Why it is important to know the context
To improve vulnerability remediation strategies, it is not enough to know the impact a vulnerability would have on business systems; one must also determine the likelihood that it will actually be exploited.
Only in this way can vulnerability management be prioritized consistently. The traditional approach, which handles vulnerabilities en masse by severity alone, risks prioritizing vulnerabilities that pose no immediate danger to the environment at the expense of others that are far more dangerous.
Indeed, the threat landscape is changing rapidly: how many lesser-known vulnerabilities have suddenly become the target of exploits, not least through weaponization by politically motivated hacker groups?
Take CVE-2017-0144, for example. This vulnerability is associated with ransomware: it is part of WannaCry, which infected over 200,000 devices in 100 countries worldwide in 2017. It ranks in the CWE Top 40 and the OWASP (Open Web Application Security Project) Top 10 with a base score of High 8.1. Its high profile and exploit threat would require reclassification to Critical 10 for immediate action.
A risk-based approach would increase the precision of remediation efforts: gathering information and assessing the active risk associated with the vulnerability would enable proper prioritization.
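The contrast between a static base score and a context-aware rating, as an added illustration that is not the article's own code and is not Ivanti's VRR algorithm (the weights, the `Finding` fields and the two `CVE-XXXX-*` entries are assumptions; only CVE-2017-0144 and its 8.1 base score come from the text):

```python
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str
    cvss_base: float                 # CVSS v3 base score as published
    exploited_in_wild: bool = False  # e.g. listed in a known-exploited catalogue
    ransomware_linked: bool = False  # used by a ransomware family
    exposed_to_internet: bool = False


def contextual_score(f: Finding) -> float:
    """Illustrative risk score (assumed weights, not a vendor formula):
    start from the CVSS base score and raise it when exploitation
    evidence makes an attack likely, capped at the CVSS maximum of 10."""
    score = f.cvss_base
    if f.exploited_in_wild:
        score += 1.5
    if f.ransomware_linked:
        score += 1.0
    if f.exposed_to_internet:
        score += 0.5
    return min(round(score, 1), 10.0)


def prioritize(findings, by="context"):
    """Return CVE ids ordered most-urgent first, either by base score
    alone ("cvss") or by the contextual score ("context")."""
    key = contextual_score if by == "context" else (lambda f: f.cvss_base)
    return [f.cve for f in sorted(findings, key=key, reverse=True)]


# Constructed sample inventory: CVE-2017-0144 with the article's 8.1 base
# score; the CVE-XXXX-* entries are hypothetical placeholders.
SAMPLE = [
    Finding("CVE-2017-0144", 8.1, exploited_in_wild=True, ransomware_linked=True),
    Finding("CVE-XXXX-0001", 9.8),                            # no known exploit
    Finding("CVE-XXXX-0002", 7.5, exposed_to_internet=True),  # reachable, no exploit
]

if __name__ == "__main__":
    print("by CVSS base:", prioritize(SAMPLE, by="cvss"))
    print("by context:  ", prioritize(SAMPLE))
```

Sorting by base score alone puts the unexploited 9.8 first; with exploitation context the WannaCry vulnerability rises to 10 and moves to the top of the remediation queue.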
The Vulnerability Risk Rating
We have said that intelligence and prioritization are key to staying one step ahead and keeping risk at a manageable level for the organization.
But we need effective assessment indicators that can fill the gaps in "official" databases and measure risk proactively and dynamically in real time.
To provide additional context in calculating risk, we rely on VRR (Vulnerability Risk Rating), a proprietary algorithm from our partner Ivanti that accurately determines the probability of risk.
The accompanying image compares the vulnerability ratings produced by CVSS v3 and VRR: there are obvious inconsistencies in the numbers of critical and high vulnerabilities, which could lead you to overlook real threats when protecting your environments.