Falcon Spotlight Is Changing the Game: Vulnerability Management With Ever-Adapting AI
October 12, 2021 | Khanh Tran | Endpoint & Cloud Security, Executive Viewpoint
This announcement is part of the Fal.Con 2021 CrowdStrike Cybersecurity Conference, Oct. 12-14. Register now for free to learn all about our other exciting new products and partnerships!
SecOps teams have only so much time each month to monitor for vulnerabilities that could weaken their organization, and with the sheer number of critically ranked vulnerabilities it is a daunting, if not impossible, task to give each one the attention needed to mitigate and respond. Time is scarce and high-ranking vulnerabilities abound, so how can you run a tight ship, keeping all relevant patches current and openings locked down?
Until recently, the best answer has been for SecOps staff to try their best. They did what they could with the vulnerability management solutions available and responded in the limited time frame they had. Staff had to rely on dashboards to help them manually determine which high-severity vulnerabilities would have the most detrimental impact to their organization. But the number of threats and adversaries has been exponentially increasing, with the number of vulnerabilities more than doubling year over year for the last five years.
Accordingly, the Common Vulnerability Scoring System, or CVSS (the industry-standard scoring for vulnerabilities), has been rating a growing influx of vulnerabilities as high severity, and SecOps staff are then compelled to work a mitigation or response plan for each of them, which they may not have the capacity or resources to do at scale. This often results in either leaving unpatched or unmitigated vulnerabilities that are truly risky to an organization’s security, or failing to de-prioritize vulnerabilities that pose a lesser risk.
While CVSS scores still have a place in the vulnerability management world, SecOps teams need something more dynamic and more intuitive, with the ability to prioritize the vulnerabilities that pose a real and immediate risk to their organization’s environments. CrowdStrike’s Falcon Spotlight™ team has recognized these very significant and immediate challenges that SecOps teams face around the world — that’s where CrowdStrike’s new ExPRT.AI solution comes in.
How It Works
Falcon Spotlight’s Expert Prediction Rating Artificial Intelligence (ExPRT.AI) model capitalizes on a wide variety of vulnerability and threat-based telemetry, including CrowdStrike’s own threat intelligence, to provide a dynamic, responsive, and regularly updated ExPRT Rating within Falcon Spotlight’s console. The ExPRT Rating provides SecOps with answers they require, offering them valuable insight into which vulnerabilities truly put their organization at risk and providing the visibility and ability to prioritize vulnerabilities that are truly critical to their organization’s environment.
This artificial intelligence model enables Spotlight customers to see a dramatic improvement in prioritizing CVEs. ExPRT.AI allows users to prioritize more than twice as many highly rated CVEs as when using CVSS. With ExPRT.AI, only a small percentage of CVEs are assigned critical and high ratings, while the rest receive lower ratings for later remediation.
CrowdStrike’s Data Science team developed this dynamic AI model to help staff focus their time on the highest-rated vulnerabilities. For example, if a team’s monthly remediation capacity is 10% of open vulnerabilities, ExPRT.AI would prioritize roughly 60% of eventually exploited vulnerabilities, compared to around 20% when relying only on CVSS scoring. The model more accurately prioritizes vulnerabilities, while dramatically reducing the workload staff would have to maintain to achieve the same results using just CVSS.
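To make the capacity arithmetic above concrete, here is an added illustration that is not CrowdStrike's code and not the ExPRT.AI model: it ranks a constructed set of findings once by static CVSS base score and once by a hypothetical exploit-likelihood score, then measures what fraction of the eventually-exploited findings land inside a fixed monthly remediation capacity. The `VULN-nn` identifiers, the `exploit_prob` column and the "exploited later" ground truth are all made up for the demonstration; the severity bands in `nvd_severity` are the published NVD bands for CVSS v3 base scores.

```python
from dataclasses import dataclass
from math import ceil

@dataclass(frozen=True)
class Vuln:
    cve: str             # placeholder identifier (constructed, not a real CVE)
    cvss: float          # static CVSS base score, 0.0-10.0
    exploit_prob: float  # hypothetical dynamic exploit-likelihood score, 0-1
    exploited: bool      # ground truth: was it exploited later (constructed)

def nvd_severity(score: float) -> str:
    """Map a CVSS v3 base score to the NVD qualitative severity band."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"

def prioritize(vulns, key, capacity):
    """Findings a team can work this cycle: the top `capacity` fraction by `key`."""
    slots = ceil(len(vulns) * capacity)
    ranked = sorted(vulns, key=lambda v: (-key(v), v.cve))  # deterministic tie-break
    return ranked[:slots]

def exploited_coverage(vulns, key, capacity):
    """Fraction of eventually-exploited findings that fall inside the capacity."""
    total = sum(v.exploited for v in vulns)
    caught = sum(v.exploited for v in prioritize(vulns, key, capacity))
    return caught / total if total else 0.0

# Constructed sample: 12 findings, 4 later exploited. High CVSS alone does not
# line up with exploitation, which is the situation the article describes.
SAMPLE = [Vuln(*row) for row in [
    ("VULN-01", 9.8, 0.05, False), ("VULN-02", 9.8, 0.02, False),
    ("VULN-03", 9.6, 0.70, True),  ("VULN-04", 9.4, 0.03, False),
    ("VULN-05", 8.8, 0.10, False), ("VULN-06", 8.1, 0.85, True),
    ("VULN-07", 7.5, 0.60, True),  ("VULN-08", 7.2, 0.08, False),
    ("VULN-09", 6.5, 0.35, True),  ("VULN-10", 5.3, 0.04, False),
    ("VULN-11", 4.3, 0.01, False), ("VULN-12", 3.1, 0.02, False),
]]

if __name__ == "__main__":
    cap = 0.25  # the team can remediate 25% of open findings this month
    print("CVSS-only coverage:", exploited_coverage(SAMPLE, lambda v: v.cvss, cap))
    print("likelihood coverage:", exploited_coverage(SAMPLE, lambda v: v.exploit_prob, cap))
```

Swap in your own export of findings and a real ground-truth column (for example, entries later confirmed as exploited) to measure how any ranking you use performs at your actual capacity.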
Falcon Spotlight’s ExPRT.AI: A Powerful Vulnerability Prediction Model
Customers who take advantage of Falcon Spotlight will immediately see the value of the ExPRT.AI model, which predicts which vulnerabilities your organization should prioritize rather than reacting to existing data. This is based on two important factors:
- The data: ExPRT.AI relies on an impressive database of threat and exploit intelligence. This data comes from a number of sources, including CrowdStrike’s own threat intelligence. It’s CrowdStrike’s dataset that makes ExPRT.AI possible. Other vendors’ solutions can apply data science to vulnerability prioritization, but they lack the data that CrowdStrike has across EDR, vulnerability management, intelligence and threat hunting services that can be applied to this problem.
- The model: This constantly adapting model uses historical and new data to predict the likelihood of vulnerability exploitation. The beauty of the ExPRT.AI model is that by using the inputs, the AI provides a probability adjustment, offering a dynamic score that changes over time and giving Falcon Spotlight customers the ability to proactively respond to vulnerabilities before they become an issue. And because ExPRT.AI is always learning — and not just reacting to the latest intelligence — it predicts what might happen ahead of time so patching teams can proactively address their risk.
ExPRT.AI gives SecOps the ability to focus on what truly matters while deprioritizing vulnerabilities that pose little to no risk.
Continually Updated, Transparent ExPRT Rating
The output of ExPRT.AI is the ExPRT Rating. This type of rating is different from the industry-standard CVSS scoring method. CVSS provides a numerical score that reflects an assessment of a particular vulnerability, and the National Vulnerability Database (NVD) adds a severity rating. Although this scoring is helpful, it has limitations. When situations change or new exploits are discovered, the newly found data could change the assessed severity of the vulnerability. Since CVSS and NVD scores are static, the scoring reflects one point in time, and IT staff are on their own to determine whether subsequent factors change the risk assessment of a vulnerability.
ExPRT Rating, on the other hand, is dynamic and transparent (see figure below). An initial rating is provided, and it can then change in severity based on new data about that vulnerability. In addition, positive and negative indicators are displayed right below the rating, so SecOps has a clear view of the factors that led to the change.
CVSS base scoring is still shown in the Falcon Spotlight console, and ExPRT Rating adds the context and visibility staff require to ultimately streamline and simplify the vulnerability management lifecycle.
Strengthen Your SecOps Posture Immediately With Falcon Spotlight
If your organization’s SecOps team is not currently using Falcon Spotlight to conduct their vulnerability management and patching processes, then now is the time to get on board. With a cutting-edge AI model that can predict and transparently provide dynamic ratings around vulnerabilities, your SecOps team could dramatically improve your organization’s overall security posture. The tighter you keep your house locked and secure, the less likely your adversary will be able to break in.
For more information about Falcon Spotlight, contact your sales representative or visit the product webpage.
Watch this video on Falcon Spotlight™ vulnerability management to see how you can quickly monitor and prioritize vulnerabilities within the systems and applications in your organization.
About CVSS Scores
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.
- Try Falcon Spotlight and use it to help you discover and manage vulnerabilities in your environments.
- See how CrowdStrike Falcon Complete™ managed detection and response (MDR) stops Microsoft Exchange Server zero-day exploits.
- Make prioritization painless and efficient. Watch how Falcon Spotlight enables IT staff to improve visibility with custom filters and team dashboards.
- Read about critical vulnerabilities your organization should prioritize in our monthly Patch Tuesday blog series.
- Test CrowdStrike next-gen AV for yourself. Start your free trial of Falcon Prevent™ today.