Even organizations with well-oiled vulnerability detection and patch implementation processes struggle to keep pace with the endless stream of newly discovered vulnerabilities. Although we must continually work to shrink the average time it takes to patch a vulnerability, we must also acknowledge that it is impossible, and unrealistic to expect, for large organizations to patch new vulnerabilities in anything close to real time.
The conversation must then shift to patch prioritization. How should organizations prioritize patch deployment? Most vulnerability scanners provide a simple CVSS score or some sort of severity ranking. While these are a good start, only a little more information is needed to create a more accurate, data-driven vulnerability remediation process.
Vulnerability prioritization needs to consider two factors. The first, and most obvious, is severity, typically based on how difficult the vulnerability is to exploit or how readily available packaged exploits are. Most vulnerability tools provide an adequate severity score.
The second, commonly overlooked factor is utilization. Vulnerable applications and operating systems that are used frequently, by a large number of users, on a wide range of devices need to be prioritized. It is common sense that a vulnerability scored 7 or 8 in software that runs on every device in your network needs to be dealt with before a 9 in an application used sporadically by a few users.
The ability to link vulnerability and utilization data is key to accurate prioritization, and must be a goal for security professionals tasked with vulnerability and patch management.
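The linking step described above, as an added example (not code from the original page or from the AristotleInsight product): scanner findings are joined to a constructed utilization inventory, and severity is weighted by the fraction of devices and users exposed. The finding identifiers, software names, counts and the 50/50 device/user weighting are all assumptions; a finding whose software is missing from the inventory is treated as fully exposed so that an inventory gap cannot silently demote it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    ident: str      # scanner finding id (constructed placeholder, not a real CVE)
    software: str   # affected package, as named by the scanner
    cvss: float     # severity score from the scanner, 0-10


@dataclass(frozen=True)
class Utilization:
    devices: int    # devices on which the software is installed
    users: int      # distinct users observed running it


# Constructed inventory and scan output for an estate of 1000 devices / 1000 users.
TOTAL_DEVICES = 1000
TOTAL_USERS = 1000
UTILIZATION = {
    "os-agent":   Utilization(devices=1000, users=1000),  # on every device
    "browser":    Utilization(devices=850, users=950),
    "niche-tool": Utilization(devices=12, users=4),       # used by a handful
}
FINDINGS = [
    Finding("FINDING-0001", "os-agent", 7.5),
    Finding("FINDING-0002", "niche-tool", 9.0),
    Finding("FINDING-0003", "browser", 8.0),
    Finding("FINDING-0004", "unknown-agent", 6.0),  # no utilization record at all
]


def exposure(software, util=UTILIZATION):
    """Fraction of the estate exposed, averaged over devices and users.
    Unknown software returns 1.0 (assumed policy: a data gap must not lower priority)."""
    u = util.get(software)
    if u is None:
        return 1.0
    return 0.5 * (u.devices / TOTAL_DEVICES) + 0.5 * (u.users / TOTAL_USERS)


def priority(finding, util=UTILIZATION):
    """Severity weighted by exposure; the linear weighting is an assumed policy."""
    return round(finding.cvss * exposure(finding.software, util), 3)


def prioritize(findings, util=UTILIZATION):
    """Return (finding id, priority) pairs, highest priority first."""
    ranked = ((f.ident, priority(f, util)) for f in findings)
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for ident, score in prioritize(FINDINGS):
        print(f"{ident}: {score}")
```

With this data the 7.5 on the universally deployed agent ranks first and the 9.0 on the rarely used tool ranks last, which is the ordering the text argues for.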
AristotleInsight is a big data security analytics solution implementing the UDAPE model. The solution collects, links, and organizes security data in order to establish baselines, conduct user behavior analysis, recognize anomalies, and detect advanced persistent threats.