What is Vulnerability Prioritization?
One of the most important phases of the vulnerability management lifecycle is vulnerability prioritization.
In a perfect world, security teams would remediate all vulnerabilities as they’re discovered; patching and eliminating risks both large and small – but alas, “zero inboxing” in the realm of vulnerability management is a mere pipe dream. The reality is more akin to a nightmare, in fact, with an exponential rise in vulnerability volume over time. In other words, the problem is getting worse, not better.
With this ever-expanding threat landscape in mind, it’s important for organizations to focus on the vulnerabilities that pose the most risk to their unique situation. This is accomplished through vulnerability prioritization: ranking and attacking risks based on potential impact to the business, generally working backwards from critical to low.
Vulnerability Scanning Vendor Prioritization
Given the complexity, it may come as a surprise that there are no formal standards or general best practices for how to prioritize these vulnerabilities based on risk to the organization. There has been plenty of research in this area, however there is no consensus on the best approach for a variety of reasons, including the fact that most organizations have different perspectives on the importance of various risk factors in the vulnerability prioritization formula.
Vulnerability scanning vendors typically provide excellent vulnerability context, relying on things like CVSS score, exploit availability, and potential impact – however they are blind to the business context of the assets impacted by each individual vulnerability and lack up-to-date vulnerability intelligence on exploit activity. Just like how it’s not feasible for your team to fix every single known vulnerability, it’s also impossible for these vendors to understand each and every business environment nuance and account for it in their severity rating.
So, while vulnerability scanning vendors are helpful in telling organizations which vulnerabilities pose heightened risk and need attention in general, the true risk posed by any given vulnerability depends entirely on other factors related to the assets impacted by the vulnerability, compensating security controls in place, in addition to exploitation activity occurring in the wild. For accurate risk-based prioritization, it’s critical for organizations to fully contextualize the vulnerability data generated by vulnerability scanning tools and all other sources of vulnerability data in the enterprise – e.g. attack surface monitoring tools, bug bounty programs, configuration scanning tools, etc.
Vulnerability Prioritization with Nucleus
The following steps outline how the Nucleus customized risk scoring algorithm works.
Step 1 – Vulnerability Score
Nucleus first calculates a vulnerability score for each vulnerability based on the information provided by the integrated scanning vendor (e.g. severity, CVSS score, ease of exploit, exploit availability, etc.) and other sources of vulnerability intelligence (e.g. NVD). Note, vulnerability attributes such as Severity, are editable in Nucleus, meaning changes to vulnerability attributes you make during vulnerability analysis and triage are factored into the Nucleus risk score.
Step 2 – Asset Risk Score
Next, Nucleus calculates the risk score of the impacted asset based on custom risk attributes provided by the organization (can be automated) including:
- Business criticality
- Data sensitivity
- Public-Facing (determined automatically by Nucleus based on IP address)
- Compliance-Scope (Is the asset in scope for a compliance audit)
Step 3 – Risk Attribute Weights (Optional)
We realize that every organization prioritizes vulnerabilities differently (because they have to, if they’re doing prioritization right). Nucleus allows the user to tell Nucleus what asset criteria are most important to your organization when it comes to prioritizing vulnerabilities. Risk attributes can be weighted 0 – 10 at the Organization or Project level, based on how heavily you want them weighted in the Nucleus risk scoring algorithm.
Step 4 – Automatic Vulnerability Prioritization
Nucleus automatically prioritizes your vulnerabilities based on the combination of the Vulnerability Score, Asset Risk Score, and the risk attribute weights configured by the organization. See which vulnerability on which asset poses the greatest risk to you based on all the criteria that Nucleus knows of your unique environment.
Nucleus combines the best of both worlds: valuable risk scoring from integrated vendors and equally valuable contextual input from within your unique environment… resulting in accurate prioritization that is customized to our customers. Ready to see how? Watch our demo on demand.