Security Guide Step 3: Prioritize Based on Business Context

The most critical capability of an ASPM system is risk-based prioritization

Willy Leichter

July 16, 2024



Editor’s Note: This is the fourth serialized blog based on our recently published Security Guide: 5 Steps to Get Ahead and Stay Ahead of Application Vulnerabilities. You can also download the entire guide here. In each section of this guide we cover Key Questions, Challenges faced by organizations, and how AppSOC addresses these challenges. 

Key Questions

  • How can we keep up with all these vulnerabilities?
  • There are alerts for hundreds of “Critical” issues. Which ones should we address first?
  • Generic vulnerability scores don’t understand my business – how do I add context?
  • I don’t like false positives, but I’m scared of missing something through false negatives. How do I keep these from getting lost in the noise?

Challenges

In the introduction we discussed the Funnel Challenge: how to whittle down thousands of vulnerability alerts into a manageable number that your team can stay on top of. A team of four security analysts can effectively follow up on at most about 100 critical issues in a day. Yet many teams receive thousands of alerts across multiple tools.

But you can’t throw darts or blindly eliminate 95% of the noise. The reduction must be done intelligently, or you risk missing real threats that can cripple your business. Practically, though, you must dramatically reduce the scope of what you chase while making the best use of limited human resources.

The Limitations of CVSS

The Common Vulnerability Scoring System (CVSS) is used by most security tools, providing an open standard for scoring the severity of known vulnerabilities.

While this can be helpful to deprioritize vulnerabilities with Low and Medium scores, most organizations are still bombarded with far more High and Critical issues than they can manage. 

The problem is that CVSS measures only one component of risk: severity. Tools that rely on CVSS alone miss the bigger picture. A more comprehensive view must combine severity with:

  • Exploitability: has this vulnerability been weaponized in the field?
  • Business Context: what matters to your business in terms of assets, criticality, and network exposure.

At the intersection of these three elements (severity, exploitability, and business context) is a dramatically smaller number of issues that must be prioritized.

Accurately Calculating Risk

To break this down further, here’s a foundational formula for calculating risk:

RISK = IMPACT x LIKELIHOOD

The Severity scores provided by CVSS measure only one aspect of Impact. The CVSS base score does include theoretical exploitability metrics (attack vector, attack complexity, privileges required), but it says nothing about whether anyone is actually exploiting the flaw, so it misses real-world Likelihood altogether.

Components of Impact

  • CVSS Severity
  • Asset Criticality: is this application business critical?
  • Data Classification: does it process sensitive information?
  • Network Exposure: is this internet facing, or an internal app?

Components of Likelihood

  • EPSS Score: the Exploit Prediction Scoring System, which estimates the probability that a vulnerability will be exploited in the wild within the next 30 days, separating actively targeted flaws from those that remain theoretical.
  • CISA KEV: the Known Exploited Vulnerabilities catalog, which lists vulnerabilities with confirmed evidence of active exploitation.
  • Other Sources: the OWASP Top 10, SANS Top 25, VulDB, and other reputable resources. Note that the OWASP and SANS lists rank weakness categories rather than individual CVEs, so they add context rather than a per-finding exploitation signal.

Best Practices for Accurate Prioritization

Prioritization is the most critical element of an ASPM system, and it must include:

  • Comparing Severity, Exploitability, and Business Context: the small number of vulnerabilities that meet all these criteria should be prioritized for immediate action.
  • Intelligent Risk Scoring: this must include all the factors of Impact on your business and likelihood that they will be exploited.
  • Advanced Cumulative Scoring: recognizing high-volume vulnerabilities but keeping them from drowning out signals of other critical issues.
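The following is an added example, not code from the guide and not AppSOC's CoRE. It puts the RISK = IMPACT x LIKELIHOOD formula and the Impact and Likelihood components above into working code, then applies the cumulative scoring the last bullet describes. The KEV and EPSS excerpts are constructed with fictional CVE IDs (the field names follow the public CISA KEV JSON and FIRST EPSS CSV layouts), and every weight, the unknown-EPSS floor, and the log2 dampening are illustrative assumptions to be tuned per organization.

```python
"""Added example (not AppSOC's CoRE, not code from the guide): a minimal
contextual risk score that combines the Impact and Likelihood components
listed above, then applies log-dampened cumulative scoring so a CVE seen on
many hosts is recognized without drowning out a single high-risk finding.
All weights, thresholds and feed snippets are illustrative assumptions."""
import csv
import io
import json
import math
from collections import defaultdict

# Constructed feed excerpts with fictional CVE IDs. Field names follow the
# public CISA KEV JSON ("vulnerabilities"[].cveID) and the FIRST EPSS CSV
# (one '#' metadata line, then cve,epss,percentile); the values are made up.
KEV_JSON = """{"vulnerabilities": [{"cveID": "CVE-2099-0001"}]}"""
EPSS_CSV = """#model_version:v2099.01.01,score_date:2099-01-01T00:00:00+0000
cve,epss,percentile
CVE-2099-0001,0.91,0.999
CVE-2099-0002,0.01,0.40
CVE-2099-0003,0.003,0.20
"""

# Business-context weights: assumed values, tune per organization.
CRITICALITY = {"critical": 1.0, "high": 0.75, "medium": 0.5, "low": 0.25}
DATA_CLASS = {"restricted": 1.0, "confidential": 0.75, "internal": 0.5, "public": 0.25}
EXPOSURE = {"internet": 1.0, "partner": 0.7, "internal": 0.4}
EPSS_UNKNOWN = 0.05  # assumed floor for CVEs with no EPSS row


def load_kev(text):
    """Set of CVE IDs with confirmed in-the-wild exploitation."""
    return {v["cveID"] for v in json.loads(text)["vulnerabilities"]}


def load_epss(text):
    """Map CVE ID -> EPSS probability, skipping the '#' metadata line."""
    rows = csv.DictReader(line for line in io.StringIO(text) if not line.startswith("#"))
    return {row["cve"]: float(row["epss"]) for row in rows}


def impact(finding):
    """CVSS severity scaled by asset criticality, data class and exposure (0..1)."""
    context = (0.4 * CRITICALITY[finding["asset_criticality"]]
               + 0.3 * DATA_CLASS[finding["data_classification"]]
               + 0.3 * EXPOSURE[finding["exposure"]])
    return (finding["cvss"] / 10.0) * context


def likelihood(finding, kev, epss):
    """KEV membership is treated as certainty; otherwise use the EPSS probability."""
    if finding["cve"] in kev:
        return 1.0
    return epss.get(finding["cve"], EPSS_UNKNOWN)


def risk(finding, kev, epss):
    """RISK = IMPACT x LIKELIHOOD, on a 0..100 scale."""
    return 100.0 * impact(finding) * likelihood(finding, kev, epss)


def cumulative_scores(findings, kev, epss):
    """Per-CVE score: worst instance, boosted by log2(instance count), capped at 100.
    Forty copies of a negligible finding stay negligible; forty copies of a
    serious one saturate the scale."""
    per_cve = defaultdict(list)
    for f in findings:
        per_cve[f["cve"]].append(risk(f, kev, epss))
    return {cve: min(100.0, max(scores) * (1.0 + math.log2(len(scores))))
            for cve, scores in per_cve.items()}


def triage(findings, kev, epss):
    """CVEs ranked by contextual risk, highest first."""
    scores = cumulative_scores(findings, kev, epss)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


# Constructed findings. By CVSS alone the order would be 0002 > 0003 > 0001;
# with context and likelihood it inverts, and only 0001 clears a 50-point bar.
FINDINGS = [
    {"cve": "CVE-2099-0001", "cvss": 7.5, "host": "api-gw-1", "asset_criticality": "critical",
     "data_classification": "confidential", "exposure": "internet"},
    {"cve": "CVE-2099-0002", "cvss": 9.8, "host": "build-box", "asset_criticality": "low",
     "data_classification": "public", "exposure": "internal"},
] + [
    {"cve": "CVE-2099-0003", "cvss": 9.1, "host": f"batch-{i}", "asset_criticality": "medium",
     "data_classification": "internal", "exposure": "internal"}
    for i in range(40)
]

if __name__ == "__main__":
    kev, epss = load_kev(KEV_JSON), load_epss(EPSS_CSV)
    for cve, score in triage(FINDINGS, kev, epss):
        print(f"{cve}  risk={score:6.2f}")
```

The multiplicative log2 boost is the design choice worth checking for your own data: it lets volume raise a CVE's rank, but a finding with a tiny likelihood cannot climb past a single KEV-listed internet-facing issue no matter how many hosts it appears on. Swap in your own weights and a KEV/EPSS download and the same triage call gives a defensible, explainable ordering.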

How AppSOC Delivers Advanced Prioritization

AppSOC has been recognized in the industry for providing the most advanced and accurate risk scoring to help analysts dramatically reduce noise and prioritize the most critical issues based on their business context.

The proprietary Contextual Risk Engine (CoRE) incorporates advanced risk modeling and machine learning, factoring in context from a wide range of sources to determine business-specific impact and exploitability.

Noise Reduction Funnel

The funnel chart makes the bigger picture, and AppSOC’s impact, clear. Deduplicating raw findings into unique findings and applying the priorities from other tools can eliminate 50-60% of the noise, but that still leaves far too many results, ranked largely on CVSS scores.

However, after filtering by CoRE, the number of truly critical issues can be lowered to less than 5% of the original.

[Chart: Noise Reduction Funnel]

Risk Heat Map

This chart compares overall Impact with Exploitability to further refine findings and provide guidance. With one click on any cell of the chart, you can drill down, analyze the specific findings behind it, and begin the remediation process.

Transparency and Clarity

At any stage in the process, analysts can dig into a specific security issue and immediately see every factor that went into its risk score, including the CVE description, owners, affected applications, microservices, and libraries.

[Screenshot: finding detail view with risk scoring factors]

Feedback and Tuning

All the factors measuring business context, and the desired thresholds, can be adjusted and fine-tuned for your organization, and machine learning algorithms use analyst feedback to continuously improve the process.