Counting Vulnerabilities. Assessing Threats. Frictionless Remediation
- Feb 25, 2015
- Michelangelo Sidagni
A couple of days ago I read an interesting article on the Tenable Network Security blog in which the author argued that the number of security vulnerabilities detected in a network is not a good indicator of the risk that network faces from motivated attackers and malware.
In the above-mentioned blog post, the author states “Telling an organization that they have 10,324 vulnerabilities, whilst shocking, doesn’t convey the actual risks faced”.
I fully subscribe to this view, since the number of vulnerabilities is not an indication of the security risk faced by the organization. Otherwise, most of the organizations that use NopSec's Unified VRM solution would be doomed and destined for compromise, since at the outset they have hundreds of thousands of unique and critical security vulnerabilities.
The Tenable blog post author goes on to mention several reasons why the total number of vulnerabilities alone is not a sufficient statistic to convey the security risk an organization might face. Those include:
In recommending additional metrics to improve the efficiency and effectiveness of vulnerability management, the article's author suggests considering:
The author then goes on to recommend prioritizing vulnerabilities by CVSS base and temporal score. And that is where my opinion differs from the article's author.
It has been widely demonstrated that the CVSS score is not a sufficient metric to judge the risk an organization is facing due to a vulnerability, for the following reason:
In Unified VRM the above-mentioned risk components are included in the risk calculation, including:
On top of this, the Unified VRM Expert Engine verifies and re-prioritizes vulnerabilities based on a knowledge base built from expert penetration testers' experience.
To put this into perspective, NopSec has customers with hundreds of thousands of critical vulnerabilities detected. Which ones should be remediated first? Unified VRM structures that prioritization process for the customer so that they can focus on what matters most: critical vulnerabilities on critical infrastructure and application assets, with publicly available exploits used by active actors and active malware, and with relevance in social media conversations.
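The following is an added example, not NopSec's or Unified VRM's code, and the weights in it are hypothetical. It takes a constructed list of four findings and ranks them three ways: by raw count, by CVSS base score alone, and by a contextual risk score that folds in the factors named above (asset criticality, public exploit availability, active use by actors or malware, and social-media relevance). The point it makes is that the CVSS-only order and the contextual order disagree, so a remediation queue built on the count or on CVSS alone puts the wrong finding at the top.

```python
"""Vulnerability prioritization: count vs. CVSS-only vs. contextual risk.

Added example. The multipliers and thresholds are assumptions chosen for
illustration; they are not the Unified VRM formula, which the post does not publish.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    vuln_id: str            # constructed identifier, not a real CVE
    asset: str              # constructed host or application name
    cvss_base: float        # CVSS base score as reported by the scanner
    critical_asset: bool    # asset is critical infrastructure or a critical application
    public_exploit: bool    # a working exploit is publicly available
    active_use: bool        # the exploit is being used by active actors or malware
    social_mentions: int    # volume of social-media conversation about the vuln


# Hypothetical contextual multipliers (assumption, for illustration only).
W_CRITICAL_ASSET = 1.5
W_PUBLIC_EXPLOIT = 1.5
W_ACTIVE_USE = 2.0
W_SOCIAL = 1.25
SOCIAL_THRESHOLD = 100   # mentions above which the vuln counts as "trending"


def risk_score(f: Finding) -> float:
    """CVSS is the starting point; each contextual factor scales it up."""
    score = f.cvss_base
    if f.critical_asset:
        score *= W_CRITICAL_ASSET
    if f.public_exploit:
        score *= W_PUBLIC_EXPLOIT
    if f.active_use:
        score *= W_ACTIVE_USE
    if f.social_mentions >= SOCIAL_THRESHOLD:
        score *= W_SOCIAL
    return score


def by_cvss_only(findings: List[Finding]) -> List[str]:
    """The ordering a CVSS-only queue would produce (highest base score first)."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss_base, reverse=True)]


def by_risk(findings: List[Finding]) -> List[str]:
    """Contextual ordering; CVSS breaks ties so the sort is deterministic."""
    ordered = sorted(findings, key=lambda f: (risk_score(f), f.cvss_base), reverse=True)
    return [f.vuln_id for f in ordered]


def headline_numbers(findings: List[Finding]) -> Dict[str, int]:
    """The 'shocking' numbers a count-based report would lead with."""
    return {
        "total": len(findings),
        "cvss_critical": sum(1 for f in findings if f.cvss_base >= 9.0),
    }


# Constructed sample data. VULN-A has the highest CVSS but sits on a non-critical
# test host with no known exploit; VULN-B has a lower CVSS but is on a critical
# asset, has a public exploit in active use, and is trending.
SAMPLE: List[Finding] = [
    Finding("VULN-A", "qa-test-box", 9.8, False, False, False, 0),
    Finding("VULN-B", "payments-api", 7.5, True, True, True, 250),
    Finding("VULN-C", "customer-db", 6.0, True, True, False, 12),
    Finding("VULN-D", "customer-db", 8.8, True, False, False, 3),
]


def main() -> None:
    print("headline numbers:", headline_numbers(SAMPLE))
    print("CVSS-only order: ", by_cvss_only(SAMPLE))
    print("contextual order:", by_risk(SAMPLE))
    for f in sorted(SAMPLE, key=risk_score, reverse=True):
        print(f"  {f.vuln_id} on {f.asset}: cvss={f.cvss_base} risk={risk_score(f):.2f}")


if __name__ == "__main__":
    main()
```

Run as-is and the CVSS-only queue starts with VULN-A, while the contextual queue starts with VULN-B and pushes VULN-A to the bottom; the total count (4) and the count of CVSS-critical findings (1) say nothing about which of the two orders is right.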
All of this risk prioritization is built into the Unified VRM product, so that organizations can focus on what matters most: their business.