New Google vulnerability: Learn about zero-day CVE-2022-3075 in Chorme web browser  | Fix now >> 

The CyberRisk Summit on-demand: Watch the latest #CRS anytime, anywhere | Watch now  >>

New report: Mapping MITRE ATT&CK framework to CVEs |  Read more  >>

Perspectives

In large friendly letters - making sense of cyber vulnerabilities

All those tools and scanners mean that organizations are faced with a mountain of cyber vulnerabilities. Making sense of that data can often seem an insurmountable challenge - smart prioritization according to business context is key. Here's how your organization can make sense of it all.

Mike Parkin | April 14, 2022

There is a well-known travel guide that is popular, in part, because it has “Don’t Panic” embossed conspicuously on the cover. In the world of cybersecurity, where new vulnerabilities and new attacks are announced on an almost daily basis, it’s a phrase we should take to heart. While we need to be aware of evolving cyber vulnerabilities and how they impinge on our threat surface, panic is never the best course. 

Practitioners know this, of course. We know the vulnerability statistics are all over the map and that a high risk score on a CVE doesn’t always translate to massive exploits in the wild. At the same time, we know that a low risk score doesn’t mean we can ignore it. Whether a given vulnerability will be exploited in the wild, and how widespread that exploitation will run, can be hard to guess just from reading a CVE announcement. The uncertainty makes it hard to predict which vulnerability will become the next Big Thing™. 

This isn’t to say that we shouldn’t care about every CVE that applies to a system in our environment. But with limited resources to implement patches and mitigations, we need to focus on the ones that will give us the most benefit. If our process allows us to execute a whole collection of patches at once, great. But often there are more patches and mitigations than we can handle with the resources we have, which means we need a way to effectively and efficiently prioritize. 

When there’s a serious vulnerability that’s being widely exploited, it’s easy to push it to the top of the stack. It takes priority.   

Don’t panic. Just fix. 

That’s what we have processes for. But what about all the vulnerabilities that are known but don’t have any known exploits in the wild? What about the ones that are being exploited, but don’t appear to pose much risk for your environment? How do you prioritize? We should take care of them all, and we will, eventually, maybe. 

This is where a cyber risk management tool comes into play.   

Your device management tools can give you an inventory and automate the distribution of patches and, possibly, even workarounds that can mitigate a vulnerability. But they don’t necessarily give you any insight into which ones take priority. They may also miss dependencies in a production environment, where patching one library means your own DevOps team needs to update code that relied on that library. Potential problems like that are why change management and test environments exist.   

Vulnerability scanners can show you which systems need to be patched or protected, but they rarely let you know which cyber vulnerabilities are the priority in your specific environment. While relying exclusively on CVSS scores works, it doesn’t give the full picture. A threat intelligence feed can help with that by giving insights into what’s happening in the wild, it also doesn’t address your specific environment. 

Add in the challenge of siloed responsibilities, and it becomes more complex. One team is in charge of cybersecurity, while another manages the network, a third manages the endpoints and servers, and fourth deals with developing and maintaining internal and external applications. Even when they cooperate, it can be hard to coordinate and communicate across the teams. 

Your basic risk management tool starts by percolating the most important issues to the top of the stack. But that’s not enough.  To be effective, your risk management system should be percolating up the issues that are most important in your environment. As mentioned, reporting a high risk in the CVE score doesn’t mean it automatically needs to be your top priority. Likewise, a lower score doesn’t mean we can put it off, because in your environment that vulnerability may be a lot more important than it is to anyone else. 

Additionally, the best tools will help you coordinate across teams. Silos can be an obstacle to getting the most important fixes and mitigations deployed in a timely manner, and your ideal risk management tool will cross those silos to get the right information, about the right assets, with the right fixes, to the right people. 

A tool like Vulcan Cyber lets you do that.   

So when the next high-risk CVE crops up you can skip the panic stage and go right to getting the issue prioritized, communicated, and fixed.