Preventing cyber breaches by mastering vulnerability prioritization


Today every click, transaction, and digital interaction opens a new door for cyber criminals. Companies are increasingly digitizing their operations, which means a significant expansion of their attack surfaces. One example is the surge in vulnerabilities, with 26,447 disclosed last year alone.

As the total number of common vulnerabilities and exposures (CVEs) is projected to rise by 25% in 2024, security teams will find themselves in constant firefighting mode, struggling to manage an overwhelming volume of tickets. But can they realistically keep up with this increase? The constant scrambling to address urgent issues makes it near impossible to prioritize their responses effectively.

With studies indicating that organizations can only remediate between 5% and 20% of vulnerabilities per month, businesses need an aggregated and contextualized view across all of their security controls in order to prioritize vulnerabilities. Yet gaining this view is a data science challenge that many security teams are unable to solve.

Jonathan Gill

CEO of Panaseer.

Barriers to effective vulnerability prioritization

To gain a deeper understanding of their risk management programs, many businesses have adopted standard frameworks like CVSS (Common Vulnerability Scoring System) and EPSS (Exploit Prediction Scoring System). This approach allows security teams to rank vulnerabilities based on their potential impact and the likelihood of being exploited. But while the principle of prioritization for security teams might seem straightforward, there are several factors that complicate it.

With IT environments constantly evolving, new vulnerabilities pop up all the time and sometimes slip through without being appropriately prioritized. IT is becoming more democratized and spread out, and different departments often roll out their own IT assets without fully understanding the associated security responsibilities – which can let in dangerous “unknown unknowns” through a backdoor. The same is true of the rapidly evolving threat landscape, with emerging attack techniques continually “moving the goalposts”.

On top of this, the cybersecurity skills gap also grew by 12.6% last year, with 4 million additional workers needed to fill the void. This leaves teams stretched thin trying to handle the flood of new vulnerabilities every day. In fact, today 46% of security teams’ time is spent on collecting and reporting security data. That's why it's so important to focus on fixing the high-risk vulnerabilities first, making sure teams use their resources where they count the most.

Critical context considerations

To improve vulnerability prioritization, it's important to aggregate views across multiple controls with business context. This helps with better prioritization, accountability, and teamwork. Businesses should keep in mind:

• Holistic security context: Vulnerabilities should not be viewed in isolation. By incorporating a broader security context from across the business, security teams can better prioritize their actions. For example, if a vulnerability exists, the next step might not be to apply a patch but to add the server to the System Center Configuration Manager (SCCM) so that it can be patched at all. Vulnerabilities also include configuration issues – like default passwords and weak certificates. With a comprehensive view of a business’s security controls, these issues can be detected automatically, allowing the root cause to be addressed and preventing the same problem from happening again.

• Integrated security tools: Each security tool provides a piece of the overall security posture, helping build a view of compound risks and high-risk combinations. Yet not all tools are deployed ubiquitously, so each only tells its side of the story. Only by tapping into data from every security tool can a single source of truth give all stakeholders a clear view of the data journey and ensure it's reliable. For example, prioritization might differ if the vulnerability is on a server whose local admin credentials are not in the vault, particularly if several users with those local admin privileges were missing EDR – and had failed every phishing test.

• Contextualizing big problems: Understanding the broader context helps break down large problems. First, security teams need to assess the criticality of the vulnerability, whether it’s patchable, and whether it’s being exploited (for example using CISA’s Known Exploitable Vulnerabilities catalog). Second, they should prioritize based on business and technical context – whether it affects high-value data or an important business service, and whether it’s internally or externally facing. For instance, if a cleaner's phone is compromised, it may not significantly impact daily operations. But if a CEO’s computer is breached, it could lead to a major security incident.

• Clear accountability: Establishing clear paths to accountability is key. Often responsibility for applying controls and fixes lies outside of security – having the ability to assign specific tasks to individuals helps to reinforce the need for collective action. This involves assigning clear ownership and defined roles for all business infrastructure and applications. To drive accountability, businesses need regularly updated asset inventories, control mechanisms, and a comprehensive security knowledge base. This single source of truth provides a real-time snapshot of security policy adherence, highlighting strengths and areas needing attention.

• Changing regulatory questions: There is a shift in the questions asked by internal audits and external regulators, moving towards ensuring comprehensive asset scanning and demonstrable vulnerability patching. Questions like “How do you know every asset is being scanned?” and “How can you demonstrate vulnerabilities have been patched?” are becoming more common. Failure to meet regulations such as GDPR or SEC rulings can lead to significant fines, enforcement actions, and criminal charges – so data governance and risk assessment is key.
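The bullets above describe a ranking that combines severity (CVSS), exploit likelihood (EPSS and CISA's catalog), business context and the state of compensating controls such as EDR, SCCM enrolment and vaulted admin credentials. The following is an added illustration, not the author's or Panaseer's code: the weights, the field names and the sample findings (with placeholder CVE ids) are assumptions chosen to show how a 9.8 CVSS finding can legitimately rank last once context is applied.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    cve: str                 # placeholder ids below, not real CVE numbers
    asset: str
    cvss: float              # CVSS base score, 0-10
    epss: float              # EPSS probability of exploitation, 0-1
    in_kev: bool             # listed in CISA's exploited-vulnerabilities catalog
    patchable: bool
    asset_criticality: int   # 1 (low) .. 5 (high-value data / key service)
    external_facing: bool
    missing_controls: tuple = ()  # compensating controls absent, e.g. ("edr", "sccm", "vault")

def priority_score(f: Finding) -> float:
    """0-100 score: severity x exploit likelihood x business value x exposure x control gap.
    The weights are illustrative assumptions, not a published standard."""
    severity = f.cvss / 10.0
    likelihood = 1.0 if f.in_kev else f.epss   # confirmed exploitation overrides the EPSS estimate
    business = f.asset_criticality / 5.0
    exposure = 1.0 if f.external_facing else 0.6
    control_gap = 1.0 + min(0.45, 0.15 * len(f.missing_controls))  # +15% per missing control, capped
    return min(100.0, 100.0 * severity * likelihood * business * exposure * control_gap)

def next_action(f: Finding) -> str:
    """The remediation step is not always 'patch': an unmanaged host must be enrolled first."""
    if not f.patchable:
        return "mitigate/isolate: no patch available"
    if "sccm" in f.missing_controls:
        return "enrol in SCCM, then patch"
    return "patch"

def rank(findings):
    return sorted(findings, key=priority_score, reverse=True)

# Constructed sample findings (not real data)
SAMPLE = [
    Finding("CVE-XXXX-0001", "dev-box-12", 9.8, 0.05, False, True, 2, False),
    Finding("CVE-XXXX-0002", "web-gw-01", 7.5, 0.60, True, True, 5, True, ("edr",)),
    Finding("CVE-XXXX-0003", "file-srv-07", 8.1, 0.30, False, True, 4, False, ("sccm", "vault")),
    Finding("CVE-XXXX-0004", "legacy-erp", 7.0, 0.10, True, False, 3, True),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{priority_score(f):6.2f}  {f.cve}  {f.asset:<12} {next_action(f)}")
```

Run as-is, the externally facing, actively exploited finding on the high-value gateway with no EDR comes first, while the CVSS 9.8 finding on a low-value internal box with no known exploitation drops to the bottom of the queue.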

How to master vulnerability prioritization

To effectively prioritize remediation efforts, organizations need a comprehensive view that combines multiple controls with their business context. This big-picture perspective on the organization's security helps teams spot coverage gaps and allocate resources more strategically.

By using this integrated approach, organizations can streamline their vulnerability prioritization, making sure resources go to where they're needed most. It also improves accountability and boosts teamwork within security teams since everyone operates from a shared understanding. This not only strengthens overall security but also ensures that security efforts align with business goals.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
