Vulnerability Prioritization with Nessus Cloud
Note: Nessus Cloud is now a part of Tenable.io Vulnerability Management. To learn more about this application and its latest capabilities, visit the Tenable.io Vulnerability Management web page.
If you’re a security professional, vulnerability prioritization is likely something you deal with frequently. Few, if any organizations ever address 100% of discovered vulnerabilities, as new vulnerabilities come out every day and old vulnerabilities can hide out on unknown and shadow assets or simply never make it to the top of the patching priority list.
Vulnerabilities that don’t get addressed cause problems. In last year’s Data Breach Investigations Report (DBIR), Verizon noted that 99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published.
Addressing 100% of vulnerabilities 100% of the time is not an achievable goal for most organizations. But being able to prioritize those that pose the highest risk is something that most organizations should be able to accomplish using a solution like Nessus® Cloud. Here are a few tips for using Nessus Cloud to prioritize your vulnerabilities list.
Scoring vulnerabilities with CVSS
The industry standard for communicating the severity of vulnerabilities is the Common Vulnerability Scoring System, or CVSS. The CVSS uses an algorithm based on metrics in three different areas that approximate the ease and impact of exploiting a vulnerability. Our EMEA technical director, Gavin Millard gives a good explanation of the three CVSS scoring areas (base, temporal, environmental) in this on-demand webcast if you’d like to learn more about CVSS.
Addressing 100% of vulnerabilities 100% of the time is not an achievable goal for most organizations
As an industry standard, Nessus Cloud uses CVSS in multiple ways. First, when Nessus Cloud identifies a vulnerability as Critical, High, Medium, Low or Informational, it uses CVSS scores to assign those categories:
You can also use the Nessus Cloud Advanced Search capability to identify vulnerabilities with specific CVSS characteristics. For example, many organizations rely on CVSS Base Scores, the metrics that measure how easy it is to access a vulnerability. In Advanced Search, it’s easy to identify vulnerabilities cataloged on your network that have a CVSS Base Score of 7.5 or higher. This search would list all of the High severity vulnerabilities:
Additional search filters
CVSS provides a number you can associate with each vulnerability; but by using Advanced Search, there are a few other search filters that provide additional context from the mountain of vulnerabilities.
Tenable announced several of these advanced search filters for Nessus Cloud last year. One of my favorites is the In the News filter. Your CISO may have just read about a big new vulnerability, such as Heartbleed, Shellshock, or Ghost, that has caught the attention of the media. The In the News filter can identify these high profile vulnerabilities and therefore help your security team mitigate the newsworthy questions so that when asked, you can confidently state that you have taken care of the big vulnerability that’s making headlines.
Identifying vulnerabilities on specific assets - or not
Earlier this year, Asset Lists and Exclusions were introduced in Nessus Cloud. Asset Lists are a way to organize hosts into groups. For example, hosts that fall under the same compliance area could be placed into a list, such as all hosts that fall under PCI DSS. Asset Lists have several benefits. You can scan similar assets using the most appropriate scan policies and frequencies. Asset lists also make it easier to share vulnerability information with the appropriate business group, which can simplify the remediation process.
Assets Lists can also be useful if and when you need to scan specific assets at a specific time. For example, you might want to scan all your PCI assets immediately before an annual PCI audit.
On the other hand, Exclusions enable you to restrict the scanning of specific hosts based on a given schedule. If there is a situation where one or many hosts do not need to be included in a scan, you can omit them and simplify your vulnerability results.
While CVSS, Advanced Search Filters, Asset Lists, and Exclusions are all useful ways to prioritize vulnerabilities, sometimes you just need to see the big picture. To accomplish this, Nessus Cloud offers dashboards that provide a graphical representation of vulnerability trending data over time.
You can use the dashboards to quickly get an overall view of vulnerabilities in your environment as well as to identify if you are meeting goals and policies set forth by your organization. Let’s say your organization has a policy that it will not tolerate more than 25 critical vulnerabilities open at any time. In the example below, even though there are 19 critical vulnerabilities open, you know you’re within policy; so maybe you could mix some vulnerability remediation work with another important project instead of just focusing on remediation efforts.
This same dashboard helps you track how long vulnerabilities have been open. As I noted earlier, last year’s Verizon DBIR highlighted how often old vulnerabilities end up being the path attackers take to gain access to networks. The dashboard could help you identify critical vulnerabilities that could lead to actual breaches.
Starting with the dashboard, you can access an interactive list of all vulnerabilities that are more than 30 days old and easily drill down to details for a specific host exhibiting an old security hole.
Try Nessus Cloud
Nessus Cloud provides insight into the vulnerabilities on your network that should be given your immediate attention
If you aren’t already using Nessus Cloud and would like to try any of these vulnerability prioritization techniques, you can request a free Nessus Cloud evaluation. Try out the ideas from this article and see even more ways that Nessus Cloud provides insight into the vulnerabilities on your network that should be given your immediate attention.
Continue the vulnerability prioritization conversation on Tenable’s Discussion Forums at https://community.tenable.com/welcome, or on Twitter @TenableSecurity.
Thanks to Diane Garey for assisting with this blog.