Let's first understand how vulnerabilities are prioritized.
 
Traditionally, organizations have used the industry standard CVSS for measuring how easy it is to exploit a vulnerability and how damaging the exploit can be. Scores range from 0 to 10, with 10 being the most severe. CVSS is a great starting point for evaluating the potential impact of a vulnerability.
Unfortunately, almost two-thirds (61%) of the vulnerabilities that enterprises find in their environments have a CVSS (version 3/3.1) score of “critical” or “high,” according to the Vulnerability Intelligence Report from Tenable Research. Cisco also conducted a study on this topic and found that the average base score increased from 6.5 in CVSSv2 to 7.4 in CVSSv3. This means that the average vulnerability increased in qualitative severity from “Medium” to “High.” The same study concluded that far more vulnerabilities increased in severity than decreased.
 
Therefore, CVSS does not help identify the vulnerabilities requiring the most urgent attention – nor was it intended to do so. This leaves organizations with a mountain of vulnerabilities and insufficient context to prioritize them.
 
An analogy from healthcare illustrates the situation. It is like prioritizing research on an ultra-rare but severe disease above research on slightly less severe but much more common diseases. Without understanding how widespread and actively spreading each disease is, health organizations might focus primarily on the first disease, even though the others are much more likely to spread and could still be fatal. This would likely be a misallocation of resources.
 
The same is true for cybersecurity teams, who should take a risk-based approach to managing vulnerabilities within the context of 👉 THEIR business environment.
  • According to a report from the National Vulnerability Database (NVD), companies detected 16,500 vulnerabilities in 2018.
  • 17,313 new vulnerabilities were disclosed in 2019 – and CVSS categorized the majority as high or critical.
👉 With vulnerabilities on the rise, how can you identify the biggest threats to your business – and know what to fix first?
This is where Tenable's Predictive Prioritization comes into the picture.

What is Predictive Prioritization?

The number of vulnerabilities has nearly doubled in the past two years. But the number of vulnerabilities being exploited is only a small fraction of the total. Predictive Prioritization enables you to zero in on remediating the vulnerabilities that matter most.
 
Predictive Prioritization combines Tenable-collected vulnerability data with third-party vulnerability and threat data and analyzes them together using an advanced data-science algorithm developed by Tenable Research. Each vulnerability now receives a Vulnerability Priority Rating (VPR) that incorporates the result of this analysis. The rating is updated on 👉 a DAILY basis and covers vulnerabilities that have not yet been published in the National Vulnerability Database (NVD).

How Predictive Prioritization works

Predictive Prioritization starts with the Vulnerability Priority Rating (VPR), which uses a point scale of 0 to 10, just like CVSS. However, VPR enables organizations to focus on the vulnerabilities that:
 
• Are most likely to be exploited
• Will have a major impact on the asset, if exploited
 
Predictive Prioritization combines data from various sources, powered by machine learning and predictive analytics, including the familiar CVSS scores.
However, Predictive Prioritization delivers a more relevant and timely view of vulnerability priority than CVSS by replacing the CVSS exploitability and exploit code maturity components with a 👉 THREAT SCORE produced by real-time threat intelligence and machine learning, as shown in the above graphic.

How is this THREAT SCORE arrived at?

This threat score is powered by a diverse set of data sources, each of which is weighted based on its predictive capability. The threat model analyzes 150+ distinct vulnerability characteristics in seven categories, including:
  • Past threat pattern
  • Past threat source
  • Vulnerability metrics
  • Vulnerability metadata
  • Past hostility
  • Affected vendor
  • Exploit availability (using threat intelligence data)
Tenable ingests data from an ever-growing list of threat intelligence sources. An automated process analyzes all the raw data on each vulnerability – including its age, the availability of exploits and exploit kits, its presence in ExploitDB and Metasploit, and whether it is being actively discussed on the dark web, in forums or on social media.
 
👉 Finally, multiple predictive, machine learning models work together to produce the threat score. These models use historical data to understand the relationship between the input features and the likelihood of threat activity, and thus can predict future threat activity.
 
With these dynamic models, vulnerabilities are scored daily, which means the score on any given day represents the real-time threat risk as the threat landscape changes. Additionally, the models build on the existing CVSS framework to produce a single score that reflects threat intelligence, exploit code maturity, and vulnerability characteristics – providing a complete view of the threat. All of this is done by Tenable for you.
 
On top of this, there is an optional (paid) service that lets you automatically assign a risk value to each and every asset you have.

Guys, what are your thoughts or opinions about this approach to vulnerability prioritization?
Kindly leave me your views in the comment section.
 
This article was written and published by Meena R, Senior Manager - IT at Luminis Consulting Services Pvt. Ltd, India.

Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...

She is so passionate about the Cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about Cybersecurity on her website and on social media platforms.

30,000+ professionals follow her on Facebook and are impressed by the quality of the content in her posts.

If you haven't yet come across her enthusiastic work of sharing quality information about Cybersecurity, you can follow her on Facebook:

Follow her here: Cybersecurity PRISM