

To keep up with the growing diversity of cyber threats, many organizations rely on third-party metrics that place each vulnerability on a generic risk scale. That approach often lacks the context needed to understand, and actually reduce, the risks specific to each individual organization.

With so many categories of security vulnerabilities, how do you know which ones to prioritize? Trying to address them all is not only practically impossible but can divert resources from those that pose the greatest risk to the organization in question.

Focusing on the vulnerabilities that are most critical to a given organization seems the soundest strategy, but it is not being followed as widely as it should be. A recent Vulcan Cyber survey showed that IT security teams are not doing enough to correlate vulnerability data with real business risks, leaving organizations exposed.

“While IT security teams work hard to defend their organizations, it is clear that threat intelligence and traditional metrics like vulnerability severity scores are unable to generate the business-specific insights needed to ensure comprehensive protection. These teams need the insights, processes, and tools to prioritize the risks that matter most to the business,” highlights Yaniv Bar-Dayan, co-founder and CEO of Vulcan Cyber. The survey revealed that 86% of respondents rely on third-party data on risk severity to prioritize how they will address vulnerabilities and that another 70% also use third-party threat intelligence.  

The study found that most respondents group vulnerabilities by infrastructure (64%), by business function (53%), and by application (53%). Prioritizing solely by infrastructure or application group is not meaningful without asset context (what the asset does, what it exposes, and who depends on it), Vulcan Cyber points out.

Security teams use different models to rank and prioritize security flaws. Some 71% of respondents said they use the Common Vulnerability Scoring System (CVSS), a free and open industry standard that rates the technical severity of a vulnerability on a 0 to 10 scale. Another 59% use the OWASP Top 10, while 47% rely on the ratings produced by their scanning solutions, 38% rely on the CWE Top 25 and 22% rely on a bespoke (in-house) scoring model. Some 77% of respondents revealed that they use at least two of these models to score and prioritize vulnerabilities.

The survey revealed that these methods are proving insufficient and that the prioritization practices organizations currently use are out of step with their actual risk. 78% of respondents said that some vulnerabilities ranked as high priority should in fact be ranked lower, while 69% said that some lower-ranked vulnerabilities should be ranked higher. Over 80% of respondents agreed that they would benefit from greater flexibility to prioritize vulnerabilities based on their specific risk environment.
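The re-ranking the survey respondents describe (high-severity findings that should move down, lower-severity findings that should move up) follows directly once asset context is applied to a severity score. The following is an added example, not Vulcan Cyber's product logic or the survey's method, that takes scanner findings with CVSS base scores, attaches the asset context mentioned above (exposure, business criticality, data sensitivity, known exploitation, compensating controls) and compares the CVSS-only order with the context-aware order. The weighting scheme and the sample findings are hypothetical and constructed for illustration.

```python
"""Context-aware vulnerability ranking.

Added example (not from the article or Vulcan Cyber). The multipliers in
contextual_risk() are an illustrative assumption, not an industry formula;
the point is that the ordering changes once asset context is applied.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    business_criticality: int        # 1 (lab box) .. 5 (revenue-critical)
    handles_sensitive_data: bool


@dataclass(frozen=True)
class Finding:
    finding_id: str                  # placeholder id, not a real CVE
    asset: Asset
    cvss_base: float                 # as reported by the scanner
    exploited_in_wild: bool          # e.g. present in a known-exploited feed
    compensating_control: bool       # WAF rule, network isolation, etc.


def contextual_risk(f: Finding) -> float:
    """Hypothetical scoring: start from CVSS, scale by asset context,
    clamp to 0..10 so the result stays comparable with CVSS."""
    score = f.cvss_base
    score *= 1.0 + 0.15 * (f.asset.business_criticality - 3)   # 0.70 .. 1.30
    score *= 1.3 if f.asset.internet_facing else 0.7
    if f.asset.handles_sensitive_data:
        score *= 1.2
    if f.exploited_in_wild:
        score *= 1.5
    if f.compensating_control:
        score *= 0.6
    return round(min(max(score, 0.0), 10.0), 1)


def rank(findings: List[Finding], key: Callable[[Finding], float]) -> List[str]:
    """Finding ids ordered from highest to lowest by the given scoring key."""
    return [f.finding_id for f in sorted(findings, key=key, reverse=True)]


def rank_shift(findings: List[Finding]) -> Dict[str, int]:
    """Position change per finding when moving from CVSS-only to contextual
    ranking: negative = should be ranked higher, positive = should be ranked lower."""
    cvss_order = rank(findings, key=lambda f: f.cvss_base)
    ctx_order = rank(findings, key=contextual_risk)
    return {fid: ctx_order.index(fid) - cvss_order.index(fid) for fid in cvss_order}


# Constructed sample data (assumed, for illustration only).
LAB = Asset("jenkins-lab", internet_facing=False, business_criticality=1, handles_sensitive_data=False)
PAYMENTS = Asset("payments-api", internet_facing=True, business_criticality=5, handles_sensitive_data=True)
INTRANET = Asset("hr-intranet", internet_facing=False, business_criticality=3, handles_sensitive_data=True)

SAMPLE = [
    Finding("F-001", LAB, 9.8, exploited_in_wild=False, compensating_control=True),
    Finding("F-002", PAYMENTS, 6.5, exploited_in_wild=True, compensating_control=False),
    Finding("F-003", INTRANET, 7.5, exploited_in_wild=False, compensating_control=False),
]


def by_cvss(findings: List[Finding] = SAMPLE) -> List[str]:
    return rank(findings, key=lambda f: f.cvss_base)


def by_context(findings: List[Finding] = SAMPLE) -> List[str]:
    return rank(findings, key=contextual_risk)


if __name__ == "__main__":
    print("CVSS-only order:   ", by_cvss())
    print("Context-aware order:", by_context())
    for f in SAMPLE:
        print(f"{f.finding_id} on {f.asset.name:13s} cvss={f.cvss_base:4.1f} "
              f"context={contextual_risk(f):4.1f}")
    print("rank shift:", rank_shift(SAMPLE))
```

With these inputs the 9.8 on the isolated, mitigated lab host drops to the bottom and the 6.5 on the exposed, actively exploited payments API rises to the top. The multipliers are a starting point to be tuned per organization; what matters is that the context fields are populated from an asset inventory rather than guessed per ticket.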

“Security teams need more control to have more precision in scoring, prioritizing, and mitigating cyber risks. Risk-based vulnerability management practices lack a common framework, which limits the ability to collaborate on cybersecurity and effectively reduce risk. As a result, cyber protection remains insufficient across most industries, and organizations remain exposed,” highlights Bar-Dayan. 

The largest share of respondents (54%) said their greatest concern was exposure of confidential data through application vulnerabilities, followed by broken authentication (44%), security misconfiguration (39%), and insufficient logging and monitoring (35%).

Vulcan Cyber has listed some free and open source tools that can help with cyber risk assessment and mitigation:

1. Application scanners 

Static Application Security Testing (SAST): Analyzes source code without executing it, checking it against coding standards and a library of known insecure patterns, and reports the weaknesses that need to be addressed. Some of the best free SAST tools are Bandit, NodeJsScan, and SonarQube.

Dynamic Application Security Testing (DAST): Exercises the running application from the outside to detect vulnerabilities. Execution matters because some vulnerabilities only appear when the application is running. The most popular free DAST tools are Archery, Arachni, and OWASP ZAP.

Dependency Scanner: In the age of distributed architectures, it is important to check third-party dependencies for known vulnerabilities. The three best-known free dependency scanners are OWASP Dependency-Check, Snyk, and WhiteSource Bolt for GitHub.

Runtime Application Self-Protection (RASP): Instruments the application itself to continuously monitor its runtime behavior and block attacks without human intervention. Two free tools listed in this category are Sqreen and Wapiti (note that Wapiti is in fact a black-box web vulnerability scanner and belongs with the DAST tools above).

2. Network and infrastructure scanners: Identify vulnerabilities in networks and connected devices, such as unprotected entry and exit points, unknown devices, incorrect security settings, and missing software updates. The best-known tool in this category is OpenVAS, which includes more than 50,000 vulnerability tests, but there are alternatives such as Wireshark, Nmap, Qualys Community Edition, Burp Suite Community Edition, w3af, and Vuls (Wireshark is a packet analyzer and Burp Suite and w3af are web application testing tools, so they complement rather than replace a network vulnerability scanner).

3. Prioritization repositories: Rank vulnerabilities according to technical severity. The main sources are Vulcan Free, CVE Details, WPScan Vulnerability Database, CERT-EU, Zero Day Initiative, Vulners, and Rubysec.

4. Remediation tools: Public databases and repositories on vulnerabilities often include vendor recommendations on how to fix them – usually a link to patches. 

5. Automation solutions: Open source tools can be used to automate various aspects of vulnerability remediation, from opening tickets to automated configuration changes. Some known solutions are Redmine, OpenProject, Rocket.Chat, Comodo ONE Windows Patch Management, Opsi, Patch Manager Plus Free Edition, Foreman, and CFEngine.