Is That Vulnerability Critical? Judging the Severity of Threats With Threat Intelligence
March 15, 2019 • Zane Pokorny
Over 16,500 known security vulnerabilities were cataloged in 2018. That’s more than 45 a day. Who can keep up?
Managing vulnerabilities continues to be a thorn in the side of security operations for any organization. But taking a “patch everything, everywhere” approach is impossible to do in a timely way and at scale — and as digital footprints grow larger, the problem will only become more complex. The best approach to managing vulnerabilities is to prioritize them based on the actual threat they pose. And the best way to get the context needed to prioritize what to patch and what to ignore is with fast, accurate, and easy-to-use threat intelligence.
To see how cyber threat intelligence improves vulnerability management, we’ll have to answer the following questions:
- Why are there so many vulnerabilities?
- What makes a vulnerability critical, and how do we judge the severity of a threat?
- Why shouldn’t we just patch them all?
- How can we prioritize vulnerabilities better with real-time threat intelligence?
Why Are There so Many Vulnerabilities?
A vulnerability is most simply defined as a flaw in a system’s software or hardware that could be exploited to harm that system. It’s usually an unintended side effect or weakness that comes about because, well, software and hardware development is hard.
The complexity of most programs these days — even simple phone apps are written with code usually tens of thousands of lines long — means that it’s basically impossible to test every possible interaction, edge case, or quirk. And that’s setting aside the fact that some vulnerabilities are just caused by ignorance, neglect, or poor practices.
This makes vulnerabilities a more or less inherent feature of all systems whose development is constrained by time, money, or expertise — which is all of them, unfortunately.
What Makes a Vulnerability Critical? How Do We Judge the Severity of a Threat?
There are a few ways to measure how critical a vulnerability is. One in widespread use is the Common Vulnerability Scoring System (CVSS). We’ve done a more detailed breakdown of CVSS scores before, but here are the basics: CVSS scores are assigned to vulnerabilities on a scale of zero to 10, based on how easy it is to exploit a vulnerability and how damaging it would be if it were exploited.
As a hypothetical measurement, scoring based on these two criteria certainly makes sense, and it provides a good outline of the risk a vulnerability poses. What scores like CVSS often lack is context, like whether threat actors are actually targeting a specific vulnerability. It’s a lack of context (and alarmist media coverage) that makes us worry disproportionately about getting a deadly disease like Ebola, when the reality is that most of us are far more likely to suffer from a stroke or heart attack.
So the severity of a vulnerability should be measured in two ways: not only how easy it is to exploit and how damaging it might be, but also whether it’s a vulnerability that’s actually being targeted. Because not all of them are — after all, with thousands of new vulnerabilities identified each year, the bad guys can’t get around to every one of them either!
Why Shouldn’t We Just Patch Every Vulnerability?
The broader question of whether we could patch every vulnerability if we had the resources has more or less definitively been answered in the negative. There are just too many of them. But what’s more, there’s no need to patch all vulnerabilities, and any approach to vulnerability management that’s oriented toward the goal of patching up as many holes as possible — even while recognizing that it’ll be impossible to do this perfectly — is not the ideal approach.
To say that we should patch every vulnerability is to claim that every one of them is critical. But when everything is critical, nothing is. A critical issue should be one that needs to be resolved immediately. That takes prioritization based on finding the common ground between which vulnerabilities affect your systems and which vulnerabilities are being exploited, and then ranking the severity of that subset.
How Can We Prioritize Vulnerabilities Better With Real-Time Threat Intelligence?
So what we really want to do is laser focus on the vulnerabilities that actually matter in our systems. We’ve identified that we need context from both inside and outside our networks — that is, an understanding of what our own system looks like and what vulnerabilities are present, an awareness of what’s actually being targeted in the wild, and a way to integrate those two sets of data.
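To make the "common ground, then rank" approach concrete, here is an added Python example (not code from the original post or from Recorded Future). It joins constructed scan findings for our own hosts with a constructed exploitation-in-the-wild feed, using placeholder CVE ids, and shows how a CVSS-only view and a context-driven view produce different lists of what to fix first.

```python
from collections import defaultdict

# Constructed vulnerability scan output for our own environment:
# (CVE id, affected host, CVSS base score). The CVE ids are placeholders.
SCAN_FINDINGS = [
    ("CVE-0000-0001", "web-01", 9.8),
    ("CVE-0000-0001", "web-02", 9.8),
    ("CVE-0000-0002", "web-01", 7.5),
    ("CVE-0000-0003", "db-01", 9.1),
    ("CVE-0000-0004", "mail-01", 5.3),
]

# Constructed threat-intelligence feed: placeholder CVE ids for which
# exploitation in the wild has been reported, mapped to a short source note.
EXPLOITED_IN_WILD = {
    "CVE-0000-0002": "exploit kit activity reported",
    "CVE-0000-0004": "scanning and exploitation attempts observed",
    "CVE-0000-0099": "widely exploited, but not present in our scan",
}


def cvss_only_criticals(findings, threshold=9.0):
    """The context-free view: every present CVE at or above the CVSS threshold."""
    return sorted({cve for cve, _host, score in findings if score >= threshold})


def prioritize(findings, exploited):
    """Rank the CVEs present in our scan data: reported exploitation first,
    then CVSS, then number of affected hosts. Intel on CVEs we do not have
    (the common-ground filter) never enters the ranking."""
    by_cve = defaultdict(lambda: {"score": 0.0, "hosts": set()})
    for cve, host, score in findings:
        entry = by_cve[cve]
        entry["score"] = max(entry["score"], score)
        entry["hosts"].add(host)
    ranked = [
        {
            "cve": cve,
            "exploited": cve in exploited,
            "context": exploited.get(cve, "no exploitation reported"),
            "cvss": entry["score"],
            "hosts": sorted(entry["hosts"]),
        }
        for cve, entry in by_cve.items()
    ]
    ranked.sort(key=lambda r: (not r["exploited"], -r["cvss"], -len(r["hosts"])))
    return ranked


def immediate_action(findings, exploited):
    """The subset that must be resolved now: present in our systems AND exploited."""
    return [r["cve"] for r in prioritize(findings, exploited) if r["exploited"]]
```

Note that the two highest-CVSS findings drop below two lower-scored ones once exploitation context is applied, and the widely exploited CVE absent from the scan never appears at all.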
Again, with so many vulnerabilities being discovered daily, this needs to happen fast. The answer is real-time, automated threat intelligence that gets in front of the people who need to use it right away.
One solution, for example, is the Recorded Future Browser Extension, which layers right on top of browser-based security applications. In the context of vulnerability management, it means that users can access threat intelligence immediately while they’re reviewing vulnerability scan data. Good threat intelligence should not add to your burden of sorting through information, but do the sorting for you.
Better prioritizing vulnerabilities is just one way threat intelligence helps security teams. To see other use cases, download a copy of our e-book, “5 Ways to Supercharge Your Security With Threat Intelligence.”