
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Management products


During my 15-minute time slot I defined the problems that this new technology has to solve, showed why these problems could NOT be solved using existing frameworks (CVSS), described what we currently have on the market and, as usual, criticized VM vendors and their solutions a little bit.

Full write-up and video: https://avleonov.com/2019/05/31/phdays9-new-methods-of-vulnerability-prioritization-in-vulnerability-management-products/


  1. Alexander Leonov. New ways of Vulnerability Prioritization in Vulnerability Management products
  2. #whoami • Alexander Leonov • Lead Information Security Analyst • 10 years in Vulnerability Management • Follow me at avleonov.com, t.me/avleonovcom
  3. The best year for Vulnerability Management • VM vendors finally (after 20 years!) recognized the problem with vulnerability prioritization and started offering some solutions • The problem: • Most of the vulnerabilities that a Vulnerability Scanner can detect are unexploitable and worthless for an attacker • Even if they are labeled "Critical", "High", etc. • Even if they are labeled "Exploit exists" • You still have to fix them and face a negative reaction from IT (remediation effort, downtime, "The Boy Who Cried Wolf")
  4. Vulnerability Management vendor (diagram): Vulnerability Research and content making for Vulnerability Detection; figures on the slide: 109 000 plugins, 170 zero days
  5. Making Vulnerability Detection content (diagram): sources such as vendor advisories, bug trackers, exploit DBs, CERTs and media are run through parsers into a Vulnerability Knowledge Base of advisories, exploits and metrics (CVSS, CPE, advisory id, remediation strategy); the knowledge base plus Detection Plugins plus Transports make up the Vulnerability Scanner
  6. Vulnerability Knowledge Base size = A platforms (OSes) × B software vendors making products for each platform × C products made by each software vendor × D vulnerabilities in each product × E vulnerability detection methods (authenticated and unauthenticated)
  7. Patch-based Vulnerability checks
  8. Scanner detects, prioritization is up to you!
  9. And finally in 2019… "Prioritization", "Predictive", "Intelligence"
  10. What is the idea? • Existing vulnerability prioritization frameworks (CVSS) are bad • Prioritization should be based on the probability that a vulnerability will be used in an attack • We will do this using feeds of vulnerability-related data and AI • We will constantly update this new score for all vulnerabilities • You will get the 3% most critical vulnerabilities and fix them • IT guys will hate you a little less ;-)
  11. What is wrong with CVSS • CVSS is subjective
  12. What is wrong with CVSS • CVSS is about technical severity, not about risk • The CVSS scoring algorithm is not justified: "while the descriptions for the metrics are clear, how their relative importance was selected is not"
  13. What is wrong with CVSS • Failure to account for context (both technical and human-organizational) • Failure to account for material consequences of a vulnerability (whether life or property is threatened) • Operational scoring problems (inconsistent or clumped scores, algorithm design quibbles)
  14. What is wrong with CVSS • Too many critical vulnerabilities • 16500+ vulnerabilities disclosed in 2018 • 61% have CVSS 7+ • 15% have CVSS 9+ • When everything is critical, nothing is critical
  15. What is wrong with CVSS • Too many critical vulnerabilities • From CVSS v2 to CVSS v3 it became even worse (source: Tenable, "Predictive Prioritization: Data science lets you focus on the 3% of vulnerabilities likely to be exploited")
  16. Why not use CVSS with Exploit DBs? • + Only 7% of vulnerabilities have a publicly available exploit • – Not all of them can actually be used • – It doesn't tell which vulnerabilities are likely to be exploited in the near future
  17. Lack of visibility (understandable) (diagram: a vulnerability, e.g. CVE-2019-0708, goes into "somewhere in the VM vendor's cloud" and an opaque score, 4.2, comes out)
  18. What do VM Vendors offer? • "We analyze 150 different aspects of a vulnerability, some of them kept secret": • CVSS (Base, Exploitability, Impact scores) • NVD (descriptions, CWE, dates, vendors) • Threat Intelligence, such as Recorded Future (attack and exploit dates, popularity in social media and the darkweb) • Exploit Databases (entries and dates) • Compute the probability that the vulnerability will be exploited in the future • Update predictive prioritization data daily for all CVEs
  19. What do VM Vendors offer? (source: Tenable, "Predictive Prioritization: Data science lets you focus on the 3% of vulnerabilities likely to be exploited")
  20. What do VM Vendors offer? • Key drivers: • CVSSv3 impact score • threat recency • threat intensity • exploit code maturity • age of the vulnerability • product coverage • threat sources
  21. Can we do the same by ourselves? We need more data feeds…
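As an added example of the "do it ourselves" direction (not the speaker's code and not any vendor's model), the script below combines the drivers from slide 20 (CVSS, exploit code maturity, threat recency and intensity, age of the vulnerability) with the kind of exploit-DB data slide 16 discusses and with asset-management data into one priority score, then ranks a constructed set of vulnerabilities both ways. All weights, decay windows and the VULN-* records are hypothetical; in a real deployment the fields would be populated from NVD, an exploit database and a threat-intelligence feed.

```python
"""Threat-aware vulnerability prioritization over constructed data (added example).
Weights, decay windows and the VULN-* records are hypothetical, not any VM vendor's model."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Exploit code maturity as an exploit database or TI feed might report it (hypothetical scale).
MATURITY = {"none": 0.0, "poc": 0.3, "functional": 0.7, "weaponized": 1.0}


@dataclass
class Vuln:
    vid: str                                    # constructed identifier, deliberately not a CVE id
    cvss_v3: float                              # base score (would come from NVD)
    published: date                             # disclosure date (NVD)
    exploit_maturity: str                       # key in MATURITY (exploit DB / TI)
    last_seen_in_attack: Optional[date] = None  # threat recency (TI feed)
    mentions_30d: int = 0                       # threat intensity: chatter in the last 30 days (TI feed)
    affected_assets: int = 0                    # exposure (asset management)


def clamp01(x: float) -> float:
    return max(0.0, min(1.0, x))


def likelihood(v: Vuln, today: date) -> float:
    """Hypothetical 0..1 estimate that v gets used in an attack soon (weights are guesses)."""
    recency = 0.0 if v.last_seen_in_attack is None else clamp01(1 - (today - v.last_seen_in_attack).days / 180)
    intensity = clamp01(v.mentions_30d / 20)
    freshness = clamp01(1 - (today - v.published).days / 730)  # old, never-exploited bugs decay
    return clamp01(0.45 * MATURITY[v.exploit_maturity] + 0.30 * recency + 0.15 * intensity + 0.10 * freshness)


def priority(v: Vuln, today: date) -> float:
    """CVSS sets the ceiling; threat likelihood scales it down, exposure halves it at most."""
    exposure = clamp01(v.affected_assets / 100)
    return v.cvss_v3 * (0.1 + 0.9 * likelihood(v, today)) * (0.5 + 0.5 * exposure)


def rank_cvss_only(vulns: List[Vuln]) -> List[str]:
    return [v.vid for v in sorted(vulns, key=lambda v: -v.cvss_v3)]


def rank_threat_aware(vulns: List[Vuln], today: date) -> List[Tuple[str, float]]:
    return sorted(((v.vid, round(priority(v, today), 2)) for v in vulns), key=lambda t: -t[1])


def must_fix(vulns: List[Vuln], today: date, window_days: int = 90) -> Set[str]:
    """Safety net for the 'model said no, attackers said yes' case: anything weaponized or
    seen in attacks within the window is fixed regardless of where the score ranks it."""
    return {v.vid for v in vulns
            if v.exploit_maturity == "weaponized"
            or (v.last_seen_in_attack is not None and (today - v.last_seen_in_attack).days <= window_days)}


# Constructed sample: "critical" but inert bugs next to a lower-scored one that is actually in use.
TODAY = date(2019, 5, 31)
SAMPLE = [
    Vuln("VULN-A", 9.8, date(2019, 4, 1), "none", None, 0, 300),
    Vuln("VULN-B", 7.5, date(2019, 3, 1), "weaponized", date(2019, 5, 28), 40, 20),
    Vuln("VULN-C", 9.1, date(2019, 5, 1), "poc", None, 2, 5),
    Vuln("VULN-D", 5.3, date(2018, 12, 1), "functional", date(2019, 5, 11), 10, 200),
    Vuln("VULN-E", 9.9, date(2013, 5, 31), "none", None, 0, 50),
]

if __name__ == "__main__":
    print("CVSS only:    ", rank_cvss_only(SAMPLE))
    print("threat-aware: ", rank_threat_aware(SAMPLE, TODAY))
    print("must fix:     ", sorted(must_fix(SAMPLE, TODAY)))
```

The CVSS-only list puts the two never-exploited 9.x bugs first; the threat-aware list puts the weaponized 7.5 and the actively used 5.3 first. The `must_fix` set is the answer to the "cost of an error" question on the next slide: the model may demote a vulnerability, but a hard rule keeps anything with weaponized code or recent in-the-wild use on the remediation list no matter what the score says.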
  22. The Cost of an Error • The vendor says that a vulnerability won't be used in an attack. What if it IS?
  23. We need to go deeper • Use Asset Management data for prioritization • Predict attack scenarios
  24. Thanks! Alexander Leonov, avleonov.com