How can CISOs and their cybersecurity teams incorporate Tenable’s Predictive Prioritization capability and the Vulnerability Priority Rating into their vulnerability management strategy? The Tenable team offers some best practices.
Throughout the course of 2019, the Tenable team has been talking about the benefits of Predictive Prioritization — the process of re-prioritizing vulnerabilities based on the probability they will be leveraged in an attack.
This new capability, introduced in February 2019, combines Tenable-collected vulnerability data with third-party vulnerability and threat intelligence and analyzes them together using an advanced data science algorithm developed by Tenable Research. The data analysis is used to develop a Vulnerability Priority Rating (VPR) for each vulnerability.
Predictive Prioritization is now available in Tenable.sc and Tenable.io to help security teams focus on what matters most. But what are the best practices for implementing Predictive Prioritization and VPR?
During a recent webinar entitled “Putting Predictive Prioritization To Work,” Kevin Flynn, a senior product marketing manager at Tenable, joined senior security consultants Brian Baumgarten and John Vasquez to discuss Predictive Prioritization and VPR. They explored how CISOs, their security teams and even third-party vendors and service providers can incorporate these capabilities into their vulnerability management plans.
Setting Vulnerability Management KPIs
As with any good security project, one of the best ways to start is by establishing reasonable Key Performance Indicators (KPIs) to guide the security team and create realistic goals. Tenable recommends these five KPIs to get you started:
- Scan frequency: How often does your enterprise conduct assessments?
- Scan intensity: How many different scans are launched on a given scan day?
- Asset authentication: How does your enterprise measure assessment depth?
- Asset coverage: What proportion of the licensed assets are scanned in a 90-day period?
- Vulnerability coverage: What proportion of total vulnerability plugins are used in a 90-day period?
Once these KPIs are established, here are three ways security teams can start applying Predictive Prioritization and VPR to their vulnerability management process.
- In the discovery phase, VPR can assist in classifying assets within the network by improving accuracy and helping to discover new IP addresses that have been added.
- When scanning, VPR can be automatically applied. As the security team scans the network more frequently, the threat intelligence improves because there’s more data to analyze in real-time.
- During the patching process, VPR helps security teams provide much-needed context to the IT professionals responsible for patching, improving their ability to prioritize and allocate resources based on real-world risk.
Frequent scanning is crucial. “The more you scan frequently, the more you are going to know of the current potential,” Vasquez said. For example, Vasquez said, when the WannaCry ransomware attacks started in 2017, the malware was released several months before the incidents began in earnest. Better scanning might have helped security professionals identify the potential to do harm and could have prompted more urgent patching.
Additionally, VPR scores can also be used to help structure service-level agreements (SLAs) with third-party service providers. For firms that outsource patching and remediation, VPR gives the service provider and client a way to prioritize and evaluate remediation efforts, improving outcomes and overall security posture.
Vulnerability Priority Rating: Practical Results
Flynn, Baumgarten and Vasquez shared two examples of how organizations can put VPR to use.
First, VPR can assist in prioritizing fixes and patches to systems that are internet-facing, where unpatched applications can be exploited using common rootkits. Using VPR in combination with Tenable’s Nessus Network Monitor, security teams can create a dynamic asset list using filters as well as certain key terms, such as “Adobe” or other software frequently targeted in attacks.
Second, if an attacker is able to penetrate the network through an internet-facing system in an attempt to escalate privileges and move laterally through the network, the VPR score can be used to identify which vulnerabilities might be exploited first. This enables teams to be more strategic about deploying patches to stop the attack.