Enterprises of all sizes are inundated with more vulnerabilities than their teams can ever hope to remediate, so they need a way to prioritize which to fix first. Unfortunately, most use the common vulnerability scoring system (CVSS) to accomplish this task, adopting a strategy to fix all vulnerabilities that are scored seven or above, eight or above, or even just those with a score of 10.
But there are some inherent problems with CVSS. First, it’s a static scoring method. Most CVEs receive a CVSS score within a few weeks of their discovery, before any exploits are written against them, so they’re scored based on the initial assessment of their potential to be exploited, and then rarely—if ever—updated. Another major issue with CVSS is that it lacks any degree of context. That is, the scores are derived from the code itself and its potential for being exploited. No consideration is given to the prevalence of the vulnerability in actual network environments, the volume of exploits, or any other contextual information required for the security analyst to truly understand the level of risk.
If the initial assessment of a particular CVE determines that it’s a low risk, it’s assigned a correspondingly low CVSS score. Even if months later dozens of exploits are published against it, and some of those exploits even lead to hundreds of successful security events, the CVSS score will remain at its initial low level.
Many vulnerability risk management vendors claim to deliver vulnerability scoring in their tools, but they’re really just taking the CVSS score and passing it off as their own. Some even try to mask this fact by changing the scale (e.g., 1-5 instead of 1-10), but they’re really just taking the score and applying a multiplier to fit into their scale (in the case of the 1-5 scale example, they simply divide the CVSS score by 2 and round up). So in reality, these scores suffer from the same inherent problems as the CVSS scores and therefore deliver limited value for security teams trying to prioritize remediation of the vulnerabilities that pose the most risk to their environment.
A Better Way
The Kenna Security Platform leverages Cyber Risk Context Technology to look outside the organization to analyze and understand the volume and velocity of attacker activity by continuously assessing security data from more than 15 threat and exploit intelligence feeds, and then combining that data with extensive internal data sources to provide the context required to determine which vulnerabilities to remediate first. And most importantly, the model is updated every 30 minutes, 24 hours a day, 7 days a week. So when the threat landscape changes, so do your risk scores.
Employing machine learning and data science, Cyber Risk Context Technology ingests, aggregates, and processes tens of billions of pieces of data, from more than 55 sources, and then automates the analysis of this data using a proven data science algorithm to understand what attackers are doing in real time and evaluate which vulnerabilities are most likely to pose a threat to the organization’s specific environment.
How It Works
Working from left to right in this diagram, the Kenna Security Platform uses Cyber Risk Context Technology to assess your internal security data, including vulnerability and asset information. It then analyzes Kenna’s database to identify the top five percent of all vulnerabilities that have been exploited over the past six months and compares them with your vulnerabilities to determine which are most likely to be exploited.
In addition to your internal security data, it also ingests threat and exploit information from more than 15 threat intelligence feeds to understand attacker activity in real time. This is done to understand what attackers are doing, how they’re doing it, and the tools they’re using to exploit vulnerabilities in the wild. It then assesses this information through the lens of volume and velocity to determine which attacks pose the most urgent threat.
Next, all of the security data from the internal and external sources is correlated to determine the relevant consideration set for your organization. After all, you don’t care about exploits for vulnerabilities that aren’t present in your environment, and you can deprioritize any vulnerabilities that don’t pose an immediate risk.
The ensuing data sets are then run through a proven data science algorithm to accurately assess the specific, quantifiable level of risk for every vulnerability. The algorithm includes numerous data science models and predictive technologies, including natural language processing to investigate social media sites, the dark web, and other places where vulnerabilities are being discussed and extract the language associated with vulnerabilities to determine whether or not an exploit will be developed. The data is then analyzed using a number of predictive technologies, including support-vector machines (SVM), random forest, logistic regression, and vulnerability inference.
Kenna uses the results of these analyses to deliver an accurate, quantifiable risk score for every vulnerability, asset, and group of assets across your entire environment. The risk score takes into account the number of instances of each vulnerability in the environment, the potential severity, and the assets that are threatened as a result of each vulnerability.
Finally, the Remediation Intelligence Engine determines which vulnerabilities pose the greatest risk to the organization and whose remediation will have the maximum impact on risk score reduction. It then clearly identifies which vulnerabilities should be remediated first and articulates the specific impact each action will have on your organization’s risk posture.
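As an added illustration of the correlate-then-score procedure described above (example code written for this page, not Kenna's algorithm or data), the following Python ranks a constructed scan against constructed exploit intelligence and contrasts the result with a static CVSS threshold and with the divide-by-two rescaling mentioned earlier; the CVE-0000-* identifiers, the counts and the weighting formula are all placeholders.

```python
from dataclasses import dataclass
from math import ceil

@dataclass(frozen=True)
class Finding:
    cve: str        # identifier as reported by the scanner
    cvss: float     # static CVSS base score, fixed at disclosure
    instances: int  # assets in our environment carrying this vulnerability

# Constructed internal scan results (the page's "internal security data").
FINDINGS = [
    Finding("CVE-0000-0001", 4.3, 80),  # low CVSS, widely deployed
    Finding("CVE-0000-0002", 9.8, 2),   # critical CVSS, two assets
    Finding("CVE-0000-0003", 7.5, 10),
]

# Constructed exploit intelligence: cve -> (public exploits, observed attack events).
INTEL = {
    "CVE-0000-0001": (12, 300),  # scored low at disclosure, heavily exploited since
    "CVE-0000-0002": (0, 0),     # no public exploit yet
    "CVE-0000-0003": (3, 10),
    "CVE-0000-0004": (40, 900),  # exploited in the wild, but absent from our environment
}

def rescale_cvss(cvss: float) -> int:
    """The vendor 1-5 'score' from the text: CVSS divided by two, rounded up."""
    return ceil(cvss / 2)

def cvss_priority(findings, threshold=7.0):
    """Static strategy: fix everything at or above the threshold, highest first."""
    return [f.cve for f in sorted(findings, key=lambda f: -f.cvss) if f.cvss >= threshold]

def correlate(findings, intel):
    """Keep only intelligence about vulnerabilities actually present internally."""
    present = {f.cve for f in findings}
    return {cve: v for cve, v in intel.items() if cve in present}

def context_score(finding, intel):
    """Severity x exposure (instances) x attacker activity (exploit volume, events)."""
    exploits, events = intel.get(finding.cve, (0, 0))
    return round(finding.cvss * finding.instances * (1 + exploits + events / 10), 1)

def context_priority(findings, intel):
    """Dynamic strategy: rank by current context; re-run whenever intel changes."""
    relevant = correlate(findings, intel)
    return [f.cve for f in sorted(findings, key=lambda f: -context_score(f, relevant))]
```

Re-running context_priority after the intelligence changes reorders the list, which is the behaviour a CVSS threshold (or a rescaled copy of it) cannot provide.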
This way, your security teams will know with certainty which specific remediation actions will reduce the greatest amount of risk for each asset group.
By delivering a dynamic scoring method that considers a comprehensive set of internal and external data sources to provide full context into the specific amount of risk for every vulnerability, Kenna helps security and IT teams effectively prioritize remediation efforts based on what will reduce the most risk—maximizing the effectiveness of your vulnerability management program while making the most efficient use of your limited resources.
To learn more about how to better target your remediation efforts, read the Cyber Risk Context Technology Solution Brief.