2. Out with the Old...
[Chart: CVEs per year, 2015 to 2019; y-axis 0 to 18,000]
3. In with the new...
• A risk-based approach to prioritizing the remediation focuses efforts on those vulnerabilities for which there are imminent threats prevailing “in the wild” for a business-critical asset. – Gartner
• They use primarily two other forms of data: threat intelligence on attacker activity and vulnerability use in malware, and internal asset exposure and criticality, to provide a fundamentally better view of real risk for an organization to understand cyber risk and prevent breaches. – Gartner
6. How important is the number?
• It isn’t!
• The meaning or intent behind the ‘number’ is what's important
• It doesn't even need to be a number
• It's about your appetite for risk
8. Risk Appetite
• Degree of risk deemed acceptable in pursuit of goals
• Amount & type of risk you are prepared to pursue
9. Understanding ‘Your’ risk appetite
• Business risk
  • What are your most critical assets?
  • Are any exposed directly to the internet?
• Vulnerability context
  • Exploit available?
  • CVSS score
• Should match company risk statements
• Model likelihood vs business risk
10. Understanding risk appetite
[Matrix: likelihood of vulnerability exploit (No, Unlikely, Likely, Very likely, Exploited) against business impact (Insignificant, Small, Moderate, Large, Severe), with the risk appetite / tolerance line drawn across it and three example assets plotted:]
R1: Critical asset, containing PII data
R2: Internet facing, containing no PII data
R3: Low risk asset, containing internal information only (canteen menu)
11. Putting it into practice
• Use the capabilities of the VM tools to
  • Identify and group assets by exposure and criticality
  • Use threat intelligence to enrich each vulnerability's threat context
  • Reduce the number of in-scope vulnerabilities
[Diagram: full stack cyber security assessment cycle: Identify, Assess, Prioritise]
12. The Goal
• Focus on the top 10% of vulnerabilities
• Improve remediation effort without impacting resources
• Reduce business risk
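The model sketched on slides 9 to 12, as an added worked example that is not part of the original deck or any vendor's tool: assets carry criticality, exposure and PII flags; findings carry CVSS, exploit status and a predicted likelihood; each finding is placed on the 5x5 likelihood x business-impact matrix, and a risk appetite threshold splits the remediation queue from the low-risk set that goes to compensating controls. The bucket thresholds, the impact weighting, the appetite value of 6 and the sample assets and findings are all assumptions; the only real identifier is CVE-2017-5638, used because the deck discusses it, and the EXAMPLE-* identifiers are placeholders.

```python
# Added worked example (not from the slides): a minimal risk model that
# places each finding on the likelihood x business-impact matrix and
# applies a risk appetite threshold. All weights, thresholds and sample
# assets/findings are assumptions made for illustration.
from dataclasses import dataclass

LIKELIHOOD = ["No", "Unlikely", "Likely", "Very likely", "Exploited"]
IMPACT = ["Insignificant", "Small", "Moderate", "Large", "Severe"]


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int      # assumed scale: 1 (canteen menu) .. 5 (core business system)
    internet_facing: bool
    holds_pii: bool


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: Asset
    cvss: float
    exploit_available: bool
    exploited_in_wild: bool
    predicted_likelihood: float   # predictive score on the scale slide 20 uses (2.0, 30.5)


def likelihood_bucket(f: Finding) -> int:
    """Column on the matrix (index into LIKELIHOOD). Thresholds are assumed."""
    if f.exploited_in_wild:
        return 4
    if f.exploit_available or f.predicted_likelihood >= 25:
        return 3
    if f.predicted_likelihood >= 10 or f.cvss >= 9.0:
        return 2
    if f.predicted_likelihood >= 2 or f.cvss >= 7.0:
        return 1
    return 0


def impact_bucket(a: Asset) -> int:
    """Row on the matrix (index into IMPACT): criticality, plus one step each
    for PII and direct internet exposure, capped at Severe. Assumed weighting."""
    score = a.criticality + int(a.holds_pii) + int(a.internet_facing)
    return min(score, 5) - 1


def risk_score(f: Finding) -> int:
    """Cell weight, 1..25, so a likely exploit on a severe asset outranks a
    likely exploit on the canteen menu even though the CVE is the same."""
    return (likelihood_bucket(f) + 1) * (impact_bucket(f.asset) + 1)


def within_appetite(f: Finding, appetite: int) -> bool:
    """True when the cell sits on or below the tolerance line; such findings
    are candidates for compensating controls rather than urgent patching."""
    return risk_score(f) <= appetite


def prioritise(findings: list, appetite: int) -> list:
    """Remediation queue: everything above appetite, highest risk first."""
    above = [f for f in findings if not within_appetite(f, appetite)]
    return sorted(above, key=risk_score, reverse=True)


def sample_findings() -> list:
    """Constructed data mirroring R1..R3 from slide 10."""
    r1 = Asset("R1 customer database", 5, internet_facing=False, holds_pii=True)
    r2 = Asset("R2 public web server", 3, internet_facing=True, holds_pii=False)
    r3 = Asset("R3 canteen menu", 1, internet_facing=False, holds_pii=False)
    return [
        # The same Struts CVE on an internet-facing server and on the canteen host.
        Finding("CVE-2017-5638", r2, 10.0, True, False, 30.5),
        Finding("CVE-2017-5638", r3, 10.0, True, False, 30.5),
        # Hypothetical findings; placeholder identifiers, not real CVEs.
        Finding("EXAMPLE-A", r1, 9.8, True, True, 40.0),
        Finding("EXAMPLE-B", r1, 5.3, False, False, 1.5),
    ]


if __name__ == "__main__":
    queue = prioritise(sample_findings(), appetite=6)
    for f in queue:
        print(f"{risk_score(f):2d} {f.cve} on {f.asset.name} "
              f"({LIKELIHOOD[likelihood_bucket(f)]} / {IMPACT[impact_bucket(f.asset)]})")
```

With appetite 6, the Struts finding on the public web server (Very likely / Large, score 16) and the already-exploited finding on the PII database (score 25) form the queue, while the identical Struts CVE on the canteen host (score 4) and the low-likelihood finding on the database (score 5) fall within appetite. That split is the deck's point: the CVSS 10 number is the same on both Struts findings, and only the asset context separates them.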
14. Low risk = compensating controls
[Matrix: likelihood of vulnerability exploit (No, Unlikely, Likely, Very likely, Exploited) against business impact (Insignificant, Small, Moderate, Large, Severe); the low-risk region of the matrix is where compensating controls apply]
15. Compensating controls as a means of remediation
• Understand the vulnerability
  • Potential for exploit
  • Attack vectors
  • Potential damage
• Map to a compensating control
  • Web application firewall
  • Intrusion prevention
  • Next Generation firewall
  • 2FA / MFA
Still need to patch. Potentially too many for limited resources
17. Vulnerability Prediction technology
Machine Learning is also being used by some providers to help predict the likelihood that a vulnerability will be exploited “in the wild.” As this continues to improve it will prove to be a real boon to risk management, as well as security operations, as it allows organizations to prioritize and focus on higher-risk scenarios. – Gartner on VPT
18. Understanding Predictive risk
• Doesn’t focus on the past
  • Already exploited
• Machine learning based
• Tracks multiple metrics to determine overall risk
19. Exploit prediction – its value in risk remediation
• Shift from focusing on yesterday’s news
• What will happen next week, month, year
  • Like a weather forecast
• Puts you AHEAD of the threat actor
20. Move ahead of the threat: CVE-2017-5638 (Apache Struts)
• 10th March: CVE released, CVSS 10; initial predicted likelihood 2.0 (2x as likely to be exploited)
• 24th April: predicted likelihood 30.5 (30 times more likely to be exploited), an early warning to remediate before exploitation in the wild
• Mid May to Aug 2017: Equifax breach
• Sept 2017: Equifax announces the breach
21. Exploit prediction in action (Outpost24 Farsight)
Likelihood: total findings impact
                                        Value      Share
Total Risks (Excl No CVEs Findings)     1,183,089
High Risks                                381,812    32%
High & Exploit                             18,594     2%
25+                                        76,484     6%
30+                                        74,506     6%
30+ & Exploit                              17,963     2%

Likelihood: unique CVE impact
                                        Unique CVEs  Share
Total Risks (Excl No CVEs Findings)        18,687
High Risks                                  7,861    42%
High & Exploit                                926     5%
25+                                         2,085    11%
30+                                         2,005    11%
30+ & Exploit                                 607     3%
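The funnel behind the table above, as an added example on constructed data (not Outpost24 code or Farsight output): it drops findings that carry no CVE, counts the findings and the unique CVEs that survive each filter, and reports each as a share of the total, then returns the reduced working set the deck argues for. The High cut-off (CVSS >= 7.0), the host names and the placeholder identifiers EX-1 to EX-5 are assumptions. What it makes concrete is why the deck shows both tables: one CVE on many hosts inflates the findings count but not the CVE count, so the two percentages differ.

```python
# Added worked example (not Outpost24 code): the funnel behind the
# "Exploit prediction in action" figures. It counts findings and unique
# CVEs that survive each filter and reports each as a share of the total,
# excluding findings that carry no CVE. The "High" cut-off (CVSS >= 7.0)
# and the sample data are assumptions.

FILTERS = [
    ("High Risks",     lambda f: f["cvss"] >= 7.0),
    ("High & Exploit", lambda f: f["cvss"] >= 7.0 and f["exploit"]),
    ("25+",            lambda f: f["likelihood"] >= 25),
    ("30+",            lambda f: f["likelihood"] >= 30),
    ("30+ & Exploit",  lambda f: f["likelihood"] >= 30 and f["exploit"]),
]


def funnel(findings):
    """Return (total_findings, total_cves, rows) where each row is
    (label, findings, findings_pct, cves, cves_pct) for one filter."""
    scoped = [f for f in findings if f["cve"]]           # Excl. no-CVE findings
    total = len(scoped)
    total_cves = len({f["cve"] for f in scoped})
    rows = []
    for label, keep in FILTERS:
        hits = [f for f in scoped if keep(f)]
        n_cve = len({f["cve"] for f in hits})
        rows.append((label, len(hits), round(100 * len(hits) / total),
                     n_cve, round(100 * n_cve / total_cves)))
    return total, total_cves, rows


def in_scope(findings, min_likelihood=30):
    """The reduced working set: findings with a CVE whose predicted likelihood
    is at or above the cut-off and that have an exploit, ordered by likelihood
    then CVSS so the team starts at the riskiest end."""
    keep = [f for f in findings
            if f["cve"] and f["likelihood"] >= min_likelihood and f["exploit"]]
    return sorted(keep, key=lambda f: (f["likelihood"], f["cvss"]), reverse=True)


def sample_findings():
    """Constructed scan output: five hypothetical CVEs across four hosts plus
    one finding with no CVE. Identifiers are placeholders, not real CVEs."""
    catalogue = {
        "EX-1": dict(cvss=9.8, exploit=True,  likelihood=35.0),
        "EX-2": dict(cvss=7.5, exploit=False, likelihood=28.0),
        "EX-3": dict(cvss=5.3, exploit=True,  likelihood=31.0),
        "EX-4": dict(cvss=4.0, exploit=False, likelihood=1.2),
        "EX-5": dict(cvss=8.1, exploit=False, likelihood=12.0),
    }
    placement = [("EX-1", "h1"), ("EX-1", "h2"), ("EX-1", "h3"),
                 ("EX-2", "h1"), ("EX-2", "h2"),
                 ("EX-3", "h1"),
                 ("EX-4", "h1"), ("EX-4", "h2"), ("EX-4", "h3"), ("EX-4", "h4"),
                 ("EX-5", "h2")]
    findings = [dict(cve=c, host=h, **catalogue[c]) for c, h in placement]
    findings.append(dict(cve=None, host="h1", cvss=6.5, exploit=False, likelihood=0.0))
    return findings


def print_funnel(findings):
    """Render the two-column view (findings vs unique CVEs) like the slide."""
    total, total_cves, rows = funnel(findings)
    print(f"{'':16}{'Findings':>10}{'%':>5}{'Unique CVEs':>13}{'%':>5}")
    print(f"{'Total':16}{total:>10}{'':>5}{total_cves:>13}")
    for label, n, pct, c, cpct in rows:
        print(f"{label:16}{n:>10}{pct:>4}%{c:>13}{cpct:>4}%")


if __name__ == "__main__":
    print_funnel(sample_findings())
    for f in in_scope(sample_findings()):
        print(f"patch first: {f['cve']} on {f['host']} "
              f"(likelihood {f['likelihood']}, CVSS {f['cvss']})")
```

On the constructed data the "30+ & Exploit" cut keeps 4 of 11 findings but 2 of 5 CVEs, and it admits EX-3 (CVSS 5.3) while dropping EX-2 (CVSS 7.5, no exploit), which is exactly the reordering a CVSS-only queue would never produce.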
22. Vulnerability exploit prediction
• Predicts the likelihood of a vulnerability being exploited
• Helps focus attention on the true risks to the organisation
• Reduces the overall workload, increases efficacy of the team
• Puts you ahead of threat actors
23. Final thoughts
• Risk based vulnerability management is key to gaining control
• But don’t get hung up on a ‘risk number’
• Build a risk model
  • Business criticality of assets
  • Vulnerability threat context, i.e. exploit likelihood
• Focus on the top 10% riskiest vulnerabilities
• Get ahead of the threat