As suggested by vulndb and cve, on a daily basis, approximately 50 new vulnerabilities become known to industry and even if an organization considers the impact rate of 10%, it’s still very challenging to manage it effectively and it’s safe to assume that count is going to increase furthermore. So with this amount organization is focusing (or should focus) on reducing the risk rather than eliminating it.
In current era, vulnerability management is (almost) equal to risk prioritisation because
- Resources (skillset and time) is limited in every organisation
- Environment is changing too fast and too frequently (ROI is less in analysis and remediation of a vulnerability if affected asset is not going to be live for a longer time - small attack surface)
- Attack surface is increasing exponentially in diversity (which again comes down to prioritisation)
- Remember the 80/20 rule - 20% of vulnerabilities bring 80% of risk
So what is risk? How do we calculate it? What are the factors contributing to risk?
- CVSS (historically used) - No
- Asset Criticality - No
- Asset Accessibility - No
- Exploit Applicability - No
- Exploit Availability - No
- Ease of Exploitation - No
- Attack Surface - No
- All of the Above - Yes
Theoretically, the above approach looks appropriate to adopt but practically it’s not possible to do it manually for every vulnerability affecting every asset by every organisation.
To overcome the above challenges I have prepared an open-source framework, vPrioritizer, which gives us ability to assess the risk on different layers such as (and hence comprehensive control on granularity of each component of risk):
- We can assign significance on per asset basis
- We can assess severity on per vulnerability basis
- At the same time, we can adjust both factors at asset & vulnerability relationship level
- On top of that, community analytics provides insights as suggested risk
This framework enables us to understand the contextualized risk pertaining to each asset by each vulnerability across the organization. It’s community based analytics provides a suggested risk for each vulnerability identified by vulnerability scanners and further strengthens risk prioritization process. So at any point of time teams can make an effective and more informed decision, based on unified and standardized data, about what (vulnerability/ties) they should remediate (or can afford not to) on which (asset/s).