Intelligence-led Vulnerability Management

In this episode of Nucleus Short Cuts, Adam Dudley and Steve Carter discuss intelligence-led vulnerability management, what it means, and how it applies to having a better vulnerability management program.

Short Cuts is a video series from Nucleus Security, providing insights and expertise from Vulnerability Management professionals around the globe.

Nucleus Short Cuts Episode Raw Transcript

Adam:

Why is being intelligence-led important to an organization in the context of having an effective vulnerability management program?

Steve Carter:

Sure, sure. Well, I’d say probably first and foremost, vulnerability exploitation in particular has become one of the top, if not the top, initial attack vector in breaches and compromises in the last few years. That’s overtaking phishing, believe it or not. Some of the reports on this vary so you might look at the Verizon DBIR. We like the Mandiant M-Trends Report, obviously, but IBM puts out a good report, the X-Force Threat Intel Report.

Steve Carter:

They all have vulnerability exploitation now as either the number one or the number two initial infection vector, which that’s a big change, right? It wasn’t even really on the radar five or six years ago. It’s in the last few years. Even when you look past the initial attack vector, vulnerability exploitation is involved in over 60% of breaches. So for example, it still is really common to have phishing as the initial attack or infection vector, but then there’s vulnerability exploitation as the next stage as attackers will pivot and escalate through your network.

Steve Carter:

So I guess the natural question here is what’s going on and why the change in the last few years? I know one of the biggest reasons, I don’t know that anyone has an answer on this that they can back up entirely, but I think one of the biggest reasons is this upward trend in mass exploitation of vulnerabilities. A lot of times this is driven by initial access brokers and other folks, they’ve created this access as a service market. I know that’s another topic. That’s a fun topic we should probably dive into some other time, but all this stuff is really important because the way that most organizations today, even really large organizations are making those decisions on what to fix. It’s not even factoring in what we’re seeing in terms of exploitation in the wild, and like we’re talking about is more still using CVSS scores and vendor severities.

Steve Carter:

I’m sure many in the audience are aware, you’re aware that those scores are just base scores. They never change. They don’t account for the dynamic threat landscape at all. So if you look at vulnerabilities with a CVSS score assigned… Well, look at vulnerabilities with CVSS version 3 score assigned in particular, I think over half of them are categorized as critical or high risk, which I think that’s above a 7.5 or 7.0, and-

Adam:

Good luck dealing with all those, right?

Steve Carter:

Well, I mean, if you’re an SMB and you’ve got tens or hundreds of devices, you can generally keep up. You might be able to, but yeah, if you’re a large enterprise, in mid or large enterprise, tens or hundreds of thousands of devices and apps, millions of vulnerabilities, you can’t hire enough people to triage and patch this many vulnerabilities quickly.

Steve Carter:

So I think the crazy thing about that number, too, is 75% of those that CVSS v3 ranks that high are just never exploited, right? So it’s like, okay, well, a lot of organizations are just wasting a heck of a lot of time patching things that don’t need to be patched right now. And more importantly, spending the time that way is kind of preventing them from responding faster to the ones that do matter so it’s…

Adam:

Yeah. I can’t imagine they really have the time to waste because we all know that there’s not enough cyber talent to go around. So certainly, you would want the people you do have, the talented people you do have focused on what matters most, right, rather than wasting amount of time, yeah.

Steve Carter:

Exactly. They need to be as efficient as they can be and move as quickly as they can ’cause we know attackers are getting faster and faster.

Adam:

Right. Now you shared a report around recently that was talking about, it analyzed the last 10 years of vulnerabilities. It showed that vulnerabilities in all categories have just risen dramatically over the past 10-year period. So do you think just the general availability of vulnerabilities to exploits has played a role in vulnerability exploitation moving up towards phishing as the top attack vector?

Steve Carter:

Yeah, like I said, I mean, the biggest thing I can point to is what I mentioned, which is the mass exploitation. That’s the thing that if you look at the trends in the last few years, there’s just way, way more of that than there used to be. Now, we’re seeing mass exploitation within minutes of vulnerabilities being announced in some cases, which is wild. So I think that has a lot to do with that increased volume, to be honest.

