According to this year’s Verizon Data Breach Report, half of exploitations happen between 10 and 100 days after disclosure, with the median time being around 30 days. Of these exploitations, 85% succeed by using the top 10 most common vulnerabilities, while the other 15% consist of over 900 possible CVEs being actively exploited in the wild. With all of the scanning data and thousands of vulnerabilities, how do you know if your organization has any of the scary top 10? Manually sorting through and normalizing all of the data is rarely efficient, especially in large organizations. What you need is a way to automatically prioritize these vulnerabilities.
1 – Relevancy and Priority Can Help with Compliance

While the top vulnerabilities vary within each industry, there are typically known vulnerabilities that must be patched in order to remain compliant with PCI, HIPAA, NIST, or other industry and government regulations. Should your team have to know all of the regulations for your industry, or just the ones that apply to you? For example, what if your organization only has to worry about PCI DSS requirements 1-10? Wouldn’t you want a way to filter out the rest of the hundreds of requirements that don’t impact your compliance? Knowing which vulnerabilities matter most to your industry will inform your remediation strategy and help you remain compliant.
2 – Customize to Your Needs

While filtering by industry regulations and prioritizing the vulnerabilities most detrimental to you are indeed time savers, your needs go beyond the top 10 most common vulnerabilities or the top 10 needed to remain compliant: you have to understand what really affects your organization beyond the norm. Prioritization shouldn’t stop with categorizing your organization only by its industry. You need the ability to build priorities that matter to your individual organization, so that you can weed through the thousands of lines of scanner data and see which vulnerabilities make up your 85%. While most prioritization uses CVSS scoring to tell you which vulnerabilities should be most important, make sure that you are also able to prioritize using historical data, how long an exploit has been available, and anything else that is unique to your organization. Did you know that 99% of the vulnerabilities in breaches have exploits that are over a year old? By combining industry standards, historical data, and exploit history you can construct a remediation strategy that is unique to your security needs.
3 – Wash, Rinse, Repeat

Prioritization, like scanning, isn’t a one-time activity. Once you have scanned, prioritized, and patched your greatest vulnerabilities, it’s time for a repeat. However, all of the work that you have done shouldn’t just be forgotten; it should be stored to increase the amount of historical data in your system. By consolidating the output of your scanners you can create a repository of vulnerabilities and exploits and help establish your organizational standard. By matching known exploits to priority vulnerabilities you can test for the most vulnerable points of your network whenever you wish.
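The three points above describe one workflow: merge scanner output into a single repository, keep only what matters to your compliance scope, and rank by more than CVSS alone. The following is an added example written for this page (not code from the original post or from any vendor product) that runs that workflow over two constructed scanner feeds with different field names. The CVE ids, hosts, dates, the compliance mapping and the scoring weights are all placeholders made up for the example; the score combines CVSS with a bonus for a known public exploit and a further bonus that grows with the age of that exploit, which is the kind of historical signal the post recommends adding.

```python
"""Vulnerability prioritization over constructed scanner output (added example).

Demonstrates: (1) filtering findings by the compliance frameworks that apply,
(2) ranking by a custom score that combines CVSS with exploit availability and
exploit age, and (3) consolidating two scanners into one de-duplicated
repository. Every CVE id, host, date and framework tag below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional, Set


@dataclass(frozen=True)
class Finding:
    cve: str
    host: str
    cvss: float
    exploit_published: Optional[date]   # None means no public exploit is known
    frameworks: frozenset               # compliance frameworks this CVE affects


# Constructed output from two hypothetical scanners that use different field names.
SCANNER_A = [
    {"id": "CVE-0000-0001", "asset": "web-01", "score": 9.8, "exploit_date": "2015-03-01"},
    {"id": "CVE-0000-0002", "asset": "db-01", "score": 7.5, "exploit_date": None},
]
SCANNER_B = [
    {"cve_id": "CVE-0000-0001", "hostname": "web-01", "cvss_base": 9.8, "exploit_seen": "2015-03-01"},
    {"cve_id": "CVE-0000-0003", "hostname": "hr-01", "cvss_base": 5.3, "exploit_seen": "2016-01-15"},
    {"cve_id": "CVE-0000-0004", "hostname": "kiosk-01", "cvss_base": 9.0, "exploit_seen": "2016-05-20"},
]

# Constructed mapping from CVE to affected compliance frameworks (not a real regulatory list).
COMPLIANCE_TAGS = {
    "CVE-0000-0001": frozenset({"PCI", "HIPAA"}),
    "CVE-0000-0002": frozenset({"PCI"}),
    "CVE-0000-0003": frozenset({"HIPAA"}),
}


def _parse_date(value: Optional[str]) -> Optional[date]:
    return date.fromisoformat(value) if value else None


def normalize(scanner_a: Iterable[dict], scanner_b: Iterable[dict]) -> Set[Finding]:
    """Map both feeds onto one record shape; the set de-duplicates identical findings."""
    repo: Set[Finding] = set()
    for r in scanner_a:
        repo.add(Finding(r["id"], r["asset"], float(r["score"]),
                         _parse_date(r["exploit_date"]),
                         COMPLIANCE_TAGS.get(r["id"], frozenset())))
    for r in scanner_b:
        repo.add(Finding(r["cve_id"], r["hostname"], float(r["cvss_base"]),
                         _parse_date(r["exploit_seen"]),
                         COMPLIANCE_TAGS.get(r["cve_id"], frozenset())))
    return repo


def priority(f: Finding, today: date, w_exploit: float = 3.0, w_age: float = 2.0) -> float:
    """CVSS plus a flat bonus when a public exploit exists, plus an age bonus that grows
    linearly with exploit age and saturates at three years. Weights are arbitrary."""
    score = f.cvss
    if f.exploit_published is not None:
        score += w_exploit
        years = (today - f.exploit_published).days / 365.25
        score += w_age * min(years, 3.0) / 3.0
    return round(score, 2)


def prioritize(findings: Iterable[Finding], today: date,
               frameworks: Optional[Set[str]] = None) -> list:
    """Optionally keep only findings tied to the frameworks that apply to you, then rank."""
    kept = [f for f in findings if not frameworks or f.frameworks & frameworks]
    return sorted(kept, key=lambda f: priority(f, today), reverse=True)


def ranked_cves(today_iso: str = "2016-06-01", frameworks: Optional[Set[str]] = None) -> list:
    """Entry point for the constructed feeds: returns [(cve, host, score), ...], best first."""
    today = date.fromisoformat(today_iso)
    return [(f.cve, f.host, priority(f, today))
            for f in prioritize(normalize(SCANNER_A, SCANNER_B), today, frameworks)]


if __name__ == "__main__":
    for cve, host, score in ranked_cves():
        print(f"{score:6.2f}  {cve}  {host}")
    print("PCI only:", [c for c, _, _ in ranked_cves(frameworks={"PCI"})])
```

Note how the ranking differs from a pure CVSS sort: the CVSS 5.3 finding with a public exploit lands above the CVSS 7.5 finding with none, and the oldest exploit ranks first. The duplicate CVE-0000-0001 reported by both scanners collapses into one repository entry, so the same issue is not counted twice when the cycle is repeated.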
Remember – malicious hackers don’t care what a vulnerability’s CVSS score is or whether patching it is required by your industry regulations. Bad actors only care about what they can exploit, which means that all vulnerabilities are fair game. Make sure you are protecting your network by prioritizing the vulnerabilities that are most attractive to attackers and reducing your attack surface immediately.