Prioritizing Risk with Vulcan Remediation Orchestration

Rhett | June 05, 2019

By this point, we’re all well aware of the torrents of vulnerabilities out there and the pressure that they impose on CISOs and security teams. That’s why incorporating automation methodologies into the vulnerability remediation processes has become key to handling the current threat landscape safely and consistently. And not just for efficiency’s sake. As Larry Baincul argues, “Criminals are all automated and the only way for companies to counter that is to be automated as well.”

Automation is at the heart of Vulcan Cyber’s platform because we believe it lets security teams drive remediation forward and scale their vulnerability remediation process across infrastructures, applications, and code, minimizing their cyber risk.

However, when it comes to remediation, automation won’t stick by itself; it has to be combined with prioritization of vulnerabilities. If you’re not choosing the right targets, speed and consistency won’t be enough to keep your network safe. So how does the Vulcan platform prioritize vulnerabilities?

Beyond CVSS Scores

Instead of relying on “objective” metrics, such as the raw CVSS score, to prioritize vulnerabilities, Vulcan promotes a subjective approach to vulnerability prioritization, seeing that the impact of any one vulnerability will differ according to the environment.

That being said, companies tend to over-rely on the Common Vulnerability Scoring System (CVSS) as the basis for prioritizing vulnerabilities. At first, this might sound reasonable: a neutral body assigning a numerical value (0-10, with 10 being the highest) to each vulnerability on the basis of the damage it could cause.

There are several problems with this approach, the most important of which is that a CVSS score is often “mistreat[ed ..] as risk assessment” according to Art Manion, co-author of a Carnegie Mellon study on CVSS scores. Although a potential threat might be deemed “critical” or “severe”, other less technically severe threats may actually be more exploitable and thus pose a greater risk. Instead of relying solely on CVSS scores, Vulcan Cyber uses them as one input to determine which vulnerabilities pose a greater threat to a company’s network.

Thus, Vulcan prioritizes vulnerabilities according to the specific threat that they pose to your environment. In order to assess this risk, the Vulcan platform identifies and tracks four key metrics: security data, business data, asset data, and threat intelligence.

Security Data

Vulcan’s platform integrates with the existing tools used by the enterprise, such as Qualys, Rapid7, SourceClear and Whitesource (to name a few) via APIs. It harnesses the data gathered to create a clear picture of all the vulnerabilities in the system and a full view of the coverage in the system as well.

Business Data

Vulcan believes that business operations must play an integral role in the prioritization process. Since different assets hold different functions in every system, they cannot all be painted with the same brush. In fact, it is crucial to draw distinctions between them if you want to prioritize wisely. It goes without saying that vulnerabilities that pose a threat to assets of high business importance should feature further up the list and be dealt with sooner rather than later. By connecting to CMDBs, Vulcan’s mechanism takes into account the level of business risk in its prioritization algorithm, and when combined with Vulcan’s asset criticality feature, CISOs can rest assured that their priorities are in line with the rest of the company’s.

Asset Data

Vulcan provides a clear view of your company’s assets, integrating across inventories, deployment tools, and asset management tools, and thereby gives an in-depth understanding of asset configurations, security posture, and status. Having such information at hand has great benefits when it comes to prioritization. For example, if a vulnerability with a high CVSS score is discovered, but it is only exploitable via USB, a company whose assets sit in the cloud would not be affected by this. Thus, as a result of the asset data input, this vulnerability would not be prioritized as highly as it would have been if based on CVSS score alone. This may sound straightforward, but many companies waste valuable time trying to fix vulnerabilities that don’t pose a threat to their specific assets.

Threat Intelligence

Since vulnerabilities don’t exist in a vacuum, it’s crucial to understand their status in the wild. Vulcan’s prioritization methodology is powered by Threat Intelligence: by connecting to dozens of threat intelligence feeds, Vulcan is able to determine whether known IOCs are being used to exploit specific vulnerabilities. These results would alter the desired course of action, and as such would alter the prioritization of the vulnerabilities in the network.

All these metrics exist within a single pane of glass, tied to your existing infrastructure, for you to review, understand, and prioritize, and most importantly to lead you to the right data-driven action.
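To make the idea concrete, here is an added illustration (not Vulcan's algorithm or code) of how the four inputs can reorder a queue that raw CVSS would rank differently, including the USB-only case from the Asset Data section. The field names, multipliers and sample findings are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Attack Vector (AV) values that appear in a CVSS v3.x vector string.
ATTACK_VECTORS = {"N": "network", "A": "adjacent", "L": "local", "P": "physical"}

@dataclass
class Finding:
    vuln_id: str             # constructed placeholder, not a real CVE
    cvss: float              # security data: base score from the scanner
    vector: str              # security data: CVSS vector string
    criticality: int         # business data: 1 (low) .. 5 (critical), e.g. from a CMDB
    internet_facing: bool    # asset data
    physical_access: bool    # asset data: can a device be plugged in?
    exploited_in_wild: bool  # threat intelligence

def attack_vector(vector: str) -> str:
    """Extract the attack vector from a 'CVSS:3.1/AV:N/...' string."""
    metrics = dict(part.split(":", 1) for part in vector.split("/")[1:])
    return ATTACK_VECTORS[metrics["AV"]]

def contextual_score(f: Finding) -> float:
    """Scale the base score by reachability, business value and threat activity.
    The multipliers are illustrative assumptions, not a published model."""
    av = attack_vector(f.vector)
    if av == "physical" and not f.physical_access:
        reach = 0.1   # e.g. a USB-only flaw on a cloud-hosted VM
    elif av == "network" and f.internet_facing:
        reach = 1.0
    else:
        reach = 0.6
    threat = 1.5 if f.exploited_in_wild else 1.0
    return round(min(10.0, f.cvss * reach * (f.criticality / 5) * threat), 2)

def prioritize(findings):
    return sorted(findings, key=contextual_score, reverse=True)

def sample_findings():
    # Constructed sample data.
    return [
        Finding("VULN-A", 7.6, "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", 4, False, False, False),
        Finding("VULN-B", 6.5, "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", 5, True, False, True),
        Finding("VULN-C", 9.8, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 1, False, False, False),
    ]

if __name__ == "__main__":
    for f in prioritize(sample_findings()):
        print(f.vuln_id, f.cvss, contextual_score(f))
```

Sorted by raw CVSS the order is VULN-C, VULN-A, VULN-B; with context applied, the medium-severity finding on the critical, internet-facing asset with known exploitation moves to the top.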

Bringing It All Back Home

The way in which Vulcan prioritizes vulnerabilities is substantiated through rigorous and varied data sourcing and saves security teams more than just time. Vulcan’s prioritization mechanism functions according to each specific environment, leading to highly targeted, accurate and efficient responses and solutions. After all, if your priorities are not straight, you cannot be certain that you are taking the right course of action at the right time. Prioritizing is key to managing the floods of threats arriving at your door each day. Vulcan’s platform strategically synthesizes a wide cross-section of data, including security, business, asset, and threat data, to give the clearest possible view of which incoming threats to prioritize. This way you can rest assured that you are dealing with the right threat at the right time.

If you would like to learn more about Vulcan, why not schedule a demonstration?
