Understanding vulnerability risk - a best practice guide
Graphics: Ronnie Yaron, Vulcan Cyber


Written by: Nino Klimiashvili, Customer Success Manager at Vulcan Cyber, a Tenable Company


In times like these, budgeting is one of the toughest aspects of any organization's operation. One of the first expenses that gets trimmed is the security budget.

This unfortunate reality is leaving many companies vulnerable to malicious actors who seek to exploit these newfound vulnerabilities.

Vulcan Cyber's industry-leading customer success team has worked with our dedicated customers to create a best practice guide based on their experience of success, enabling other customers to replicate these practices and quickly realize ROI.

Introducing customized risk scores

Vulcan Cyber recognizes that some organizations need a unique risk score that is dynamic, personalized, and customizable: one that incorporates different contextual risk attributes to produce a score for each vulnerability in the system and for vulnerabilities in aggregate.

Our success is determined by the ability to identify a manageable set of critical (prioritized) vulnerabilities that can actually be addressed in a reasonable timeframe and meet the organization's SLAs. This number, of course, depends on various factors within the company, yet at Vulcan Cyber we instruct our customers to keep the level of critical vulnerabilities between 1-2% of total vulnerabilities.

We support the customization of risk scoring through:

  • Defining unique risk parameters by setting weights for the different components of the Vulcan Security Posture Rating algorithm.
  • The customization of your model with a Python script. Now you can take risk flexibility even further by using a technical score other than CVSS, by using a combination of different threat feeds, and by applying threat-related logic that fits the organization’s need to filter critical vulnerabilities. Vulcan Cyber risk score customization also uses asset attributes such as OS and OS version, IP subnets, software inventory, etc. to fine-tune asset context in the risk calculation.

Best practice 1 – Use different KPIs from the scanners

  • Various scanners provide different risk scores that estimate a single vulnerability’s severity in addition to the CVSS score:
  • Tenable VPR (Vulnerability Priority Rating) takes into account the threat environmental aspect, such as the exploit code of a vulnerability becoming available or having escalated maturity.
  • Qualys Vulnerability Score (QVS) is a Qualys score for a vulnerability based on multiple factors associated with the CVE such as CVSS and external threat indicators like active exploitation, exploit code maturity, CISA known exploitable, and many more.
  • Vulcan Cyber accommodates the various scores from different scanners, whether you were already using them before purchasing Vulcan or would like to add different threat aspects to the risk calculation in Vulcan.

  1. Combine different risk parameters from a single scanner to create a unique risk score in Vulcan Cyber:
  2. Use Tenable VPR along with the CVSS score. Since VPR reflects the current threat landscape it can be leveraged with the CVSS score and account for a more complete view of severity.
  3. Note that VPR with a higher value represents a higher likelihood of exploitation. Consider decreasing the risk of a CVE having a CVSS of 9.8, but a VPR of 2, and vice versa.
  4. Add specific asset attribute(s) to the calculation.
  5. Decide how the score should be mapped according to the VPR/CVSS combination.
  6. Define the risk score calculation for other vulnerability sources if utilized.

** This practice also applies to Qualys QVS, CrowdStrike ExPRT.AI, the BitSight Rating score, and many more. You can decide to use a risk parameter other than CVSS on its own, or combine it with the Vulcan Cyber risk calculation logic.
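One way to express the VPR/CVSS combination from the steps above as a custom scoring function, added here as an illustration and not Vulcan Cyber's own script: a weighted blend of the two scanner scores, an asset-attribute bump, and a mapping to severity bands. The weights, the "External facing" and end-of-life bumps, and the band cut-offs are assumptions.

```python
from typing import Optional, Tuple

# Severity cut-offs for the blended 0-10 score (assumed, not Vulcan's bands).
BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.0, "Low")]


def band(score: float) -> str:
    """Map a 0-10 score to the first band whose floor it reaches."""
    return next(name for floor, name in BANDS if score >= floor)


def blend_cvss_vpr(cvss: float, vpr: Optional[float],
                   w_cvss: float = 0.5, w_vpr: float = 0.5) -> float:
    """Weighted mix of CVSS and Tenable VPR (both 0-10).

    A CVSS 9.8 finding with VPR 2 is pulled down, and a low-CVSS finding with a
    high VPR is pulled up, which is the adjustment the guide suggests. When the
    scanner supplied no VPR the CVSS value is kept as-is.
    """
    if vpr is None:
        return round(cvss, 1)
    return round(w_cvss * cvss + w_vpr * vpr, 1)


def apply_asset_context(score: float, asset: dict) -> float:
    """Raise the score for asset attributes that increase exposure (assumed rules)."""
    if "External facing" in asset.get("tags", ()):
        score += 1.0
    if asset.get("os_eol", False):   # OS past end-of-life: no vendor patches coming
        score += 0.5
    return round(min(score, 10.0), 1)


def custom_risk(cvss: float, vpr: Optional[float], asset: dict) -> Tuple[float, str]:
    """Blend the scanner scores, add asset context, return (score, severity band)."""
    score = apply_asset_context(blend_cvss_vpr(cvss, vpr), asset)
    return score, band(score)


if __name__ == "__main__":
    # Constructed sample: the guide's CVSS 9.8 / VPR 2 case on an internal host.
    print(custom_risk(9.8, 2.0, {"tags": ["Internal"]}))
```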

Best practice 2 – Use the Vulcan Cyber threat intelligence sources

  • The Vulcan Cyber platform relies on threat intelligence data collected by the Vulcan Cyber Voyager18 research team to offer the most reliable risk rating for a given vulnerability. Exploitability information is gathered from large exploit databases, while exploited-in-the-wild (weaponized) and malware threats are sourced from CISA and others.
  • In order to stay ahead of the latest exploits, the Vulcan Cyber threat intelligence database is updated daily with vulnerability scores adjusted accordingly; Vulcan correlates this data using CVE and CWE, matching against the platform vulnerability database.


  1. Utilize Vulcan Cyber threat intelligence data to determine the severity of a vulnerability.
  2. Add specific asset attribute(s) to the calculation.
  3. Determine which vulnerability/asset source(s) the calculation should be applied to.
  4. Define the risk score calculation for other vulnerability sources in the platform.

Example:

Vulnerabilities with CVE:

Critical where -

  • Threats = RCE AND Remote AND Exploitable
  • Asset tag = External facing

High where - Threats = RCE AND Remote AND Exploitable

Medium where - Threats = Exploitable

Low where - All other vulnerabilities

Vulnerabilities without CVE (component weights):

  "CVSS": 0.6,
  "Threats": 0.0,
  "Tags": 0.4

Security Posture Rating (SPR) is the main KPI driving the vulnerability management (VM) program through the Vulcan platform. The SPR value (in %) is the percentage of scanned assets complying with a defined threshold for maximum risk. All assets with risk below this threshold are risk compliant, so the goal is to have the SPR as high as possible.
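The rule set from the example above and the SPR definition, written out as a small scoring module. This is an added illustration, not Vulcan Cyber's own scoring code: the record fields, the 0-10 threat and tag sub-scores used for findings without a CVE, and the band cut-offs are assumptions; the weights 0.6 / 0.0 / 0.4 are the ones from the example.

```python
from dataclasses import dataclass, field

# Band cut-offs for numeric scores (assumed) and the example's weights for findings without a CVE.
BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.0, "Low")]
WEIGHTS_NO_CVE = {"CVSS": 0.6, "Threats": 0.0, "Tags": 0.4}


@dataclass
class Vuln:
    cve: str                                        # "" for findings without a CVE
    cvss: float = 0.0                               # technical score, 0-10
    threats: set = field(default_factory=set)       # threat labels, e.g. {"RCE", "Remote", "Exploitable"}
    asset_tags: set = field(default_factory=set)    # asset context, e.g. {"External facing"}
    threat_score: float = 0.0                       # 0-10 threat sub-score, non-CVE only (assumed)
    tag_score: float = 0.0                          # 0-10 asset-context sub-score, non-CVE only (assumed)


def band(score: float) -> str:
    """Map a 0-10 score to the first band whose floor it reaches."""
    return next(name for floor, name in BANDS if score >= floor)


def severity_with_cve(v: Vuln) -> str:
    """The four rules from the example, evaluated top-down; the first match wins."""
    exploitable = "Exploitable" in v.threats
    rce_remote = exploitable and {"RCE", "Remote"} <= v.threats
    if rce_remote and "External facing" in v.asset_tags:
        return "Critical"
    if rce_remote:
        return "High"
    if exploitable:
        return "Medium"
    return "Low"


def score_without_cve(v: Vuln) -> float:
    """Weighted sum with the example's weights: threat intel carries no weight without a CVE."""
    w = WEIGHTS_NO_CVE
    return round(w["CVSS"] * v.cvss + w["Threats"] * v.threat_score + w["Tags"] * v.tag_score, 1)


def severity(v: Vuln) -> str:
    return severity_with_cve(v) if v.cve else band(score_without_cve(v))


def security_posture_rating(assets: dict, max_allowed: str = "High") -> float:
    """SPR in percent: an asset is compliant when its worst finding is strictly below max_allowed."""
    order = [name for _, name in BANDS]             # Critical, High, Medium, Low
    limit = order.index(max_allowed)
    compliant = sum(1 for vulns in assets.values()
                    if all(order.index(severity(v)) > limit for v in vulns))
    return round(100.0 * compliant / len(assets), 1) if assets else 100.0
```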

Want to learn more?

Our team put together this guide of 5 different best practice methods for you to explore. Read all about it here >>


Barry O'Brien

Cyber and Risk Program Leadership

1 yr

Liam Sklar, I would be interested in reading a case study or white paper on how Vulcan Enterprise was implemented in a multi-cloud, multi-country, global company. Is it scalable? Is it native NIST?

Reply

Who else wants to be our Northern Star?

Reply
