A common question I hear in discussions on vulnerability intelligence and IT security is, “Do I really need it?” Perhaps many of you have the same query, or are wondering whether you need a software vulnerability management solution. Before we get to the answer, it’s important to have a clear understanding of what a vulnerability is. A vulnerability is a flaw that can be exploited by a hacker or a cyber-criminal to compromise a system. My focus, in this blog post, is on vulnerabilities in commercially available software.*
So what is vulnerability intelligence?
Software vulnerabilities are reported and compiled by different sources, such as software vendors, public and government organizations, individuals and security vendors. What we at Secunia refer to as ‘vulnerability intelligence’ is distinctly different from the vulnerability information available from miscellaneous sources: each vulnerability, or set of vulnerabilities, related to a particular application is analyzed and verified by our in-house Research Team. The intelligence contains, among other things, historical data, information about exploits, criticality ratings, fixes and any other information that can help security practitioners assess risk.
But if you ask me, vulnerability intelligence is just one part of the risk assessment framework. I think the framework should include consideration not only of vulnerabilities and threats, but also of the likelihood of an attack and the impact of a successful breach.
Why use vulnerability intelligence? Here are 5 compelling reasons.
1. It is the foundation of a strong IT security strategy
According to a study by the Centre for Strategy and International Studies in 2013, 75 % of successful attacks used publicly known vulnerabilities for which a patch was available. This means that a good portion of these attacks could have been avoided if companies and organizations had used vulnerability intelligence to mitigate the risks.
Vulnerability intelligence is the foundation of a good IT security strategy. It plays a role in each stage of that strategy and is part of the solutions and techniques used in each stage, from vulnerability assessment and patch management, through application control, Security Information and Event Management (SIEM) and Network Access Control (NAC), to advanced threat detection. It brings content and enablement to different areas of IT security.
2. It is reliable
Another compelling reason is how reliable vulnerability intelligence is. As many of us know, the problem with vulnerability information from multiple sources is that it can contain unclear or conflicting reports. At times, the information is inaccurate – triggering a course of action that’s unnecessary or incorrect. At Secunia, we see that nearly 50 % of unverified reports of vulnerabilities contain incorrect data.
This is where vulnerability research comes in, because knowing that a vulnerability exists is, by itself, not nearly enough information to help organizations stay secure. Enriching the data with intelligence and the right software vulnerability management solution gives it context and supports the first steps of risk assessment. It allows researchers to give a vulnerability a criticality rating that reflects the threat it represents and the impact it can have on your environment. This enrichment involves collecting historical data, a description of exploits, information on attack vectors, suggested fixes and more.
3. It is a critical time saver
Verifying, correcting and rating vulnerabilities helps make sense of raw data, transforming it into vulnerability intelligence that’s reliable and can be used. And this reliability allows you, the IT security practitioner, to focus your time and efforts on protecting your environment rather than verifying information.
4. It is comprehensive and demystifies complexities
In addition to being reliable, vulnerability intelligence also needs to be comprehensive. After all, great information about a small selection of the threats you have to address every day doesn’t get you very far – that’s just more noise. In 2013 alone, at Secunia, we reported over 13,000 vulnerabilities in almost 2,300 products, and that number increased in 2014. Correlating this information to your complex environment is tough, as IT infrastructures today are changing rapidly and environments are looking increasingly diverse, with multiple devices and technologies spread over multiple locations while being interconnected with partners and customers. Assessing risk in environments like that is a challenge, but having reliable vulnerability information that is comprehensive in its scope, standardized and on time goes a long way towards overcoming it.
5. It is flexible
At the end of the day, the flexibility of a comprehensive vulnerability intelligence solution largely determines how big a part it can play in your IT security strategy. In some cases, a software vulnerability management solution is used by security providers to strengthen their services, while organizations use it to feed their existing processes and infrastructure.
The impact of vulnerability intelligence on different aspects of your IT security can be looked at from three perspectives:
A patch management perspective
For example, in our Vulnerability Review 2014, we found that 79 % of the vulnerabilities disclosed in 2013 had a patch available on the day of disclosure. This means that a large number of vulnerabilities from that year could have been fixed before they were likely to be exploited. The fact is that vulnerability intelligence hasn’t been integrated into patch management strategies, and many organizations still rely on software vendors for information on patches.
Software Vulnerability Management
The way to beat software vulnerabilities is to stay ahead of them. Addressing windows of risk is critical for reducing the odds of attacks and staying secure.
Bringing vulnerability intelligence to patch management has a proven track record for improving your organization’s IT security.
A vulnerability management perspective
Improving your organization’s security posture is about reducing the attack surface and the risk. That means you need to put things into context. Here, vulnerability intelligence provides one of the layers of information that helps determine the risk profile for systems and users. Software vulnerability management can help you decide how to prioritize your efforts based on vulnerability intelligence, a predictive threat model and data classification, essentially supporting your decisions on remediation or mitigation.
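As an added illustration of the patch management and vulnerability management perspectives above (example code written for this post, not Secunia’s own data format or product), the script below takes constructed advisory records carrying the kinds of fields the intelligence provides (criticality rating, public exploit, disclosure and patch dates) and combines them with a data classification of the affected hosts to compute the window of risk, the share of advisories patched on disclosure day, and a remediation queue. All ids, products, weights and scales are assumptions.

```python
"""Constructed example: turning vulnerability intelligence records into a
prioritized remediation queue. Names, scales and records are assumptions."""
from datetime import date

# Constructed advisory records (hypothetical ids/products, not real data);
# patch_released is None when the vendor has not shipped a fix yet.
ADVISORIES = [
    {"id": "ADV-0001", "product": "PDF Reader", "criticality": 5,
     "exploit_public": True, "disclosed": date(2013, 3, 4),
     "patch_released": date(2013, 3, 4)},
    {"id": "ADV-0002", "product": "Media Player", "criticality": 3,
     "exploit_public": False, "disclosed": date(2013, 5, 20),
     "patch_released": date(2013, 5, 27)},
    {"id": "ADV-0003", "product": "Web Server", "criticality": 4,
     "exploit_public": False, "disclosed": date(2013, 6, 1),
     "patch_released": None},
]
# Constructed inventory: product -> data classification of hosts running it.
ASSETS = {"PDF Reader": "internal", "Media Player": "public",
          "Web Server": "confidential"}
CLASS_WEIGHT = {"public": 1, "internal": 2, "confidential": 3}

def same_day_patch_share(advisories):
    """Fraction of advisories whose vendor patch was out on disclosure day."""
    hits = sum(1 for a in advisories if a["patch_released"] == a["disclosed"])
    return hits / len(advisories)

def risk_window_days(advisory, fixed_on):
    """Window of risk: days from public disclosure until the fix was applied."""
    return (fixed_on - advisory["disclosed"]).days

def priority_score(advisory, classification):
    """Criticality scaled by the data classification of the affected hosts,
    plus a fixed bump when a public exploit exists (higher = fix sooner)."""
    score = advisory["criticality"] * CLASS_WEIGHT[classification]
    return score + 5 if advisory["exploit_public"] else score

def remediation_queue(advisories, assets):
    """(id, score, action) tuples, highest score first; the action is
    'mitigate' when no vendor patch exists to close the window of risk."""
    queue = []
    for adv in advisories:
        score = priority_score(adv, assets[adv["product"]])
        action = "patch" if adv["patch_released"] else "mitigate"
        queue.append((adv["id"], score, action))
    return sorted(queue, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    for entry in remediation_queue(ADVISORIES, ASSETS):
        print(entry)
```

Note that the unpatched advisory on confidential hosts still ranks above the patched, low-criticality one: a missing vendor patch does not lower the risk, it only changes the action from patching to mitigation.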
A threat intelligence perspective
In the case of a threat management framework, vulnerability intelligence is the foundation over which more information can be collected to customize information that can be used across organizations in different areas of security. So when you use vulnerability intelligence with other security data, and when you integrate it with assessment and surveillance technologies, it equips your organization to identify, analyse and respond to advanced threats.