If you’re like most IT professionals, you’re working hard to keep control and manage risk using all the tools and team members at your disposal. But which vulnerabilities actually have the potential to interrupt key business processes? The answer isn’t always so simple.
Or, when you’re faced with a long list of vulnerabilities, how do you know which to address first? Some vulnerabilities come highlighted with red text and frightening words like “critical.” These seem very dangerous but may in reality be very hard to exploit. Other vulnerabilities are scary because they’re easy to exploit, even if they don’t actually affect any of your mission-critical devices. Which of these should you resolve first?
Finally, since you can’t just guess which vulnerabilities attackers will ultimately choose to exploit, perhaps you should just try to remediate all those found in your environment … Or would this simply lead to a tremendous waste of valuable resources? (Since your team is almost certainly needed elsewhere!)
The answer to all of these questions is risk prioritization. In this post, we’ll look at some standard ways of juggling cyber risks and offer tips to help you better understand how to keep your organization safe.
The most common approach to threat prioritization is a rating system known as the Common Vulnerability Scoring System (CVSS). Oversight for CVSS is provided by the Forum of Incident Response and Security Teams (FIRST).
The goal of CVSS is to provide a very clear, numerical rating system from 0 to 10 that tells security professionals objectively and precisely how risky a particular vulnerability is. The CVSS rating looks at factors like attack vector, complexity, privileges required to exploit, user interaction, and the vulnerability’s potential effect on the “CIA Triad” of information security: confidentiality, integrity, and availability.
On the surface, CVSS seems like it would provide a very clear measure of risk. That’s why, when it comes to risk prioritization, many organizations begin with it. The system makes it easy to look up a vulnerability, determine which software is vulnerable, and find any relevant fixes.
However, there are two major problems with CVSS:
- A massive number of vulnerabilities are CVSS-tagged as high or critical, even though very few of these are ever actually exploited in the wild.
- The CVSS rating has no connection with how mission-critical your affected devices and apps are, meaning that they can distract your attention from protecting your most vital resources.
Don’t get us wrong; CVSS is a good indicator of severity and can be a decent starting place. But it doesn’t say much about the potential impact on your business. And because of the very large number of high or critical ratings, looking at CVSS alone can create a massive amount of unnecessary work—while giving you results that aren’t entirely relevant to your business.
Since prioritizing threats in a vacuum is clearly an imperfect system, many organizations attempt to prioritize vulnerabilities by the importance of the assets affected.
Asset-based prioritization begins from the assumption that you know where your mission-critical assets are. Working from there, you can connect this information with other measures (such as the CVSS score) to create a clearer risk picture.
The biggest drawback of this approach is that you can’t protect assets you don’t know you have. Inventorying assets can quickly turn into one of the most time-consuming aspects of cyber risk management. That’s why some of today’s solutions offer automated discovery, simplifying this piece of a complex risk puzzle.
Beyond automating discovery, this type of intelligent asset management can also help you:
- Understand which assets you have, with no blind spots across your organization (on-premises and in the cloud)
- Assign a priority level to assets based on their function within your business
Asset prioritization can also help you capture information like whether an asset is customer-facing, whether it holds sensitive data, and the potential impact of an exploit. This can save you not only the work of inventorying, but also a lot of time spent prioritizing risks as you move forward.
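As an added illustration (not JetPatch code or any vendor's scoring method), the toy model below weights a CVSS base score by the asset context this section describes: business criticality, customer exposure, sensitive data, plus an exploited-in-the-wild flag of the kind threat intelligence supplies. All weights, asset names and vulnerability identifiers are constructed for the example.

```python
from dataclasses import dataclass

# Constructed example: CVSS base score scaled by asset importance and
# exploitation intelligence. Weights are illustrative, not a standard.

@dataclass
class Asset:
    name: str
    criticality: int          # 1 = lab/test, 2 = internal, 3 = mission-critical
    customer_facing: bool
    sensitive_data: bool

@dataclass
class Finding:
    vuln_id: str              # placeholder id, not a real CVE
    cvss_base: float          # CVSS base score, 0.0-10.0
    asset: Asset
    exploited_in_wild: bool   # threat-intelligence flag

def priority_score(f: Finding) -> float:
    """CVSS base score scaled by criticality, exposure and known exploitation."""
    exposure = 1.0 + 0.5 * f.asset.customer_facing + 0.5 * f.asset.sensitive_data
    exploit = 1.5 if f.exploited_in_wild else 0.5
    return round(f.cvss_base * f.asset.criticality * exposure * exploit, 1)

def rank_by_cvss(findings):
    """The CVSS-only ordering many teams start from."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss_base, reverse=True)]

def rank_by_priority(findings):
    """Ordering once asset context and exploitation are folded in."""
    return [f.vuln_id for f in sorted(findings, key=priority_score, reverse=True)]

# Constructed sample: three findings that all look "high/critical" on CVSS alone.
LAB = Asset("build-agent-lab", 1, False, False)
PAY = Asset("payments-api", 3, True, True)
HR = Asset("hr-database", 3, False, True)
FINDINGS = [
    Finding("VULN-A", 9.8, LAB, False),   # top CVSS score, throwaway lab host
    Finding("VULN-B", 7.5, PAY, True),    # lower score, crown-jewel asset, exploited
    Finding("VULN-C", 9.2, HR, False),    # high score, sensitive but internal system
]

if __name__ == "__main__":
    print("CVSS only:", rank_by_cvss(FINDINGS))       # ['VULN-A', 'VULN-C', 'VULN-B']
    print("Weighted :", rank_by_priority(FINDINGS))   # ['VULN-B', 'VULN-C', 'VULN-A']
```

The lab host's 9.8 drops to the bottom once its criticality is factored in, while the exploited flaw on the customer-facing payments system moves to the top, which is the reordering the asset-based approach is meant to produce.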
When vendors release patches, they indicate the severity of the vulnerability that the patch is meant to fix; this is a very helpful guideline to steer your organization’s vulnerability remediation program. The most common example is Microsoft’s Patch Tuesday—since Windows is still the most common system out there.
These measures are valuable but fail to take into consideration:
- How mission-critical that vendor’s app is to your business’s big picture
- Other necessary patches, workarounds, and remediation steps
In addition, to cover themselves legally, vendors often mark a vulnerability as critical when its potential impact on your actual environment may be minimal.
In fact, out of 1,331 updates released by Microsoft from January to August 2021, all but six were marked “Important” or “Critical.” Of these, 20% were critical, meaning Microsoft recommended that security teams implement 270 updates immediately. (“Important” updates are supposed to be rolled out “at the earliest opportunity.”)
Who can keep up with this workload? The answer is that few organizations can. And in the face of the non-stop deluge of critical vulnerabilities, many give up even trying to achieve total remediation.
Another key drawback of rolling out releases according to vendor priority: Every vendor assumes you will remediate their risks first. In the real world, however, this isn’t always possible or desirable, since you must remediate your most mission-critical software and processes first.
Automation can be one of the best ways to help balance vendor patch releases with your own business priorities and goals. An automated patching solution will pull in relevant vendor releases and create actionable solutions, along with predictive intelligence to ensure that you can roll out patches efficiently, with as little downtime as possible.
Other Prioritization Factors
The three prioritization factors we’ve looked at here aren’t the only ways that vulnerabilities are being ranked and remediated in the real world.
Other sources can provide information on what’s actually going on out there in the wild. A threat intelligence approach, for example, can help you understand how likely a vulnerability is to be exploited. But a big drawback of this approach is that it can create a false sense of security. And even the best threat intelligence can’t predict new types of exploits.
Other ways that organizations prioritize vulnerabilities include:
- Scrambling to remediate risks as they’re reported, which is almost always a losing battle and a lot of work for vulnerabilities that may never be an actual problem
- Attempting to remediate the easiest risks to fix, figuring they’ll get them out of the way—again a lot of work for vulnerabilities that may not represent a major problem for your business
Obviously, neither of these efforts is going to produce a comprehensive solution.
Finally, some tools out there use so-called “proprietary” prioritization algorithms that they claim provide better insights. Many of these basically just repackage CVSS with slight modifications to the numbers. And even worse, they often don’t provide transparency into how they determine priority scores; so, just as with CVSS and vendor releases, the numbers they issue won’t actually reflect your business’s realities.
JetPatch: Intelligent, Automated, Effective
Given all the methods of prioritizing risks that we’ve explored here, it’s clear that you need a modern solution that lets you prioritize vulnerabilities as efficiently as possible. JetPatch is a vulnerability remediation platform that provides the intelligence and automation to turn those priorities into actual remediation.
Even with prioritization and risk analysis, your best bet when it comes to keeping your organization safe is getting your total time to remediation (TTR) as close to zero as possible. You’ll probably never accomplish this with manual processes, but with JetPatch, it becomes a hassle-free reality.
How does JetPatch make this possible? By covering the full cycle of risk discovery, prioritization, and remediation with:
- Automated asset discovery
- Risk, patch, and update information from a wide range of industry sources
- Predictive patching and patch automation to cut downtime when you roll out fixes
- Validation of the health status of endpoints and applications after patching
With JetPatch working for your team, you’ll have full transparency and control with the help of automation to remove the burden. Only you can determine your organization’s priorities; then JetPatch helps you get where you need to be.