Turning Data into Action: Intelligence-Driven Vulnerability Management

Prioritizing vulnerabilities with context has always been a challenge for vulnerability management teams – and this task isn’t getting easier as published CVEs continue to grow. To remedy this, many enterprises are forced to invest in products and services to protect their environments with various intelligence data and tools. In this blog, we explain how Tenable Vulnerability Intelligence and Exposure Response help organizations to make data-driven decisions to better prioritize and operationalize their programs.

Vulnerability management presents a seemingly insurmountable obstacle for organizations: How to deal with a massive and rapidly growing number of published Common Vulnerabilities and Exposures (CVEs). As an organization that has been focused on vulnerability management from the beginning, Tenable also grapples with this issue but with an added complication: because of our broad customer base, we need to cover as many CVEs in as many products as possible while maintaining risk context, accuracy and reliability.

The solution isn’t to try to check for every possible combination of CVEs and affected products. We have to prioritize the most critical vulnerabilities with accurate and targeted context. To make these decisions quickly and precisely, Tenable leverages a vast, searchable database of vulnerability information from both external sources and from Tenable Research. This is the same data source that drives a new capability in the Tenable Vulnerability Management product called Vulnerability Intelligence, which is aimed at helping customers better operationalize their vulnerability management programs and make quick data-driven prioritization decisions.

It’s bad and getting worse

We’re only halfway through 2024, and we’re well on pace to exceed 30,000 published CVEs this year. Further complicating matters, we’re seeing more and more CVEs in underlying components, frameworks, and language libraries. This means organizations aren’t fixing a single application but rather tracking down and fixing every application that leverages the impacted vulnerable component.

Leveraging Vulnerability Intelligence to build prioritization strategies

 At Tenable, beyond our everyday efforts to provide up-to-date vulnerability coverage for releases of major products, we are constantly on the lookout for the next major vulnerability to ensure we can respond as quickly as possible. Leveraging the contextual data from Vulnerability Intelligence is critical to ensuring we can make informed decisions quickly. Additionally, with the significant backlog that the National Vulnerability Database (NVD) is facing, our Vulnerability Intelligence dataset has allowed us to keep up to date with the latest vulnerabilities and risks as we are not tied to a single data source.

Opening up Vulnerability Intelligence brings you to a set of hexagons that represent risk categories of vulnerabilities that we want to highlight as having the highest level of threats. While not exclusively the decision criteria used, the categories in Vulnerability Intelligence are based on data points that feed into the Tenable Vulnerability Database which drives our risk rating decisions. 

Categories include: 

• Emerging Threats is a set of vulnerabilities that are being actively monitored by our Security Response team and often have a direct path from that team to the development of plugins to cover those vulnerabilities, particularly those in the Vulnerabilities of Interest and Vulnerabilities of Concern category.
• VPR gives our teams a numerical score to quickly input and sort on, though as with any score, understanding the context behind it is critical.
• Ransomware highlights vulnerabilities associated with this type of attack, particularly in major enterprise applications as those can lead to attacks that are particularly dangerous for any organizations.

As can be seen in the screenshot above, focusing on any of these target categories can significantly reduce the numbers of CVEs to focus on. Contrasted against the about 250,000 CVEs that have been published, the numbers above become far more manageable and speak to real risk, as opposed to the severity scores that come from leveraging CVSS metrics.

Turning data into a prioritization strategy

Many organizations are still building operations around basic prioritization metrics - whether it’s targeting specific products, CVSS scores or proprietary mandates. Often this is because of a need to adhere to a specific compliance standard, or simply because of a need to have something that can be measured. While tracking and measuring against a simple CVSS score or severity can be straightforward, it does not provide a lot of context and it is not a strategy that has a demonstrable impact on risk.

That’s where the new Exposure Response capability in Tenable Vulnerability Management also helps us. Exposure Response enables teams to develop vulnerability management strategies that are measurable and reflect real world risk. One of the most important tools in any VM program is the ability to track performance. Unfortunately, most graphs end up looking like a flatline because the number of new vulnerabilities coming in ends up canceling out the number of vulnerabilities that get remediated on an ongoing basis. By having more focused targets, it is possible to truly measure performance over time and set achievable SLA targets.

CISA KEV Initiatives

Die Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog (KEV) has become a valuable and popular resource that brings focus to a particular set of vulnerabilities which have evidence of exploitation in the wild. While the KEV is not comprehensive, the risk associated with these particular CVEs, and the attention many organizations pay to the KEV, has made it one of several benchmarks our Tenable Research teams use for tracking vulnerability coverage. Using Exposure Response, vulnerability management teams can similarly create a trackable CISA KEV-based initiative to benchmark their remediation efforts against. As mentioned previously, SLAs and benchmarks are critical for any remediation strategy. We strive to have coverage for KEV vulnerabilities as quickly as possible, ideally before they hit the KEV but, if not, often within hours of publication to the KEV.

Exposure Response provides the exact tools needed to put these sorts of measurements into place. Given the visibility and risk associated with the KEV, it may make sense to set an SLA of just a few days and aim for maintaining a benchmark of >90% of findings remediated. The key is ensuring that the strategies that are put in place are measurable and achievable.

Unlike the 250,000 CVEs that have been published, to date there are only 1,134 CVEs in the CISA KEV catalog. With only a handful of CVEs added to the KEV each month, this is an impactful set of CVEs that teams can actually measure performance against.

Fazit

Prioritization and operationalization of vulnerabilities has long been a major challenge for vulnerability management teams. The sheer number of vulnerabilities published year after year means that teams simply can’t keep up and the lack of easy-to-access context means that prioritization is often either a guessing game, a massive amount of work, or a limited effort that falls short, such as focusing only on CVSS severities. Tenable Vulnerability Management introduced Vulnerability Intelligence with all the context needed in one place and Exposure Response to operationalize the targeted and measurable vulnerability management workflow.

Mehr erfahren

• Attend our webinar, From Frustration to Efficiency: Optimize Your Vuln Management Workflows and Security with Tenable
• Lesen Sie die Pressemitteilung
• Get more information about Vulnerability Intelligence and Exposure Response
• View the Tenable Vulnerability Management product page