Beyond Scanning: How Threat Intelligence Enhances Vulnerability Management
By The Recorded Future Team on May 22, 2018
- Vulnerability scanners are a valuable tool, but they don’t provide the information necessary to prioritize remediation work.
- Many organizations rely completely on scan results, and are routinely left defenseless against serious vulnerabilities.
- Internal data, even when combined with vulnerability databases, is not enough to inform truly risk-based decisions.
- Comprehensive threat intelligence provides the context necessary to take the guesswork out of vulnerability management.
On the face of things, vulnerability management seems simple enough.
First you run a vulnerability scan to identify vulnerable systems. Using the results of the scan, you identify next actions. Next, you complete those actions, which usually involves rolling out patches. Finally, you rescan to ensure your remediation efforts have been successful.
So what’s hard about that? Doesn’t the vulnerability scanner do most of the work?
Yes and no. Many organizations do rely exclusively on a scanner to help them identify and remediate vulnerabilities, but there is a whole range of issues with this approach.
The Trouble With Vulnerability Scanners
Vulnerability scanners are incredibly powerful and valuable tools that can help transform an impossibly manual process into something that can be implemented and maintained by a typical organization.
Unfortunately, they also bring their own set of problems. For instance:
Overwhelm — In a sense, vulnerability scanners can be guilty of being too good at their job. A typical scan can easily identify dozens or even hundreds of potential vulnerabilities to address, without providing a clear picture of which should be addressed first (i.e., those that are most likely to be exploited). This can often lead vulnerability management teams to focus on remediating the greatest number of vulnerabilities, as this makes it easy to track and gauge the performance of the team. Unfortunately, since some vulnerabilities pose vastly greater risk than others, the numbers approach is far from an effective strategy.
Overreliance — When your scans return so many results, it’s natural to assume that all of your existing vulnerabilities have been identified. Unfortunately, that’s just not the case. In fact, 75 percent of all vulnerabilities show up online (if you know where to look) an average of seven days before they’re listed in the NIST National Vulnerability Database (NVD).
So why is this a problem? Quite simply, because most organizations treat their scan results as though they were complete — they don’t pursue any other avenues to identify potential sources of cyber risk. As a result, incomplete scan results leave organizations defenseless against serious vulnerabilities until their next scan.
Lack of Context — Perhaps the greatest issue with vulnerability scanners is that they don’t help organizations understand the significance of any specific vulnerability. For instance, a vulnerability may seem important because it affects business-critical systems, and thus be prioritized ahead of all others. But if that vulnerability is highly unlikely to be exploited, for whatever reason, it could actually be quite insignificant compared to another vulnerability that is being actively abused by a popular exploit kit.
Put another way, vulnerability scanners combine data from only two sources: the organization’s network, and one or more vulnerability databases. By combining this data, a scanner can produce a list of existing vulnerabilities within the network. What scanners don’t do is put the vulnerabilities on that list in the context of the wider threat landscape, which would enable vulnerability management teams to understand the significance of individual vulnerabilities, and prioritize or remediate them accordingly.
It should be noted that while vulnerability scanners have their problems, the question should never be, “What can we use instead?”
Quite the opposite, in fact. To solve the problems laid out above, it’s necessary to use a vulnerability scanner in combination with other valuable sources of data.
And where does that data come from? Threat intelligence.
Threat intelligence helps vulnerability management teams put scan results into the context of their organization’s threat landscape. This enables them to answer questions such as:
- Which vulnerabilities are most exploited in our industry?
- Are any of these vulnerabilities being actively exploited right now?
- Are any of these vulnerabilities included in active exploit kits?
- If exploited, what impact could this vulnerability have?
At the same time, a powerful threat intelligence capability provides updates from a comprehensive range of sources, ensuring there is no time lag between a vulnerability surfacing on the open or dark web and its inclusion in the vulnerability management process.
All of this enables vulnerability management teams to make informed, risk-based decisions about which vulnerabilities need to be addressed, and with what level of urgency.
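The re-ordering described above, as an added example (not Recorded Future's code): constructed scan findings are ranked once by CVSS alone, as a scanner would rank them, and again with hypothetical threat-intelligence flags for active exploitation, exploit-kit inclusion and industry targeting. All CVE ids, host names, flags and weights are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    """One row of scanner output: database severity plus internal asset context."""
    cve: str
    cvss: float            # base score from the vulnerability database
    asset: str
    asset_critical: bool   # from the organisation's own asset inventory

@dataclass
class ThreatContext:
    """Context a scanner cannot supply; all flags are assumptions for this example."""
    exploited_in_wild: bool = False   # active exploitation observed
    in_exploit_kit: bool = False      # bundled in a commodity exploit kit
    industry_targeted: bool = False   # used against our sector

def scanner_order(findings):
    """What a scanner alone can do: rank by CVSS, tie-break on asset criticality."""
    return sorted(findings, key=lambda f: (f.cvss, f.asset_critical), reverse=True)

def risk_score(finding, ctx):
    """Database severity + internal context + threat-intelligence context.
    Weights are illustrative assumptions, not a published formula."""
    score = finding.cvss + (1.0 if finding.asset_critical else 0.0)
    score += 3.0 if ctx.exploited_in_wild else 0.0
    score += 2.0 if ctx.in_exploit_kit else 0.0
    score += 1.0 if ctx.industry_targeted else 0.0
    return score

def intel_order(findings, intel):
    """Rank by risk_score; a CVE absent from the feed gets an empty context."""
    return sorted(findings, reverse=True,
                  key=lambda f: risk_score(f, intel.get(f.cve, ThreatContext())))

# Constructed scan output (placeholder CVE ids and hosts, not real advisories).
FINDINGS = [
    Finding("CVE-0000-0001", 9.8, "erp-db-01", True),
    Finding("CVE-0000-0002", 7.5, "web-proxy-03", False),
    Finding("CVE-0000-0003", 8.1, "hr-portal", True),
    Finding("CVE-0000-0004", 5.3, "kiosk-12", False),
]
# Constructed intelligence feed keyed by CVE id.
INTEL = {
    "CVE-0000-0002": ThreatContext(exploited_in_wild=True, in_exploit_kit=True),
    "CVE-0000-0004": ThreatContext(exploited_in_wild=True, industry_targeted=True),
}

if __name__ == "__main__":
    print("scanner only:", [f.cve for f in scanner_order(FINDINGS)])
    print("with intel:  ", [f.cve for f in intel_order(FINDINGS, INTEL)])
```

The two orderings differ: the medium-severity finding on a non-critical host moves to the top once the feed reports it as actively exploited and packaged in an exploit kit.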
Threat Intelligence Throughout the Security Function
The security function is fueled by decision making.
For example, vulnerability management teams must decide which vulnerabilities to tackle, and in what order. Incident response teams must decide how to tackle each new incident. Security operations centers (SOCs) need to identify which alerts are important, which are false positives, and how to behave as a result. CISOs make decisions every day that affect the overall security profile of their organization.
In many cases, these security disciplines are forced to make decisions using only internal data. As we’ve already seen, this can cause huge problems, as internal data lacks the vital context of the wider threat landscape.
The true value of threat intelligence is simple — it enables professionals across the security function to make faster, better, risk-based decisions.
To find out how threat intelligence can empower the full spectrum of security professionals, and specifically within your organization, read our latest white paper, “Busting Threat Intelligence Myths: A Guide for Security Professionals.”