Identifying and remediating vulnerabilities is a fundamental step toward creating a secure IT environment. Building a successful vulnerability management program, however, requires more than just technology. It also requires an understanding of what constitutes risks, threats, and vulnerabilities, and how best to empower the organization to address all three.
Let’s start at the beginning.
What Are the Differences Between a Risk, a Threat and a Vulnerability?
Words matter. When security professionals call something a threat, they mean an actor or event that can exploit a vulnerability. A vulnerability is a weakness in a host or system, such as a bug or misconfiguration, that could be used to compromise or damage an IT resource. Risk is the potential for loss when a threat exploits a vulnerability: the damage that could result from an open vulnerability being exploited by a threat, weighed by how likely that exploitation is. A strong vulnerability management program uses threat intelligence and knowledge of IT and business operations to prioritize risks and address vulnerabilities as quickly as possible.
What Are the Components of a CVE?
Read a report about a vulnerability, and you will likely see an identifier starting with the letters CVE. CVE stands for Common Vulnerabilities and Exposures, a catalog of publicly disclosed cybersecurity vulnerabilities maintained by the MITRE Corporation. Every CVE entry contains an identifier of the form CVE-year-sequence number (for example, CVE-2020-1472), a description, and one or more public references or advisories. The vulnerability described can be in either hardware or software.
What Are the Components of a CWE?
CWE is an abbreviation for Common Weakness Enumeration, a catalog of common types of software and hardware weakness that may exist in code, implementation or architecture and can leave IT resources vulnerable to attack. A CWE entry is distinct from a CVE in that it represents a class of issue rather than one particular vulnerability; many CVEs map to the same CWE. For example, take the notorious case of Zerologon, which affects the Netlogon Remote Protocol on Microsoft Active Directory domain controllers. The CVE for this vulnerability is CVE-2020-1472. The Common Weakness Enumeration identifier associated with it is CWE-269, which categorizes this type of flaw as an "improper privilege management" issue.
Build a Vulnerability Management Program and Prioritize Threats
Keeping pace with the ever-growing number of CVEs and CWEs takes visibility — both into the threat landscape and your IT environment. As always, the right tools and the right plan make all the difference. Establishing a vulnerability management program requires upfront work, starting with assessing the current processes, tools and resources in use. Decisions have to be made about the program’s scope, what tools or software are needed, and what needs to be included in any service level agreements.
In legacy deployments, vulnerability management tools typically follow one of two approaches: network-based scanning or agent-based scanning. Network-based scanners have the inherent limitation that an endpoint can only be assessed while it is reachable on the network at scan time, so roaming laptops and powered-off hosts are missed. Legacy agent-based tools are often bulky and can slow or even crash a system during scans. Modern vulnerability management tools such as CrowdStrike’s Falcon Spotlight instead use the cloud and a lightweight agent architecture to run continuously and in real time.
Once an assessment has been performed, the prioritization process can begin. A variety of considerations enter into play when ranking which issues need to be resolved first, for example:
- the age of a vulnerability
- the potential damage the vulnerability could do if exploited
- how widespread the vulnerable software or configuration is across your organization
One of the most frequently cited pieces of the prioritization puzzle is the Common Vulnerability Scoring System (CVSS). A CVSS base score ranges from 0 to 10 and factors in the impact of a vulnerability and how easy it is to exploit. On its own, however, it does not provide all of the context needed to prioritize issues. The base score is assigned once and is rarely revisited, so it does not reflect how the real-world risk of a vulnerability changes over time. A CVE with a high base score may not be actively targeted at all, while one with a lower score may be bundled into an exploit kit and attacked every day; the second is the more urgent fix. Some CVEs have no public exploit available at all.
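To make the point concrete, the following is an added example (not CrowdStrike code and not part of the original article) that ranks a handful of constructed scanner findings by combining the static CVSS base score with the three considerations listed above: exploit availability, how widespread the vulnerable component is, and the age of the finding. The field names, the exploit-status categories and the weights are assumptions chosen for illustration; only the Zerologon identifier and its base score of 10.0 come from public data. The sample findings are constructed.

```python
"""Risk-based ranking of vulnerability findings.

Added example; not CrowdStrike/Falcon Spotlight code. Field names,
exploit-status categories and weights are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss_base: float      # static severity as published, 0.0 to 10.0
    exploit_status: str   # assumed categories: "none", "poc", "in_the_wild"
    affected_hosts: int   # how widespread the vulnerable component is
    age_days: int         # days since the finding was first observed


# Assumed weights: exploit maturity adds up to 3 points on top of CVSS.
EXPLOIT_WEIGHT = {"none": 0.0, "poc": 1.5, "in_the_wild": 3.0}


def risk_score(f: Finding, total_hosts: int) -> float:
    """Combine severity, exploitability, exposure and age into one number.

    CVSS base contributes up to 10, exploit status up to 3, fleet
    prevalence up to 2, and age (capped at one year) up to 1, so an
    unpatched finding drifts upward rather than being forgotten.
    """
    if not 0.0 <= f.cvss_base <= 10.0:
        raise ValueError(f"{f.cve}: CVSS base score out of range")
    if f.exploit_status not in EXPLOIT_WEIGHT:
        raise ValueError(f"{f.cve}: unknown exploit status {f.exploit_status!r}")
    if total_hosts <= 0:
        raise ValueError("total_hosts must be positive")
    prevalence = min(f.affected_hosts, total_hosts) / total_hosts
    age_term = min(f.age_days, 365) / 365
    return (f.cvss_base
            + EXPLOIT_WEIGHT[f.exploit_status]
            + 2.0 * prevalence
            + 1.0 * age_term)


def prioritize(findings: List[Finding], total_hosts: int) -> List[Finding]:
    """Return findings sorted from most to least urgent."""
    return sorted(findings, key=lambda f: risk_score(f, total_hosts), reverse=True)


def ranked_ids(findings: List[Finding], total_hosts: int) -> List[str]:
    return [f.cve for f in prioritize(findings, total_hosts)]


# Constructed sample: a fleet of 1000 hosts. Only the first identifier is a
# real CVE (Zerologon); the others are placeholders for this example.
TOTAL_HOSTS = 1000
SAMPLE_FINDINGS = [
    Finding("CVE-2020-1472", 10.0, "in_the_wild", affected_hosts=12, age_days=400),
    Finding("finding-B", 9.8, "none", affected_hosts=900, age_days=30),
    Finding("finding-C", 7.5, "in_the_wild", affected_hosts=600, age_days=90),
    Finding("finding-D", 5.3, "poc", affected_hosts=50, age_days=10),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS, TOTAL_HOSTS):
        print(f"{f.cve:15} cvss={f.cvss_base:4} risk={risk_score(f, TOTAL_HOSTS):.2f}")
```

Note the outcome for the constructed data: finding-C, with a base score of 7.5 but an exploit in the wild and broad exposure, ranks above finding-B, whose 9.8 base score has no public exploit. A dashboard sorted by CVSS base score alone would invert that order, which is exactly the gap an exploit-status filter closes.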
With so many assets needing to be assessed and continuously managed and so many patches needing to be deployed, vulnerability management solutions need to reduce alert fatigue and help with the prioritization process. With CrowdStrike’s Falcon Spotlight solution, security professionals can rely on the Spotlight dashboard to categorize CVEs by their CVSS base score. Additionally, Spotlight allows users to add a filter called “Exploit Status” so that a vulnerability with an existing exploit can be quickly identified.
Cybercrime never sleeps. Your security strategy shouldn’t either. Reducing risk requires closing any pathways threat actors can take to compromise your network. With the right approach to vulnerability management, you can identify the most pressing security weaknesses in your environment and address them before attackers arrive.