Adam:

Got it. Got it. Thanks, Steve. So we’ve shared a little bit about what intel-led vul management means, how it plays into a vul management program. My next question is how does our product, Nucleus, allow users to implement an intelligence-led vul management program?

Steve Carter:

Sure. Yeah. Well, we could talk about this for hours, right? I guess at a really high level, the first thing that we do and the most important thing we do is that we correlate Mandiant’s vulnerability intelligence with all the vulnerability data that we ingest for our customers. This makes it really easy to analyze and triage vulnerability information through that lens of vulnerability intelligence to make sure you’re prioritizing consistently. Regardless of whether the vulnerabilities are from your network scanning tools, your Qualyses and Tenables, or your AppSec tools, or your third-party library scanning tools, you can do that all really easily now with Nucleus. And I should mention, we also incorporate other threat intel feeds and sources, but having Mandiant’s vulnerability intelligence correlated to all of the vulnerability data and Nucleus out of the box has really been game changing for a lot of our customers.

Steve Carter:

But then the other big thing we do, just kind of high level, is that we make that vulnerability intelligence and that information accessible to our automation framework. So what that means is that reporting and ticketing and alerting, and a lot more actually, no time to go into, that can all be automated now with automation rules, that all… Sorry, that can use all of that vulnerability and threat intelligence, like whether or not vulnerabilities are being exploited in the wild, whether or not there’s zero days, exploited by ransomware, your automation rules can use all that information.

Steve Carter:

Because it’s one thing to say that you’re using vulnerability intelligence and some kind of risk score or risk algorithm, which a lot of vendors do that. Scanning vendors do that, some [inaudible 00:06:59] competitors do that, and that’s useful for some things, but we all know that vulnerability risk scores are mostly a black box. And there are a lot of cases where you really want to take a very specific action on your vulnerability data and the specific vulnerability intelligence surrounding that data, and you can’t do that with a risk score, right, because you don’t know exactly why that score is what it is. And so, that’s one of the big things that we enable now.

Adam:

Right. Right. And I know from working in the app that Mandiant provides a tremendous amount of data in our platform to base decisions on, and also to make justifications right to different people on the team. If the analyst or engineer needs to provide evidence or justification for certain decisions, they can do that very easily with the mountain of data that Mandiant provides us.

Steve Carter:

Exactly. Yeah. It’s a much, much more kind of higher fidelity in your decision making having access to that information, especially across all of your vulnerability information in the enterprise.

Adam:

Right. And you mentioned how customers are using this. And we just completed a case study not too long ago with one of our customers, who’s a very large utilities in telecom, and they were able to have a quick win with, as soon as we introduced Mandiant intelligence, they had something like 40 widely exploitable vulnerabilities according to Mandiant. And within a 30-day period, they were able to knock all those out and show management some real progress. Look, we were exposed and we knocked all these out. And so now, we’ve reduced our risk by X value.

Steve Carter:

Yeah, yeah. Really, really quickly, big, big quick wins. That was an amazing one. I’m very familiar with that use case. And just thinking also, I mean, there’s that angle to it, but just in general, organizations that are at that stage where they’re really trying to mature their vulnerability management program, they start thinking about things like, okay, how can we prioritize based on what our CTI team or SOC team is telling us in terms of which bad actors, which threat actors and threat groups are targeting our organization, because we actually should probably focus on those first, right? So there’s prioritization within groups of high priority vulnerabilities that that can happen at a much more granular level now with Nucleus and Mandiant together so, yeah, it’s very cool.

Adam:

That’s a great point. Thanks, Steve. So that’s a wrap for today and thanks so much for joining us on Nucleus Short Cuts, and we’ll share any relevant links in the show notes, and we’ll see you soon on the next Nucleus Short Cuts. Thank you.

Steve Carter:

Thanks for having me, Adam. Take care.

Adam:

You, too.