Build Better Vulnerability Management with Threat and Vulnerability Intelligence

The goal of every vulnerability management program is to reduce the risk posed by vulnerabilities that exist in the organization’s environments.

You can achieve this goal in two ways. The first is to move faster, remediating vulnerabilities faster than they can arise. The problem with this approach is that it doesn’t work. It is inefficient, expensive, and impractical. There are simply too many vulnerabilities.

The second approach is to get more precise, prioritizing and addressing the vulnerabilities that pose the most risk. Rather than playing the numbers game and addressing vulnerabilities as fast as possible, focus instead on the issues that are most likely to be exploited. This approach requires the strategic integration of threat intelligence into your vulnerability management program.

Focusing on What Matters Most

The stark reality for vulnerability management is that there is a deafening amount of noise. During our fireside chat with Google at RSA, Aaron Unterberger, Director of Sales Engineering at Nucleus, summarized why vulnerability intelligence plays a key role when it comes to risk prioritization:

“It’s just as important to know what to patch and what isn’t a threat. CISA did an analysis on all of the CVEs across all time, and it was around 3% of all vulnerabilities that had ever been exploited. That’s such a powerful lever in focusing that type of intelligence and saying, ‘What do we fix?’ and ‘When do we not cut a ticket, wake somebody, or cancel Christmas?’ I’m looking at you, Log4j!”

That incredibly low number comes from a November 2021 report. We aren’t advocating that you ignore 97% of the vulnerabilities found in your environment. However, the noise far outweighs the signal. This underscores the crucial role threat intelligence plays in prioritizing vulnerabilities that pose a real threat to the enterprise.

Understanding the Difference Between Threat and Vulnerability Intelligence

The distinction between threat and vulnerability intelligence is key; they are related but unique concepts. Vulnerability intelligence is a subset of threat intelligence, focused closely on vulnerabilities and their exploitation. Vulnerability intelligence is concerned with collecting, analyzing, and communicating information about vulnerabilities, associated risks, and which threat actors are exploiting them.

Google Threat Intelligence integrates Mandiant’s vast threat insights to provide vulnerability findings and important context into vulnerability prioritization decisions. The breadth of Google’s Threat Intelligence is summarized in this slide presented at RSA 2024.

Google Threat Intelligence factors

Threat data analyzed through these ten topics highlights the factors that matter. It answers how easy the vulnerability is to exploit, how severe a successful exploit would be, and whether an exploit has been seen in the wild or is being used by malware. This scoring rubric provides a depth of vulnerability intelligence that contextualizes a vulnerability’s rated severity against the likelihood and impact of actual exploitation.

The Power of Vulnerability Intelligence for Risk-based Prioritization

Modern vulnerability management deals with an overwhelming volume, velocity, and variety of data from many siloed sources. According to Tim Gallo, Head of Global Solutions Architects, CTIR at Google, “When we think about how we deal with vulnerabilities, one of the key aspects of what we end up with is there’s just way too much information and it’s not where it’s supposed to be.”

Employing threat intelligence within the vulnerability management program makes it possible to prioritize and address threats based on their exploitation potential. Take Log4j as an example:

Log4j threat intelligence example

The left column contains details about the vulnerability itself: its CVE identifier, name, severity, and CVSS score. Taken on their own, these details may indicate that the vulnerability needs immediate remediation. However, they don’t answer the key questions. Is the vulnerability being actively exploited? Is it currently being used by malware?

Applying the vulnerability intelligence provided by Google Threat Intelligence, we get our answers and confirm the decision to act immediately. If, for example, threat intelligence showed that the vulnerability was not yet being exploited elsewhere, we could make a different decision and prioritize remediation differently.

The column on the far right, Business Context, is the important third leg of this vulnerability intelligence ‘trifecta’. It deserves an article of its own, which we’ll cover in the future.

According to Gallo, “As we mature our threat and vulnerability management practices, business context is the language that allows us to get outside of our ‘tech bubble’ and into the actual business practitioners.”
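To make the comparison concrete, here is a small Python prioritizer written for this article; it is an added example, not code from the original post, from Nucleus, or from Google Threat Intelligence. It models the factors described above (CVSS score, ease of exploitation, exploitation in the wild, use by malware, and business context as asset criticality) and contrasts a CVSS-only ordering with a risk-based one. The weights, the action tiers, the `Finding` structure and the CVE identifiers of the form `CVE-0000-000N` are all assumptions constructed for illustration; real scores would come from a threat intelligence feed and your asset inventory.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed weights for the exploitation factors named in the article.
# These are illustrative values, not a published scoring rubric.
EXPLOITED_IN_WILD_WEIGHT = 0.5
USED_BY_MALWARE_WEIGHT = 0.3
EXPLOIT_EASE_WEIGHT = {"low": 0.0, "medium": 0.1, "high": 0.2}


@dataclass(frozen=True)
class Finding:
    """One vulnerability finding: scanner data plus intelligence and business context."""
    cve: str                 # placeholder identifier (constructed sample data)
    cvss: float              # CVSS base score, 0.0 to 10.0
    exploit_ease: str        # "low", "medium" or "high"
    exploited_in_wild: bool  # exploitation observed outside a lab
    used_by_malware: bool    # exploit incorporated into malware
    asset_criticality: int   # business context, 1 (low) to 5 (critical)


def likelihood_factor(f: Finding) -> float:
    """Scale up the base score when intelligence says exploitation is likely."""
    return (1.0
            + (EXPLOITED_IN_WILD_WEIGHT if f.exploited_in_wild else 0.0)
            + (USED_BY_MALWARE_WEIGHT if f.used_by_malware else 0.0)
            + EXPLOIT_EASE_WEIGHT[f.exploit_ease])


def impact_factor(f: Finding) -> float:
    """Combine technical severity with business context (criticality 1..5 -> 0.7..1.1)."""
    return (f.cvss / 10.0) * (0.6 + 0.1 * f.asset_criticality)


def risk_score(f: Finding) -> float:
    """Risk = likelihood of exploitation x impact if exploited, rounded for display."""
    return round(likelihood_factor(f) * impact_factor(f), 2)


def cvss_only_order(findings: List[Finding]) -> List[Finding]:
    """The 'volume race' ordering: highest CVSS first, no intelligence applied."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def risk_order(findings: List[Finding]) -> List[Finding]:
    """Risk-based ordering: intelligence and business context applied."""
    return sorted(findings, key=risk_score, reverse=True)


def recommended_action(f: Finding) -> str:
    """Assumed triage tiers: act immediately when exploitation is confirmed,
    schedule high-severity items, otherwise monitor for new intelligence."""
    if f.exploited_in_wild or f.used_by_malware:
        return "act now"
    if f.cvss >= 7.0:
        return "schedule"
    return "monitor"


def triage_report(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group CVE identifiers by recommended action, highest risk first."""
    report: Dict[str, List[str]] = {"act now": [], "schedule": [], "monitor": []}
    for f in risk_order(findings):
        report[recommended_action(f)].append(f.cve)
    return report


# Constructed sample findings (not real CVE records).
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", 9.8, "medium", False, False, 2),  # critical score, no exploitation seen
    Finding("CVE-0000-0002", 7.5, "high", True, True, 5),      # lower score, in the wild, malware, critical asset
    Finding("CVE-0000-0003", 5.3, "low", False, False, 1),     # medium score, no exploitation, low-value asset
    Finding("CVE-0000-0004", 8.1, "medium", True, False, 3),   # high score, exploited in the wild
]

if __name__ == "__main__":
    print("CVSS-only order:", [f.cve for f in cvss_only_order(SAMPLE_FINDINGS)])
    print("Risk-based order:", [(f.cve, risk_score(f)) for f in risk_order(SAMPLE_FINDINGS)])
    print("Triage:", triage_report(SAMPLE_FINDINGS))
```

The CVSS-only ordering puts the 9.8 finding first even though nothing indicates it is being exploited, while the risk-based ordering moves the 7.5 finding that is both exploited in the wild and used by malware on a critical asset to the top. The triage tiers show the other half of the argument: intelligence also tells you what not to wake someone for.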

Break Away from the Vulnerability Volume Race

Integrating threat intelligence into vulnerability management represents more than a technical adjustment. It is a strategic decision to approach vulnerability prioritization with more precision and efficiency.

Enterprises can significantly enhance their security posture by prioritizing based on risk and focusing on threats with a real likelihood of being exploited. That’s why the Nucleus platform integrates multiple threat intelligence feeds, including Mandiant’s vulnerability intelligence, at no extra cost.

Ready to use vulnerability intelligence as a key part of your vulnerability risk management? Learn more about using Google Threat Intelligence to prioritize vulnerabilities in Nucleus by watching the full recording of our conversation at RSA, or watch our demo on demand today.
