The Exploit Prediction Scoring System (EPSS) is a crucial tool for organisations, guiding them in prioritising vulnerabilities based on the likelihood of exploitation. However, as cyber threats evolve and organisational priorities shift, a static approach to EPSS thresholds may not suffice. Adapting your EPSS thresholds to match organisational risk tolerance, the capabilities of your cybersecurity team, and the changing threat landscape is essential for maintaining an effective defence.
As we conclude our series on enhancing cybersecurity posture through strategic vulnerability management, it’s crucial to address an often-overlooked aspect: the inevitability of residual risk. Despite the best efforts in identifying, prioritising, and remediating vulnerabilities, no cybersecurity program can eliminate all risks. This final post explores the concept of residual risk, outlining strategies for managing it and setting realistic expectations for vulnerability management programs.
Security professionals, armed with detailed technical knowledge about vulnerabilities and their potential exploits, face the challenge of conveying this information to risk owners and stakeholders in a manner that resonates with business priorities. Building upon our discussions on leveraging diverse sources for a comprehensive understanding of vulnerabilities, this article focuses on effective strategies for translating technical jargon into the language of business impact, facilitating informed decision-making and prioritisation of remediation efforts.
In the intricate web of cybersecurity, accurate and timely information on vulnerabilities is paramount for effective defence. The National Institute of Standards and Technology’s National Vulnerability Database (NIST NVD) serves as a cornerstone in this landscape, offering a comprehensive catalogue of security vulnerabilities. However, as we’ve explored the evolving dynamics of CVE exploitability and the predictive approaches to vulnerability management, it’s clear that relying solely on NIST NVD may not suffice. This article underscores the importance of diversifying vulnerability information sources to gain a more accurate and contextual understanding of vulnerabilities.
Vulnerabilities catalogued under the Common Vulnerabilities and Exposures (CVE) system can see their risk profiles change dramatically as new exploits are developed, or as additional research brings to light easier paths to exploitation. This fluidity underscores the critical need for continuous monitoring of CVE exploitability changes. Building upon our exploration of predictive vulnerability management and the strategic use of tools like EPSS, this article highlights the pivotal role of ongoing exploitability monitoring in refining and adjusting remediation priorities.
While traditional vulnerability management practices have focused on reacting to known threats, the introduction of predictive models like the Exploit Prediction Scoring System (EPSS) represents a paradigm shift towards proactive security. Following our discussion on executing targeted remediation plans using the KEV list, this article delves into the strategic incorporation of EPSS scores into the vulnerability management process, enabling organizations to foresee and mitigate threats before they are exploited.
Understanding and prioritising vulnerabilities is only half the battle; the crucial next step is the execution of a targeted remediation plan. Building on the foundational concepts discussed in previous articles—ranging from establishing a risk management framework to integrating KEV (Known Exploited Vulnerabilities) and EPSS scores for prioritisation—this article zeroes in on translating KEV analysis into effective action.
The emphasis on KEV-listed vulnerabilities is pivotal. These are the vulnerabilities that have been identified as being actively exploited in the wild, posing an immediate risk to organisations worldwide. Crafting a remediation plan that addresses these vulnerabilities is not merely a best practice but a necessity for safeguarding digital assets against the most pressing threats.
The prioritisation of vulnerabilities for remediation is a critical challenge. Traditional reliance on the Common Vulnerability Scoring System (CVSS) has been a standard practice for many organisations. However, as the threat environment and vulnerability identification process evolves, the limitations of CVSS scores in accurately reflecting the real-world risk of vulnerabilities have become increasingly apparent. Building upon our discussions on establishing a robust risk management framework, identifying your digital crown jewels, and defining the roles of risk owners and remediation teams, this article explores the imperative of rethinking vulnerability prioritisation. We delve into the integration of Known Exploited Vulnerabilities (KEV) and Exploit Prediction Scoring System (EPSS) scores into the vulnerability management process as a more dynamic approach to triage, prioritisation and remediation of risks.
The identification and categorisation of assets serve as foundational steps towards safeguarding an organisation’s digital environment. However, the effectiveness of these steps is significantly amplified when coupled with the clear assignment of risk owners and the formation of dedicated remediation teams. This structure not only clarifies responsibilities but also streamlines the process of addressing vulnerabilities. As we delve deeper into the components of an effective, risk-focused vulnerability management strategy, understanding the pivotal roles of risk owners and remediation teams becomes crucial.
Understanding Risk Ownership
Risk ownership is a critical concept in cybersecurity management, assigning the responsibility for managing the risk associated with a particular asset or set of assets to a specific individual or department within the organisation. This person or team, known as the risk owner, is tasked with making informed decisions about how to handle identified risks—whether through mitigation, acceptance, transfer, or avoidance. The assignment of risk owners ensures that decision-making authority is clear, facilitating swift and effective responses to emerging threats.
The Importance of Risk Owners
- Accountability: Risk owners provide a point of accountability within the organisation for specific assets. This clarity is essential for maintaining a high level of security posture, as it ensures someone is always responsible for the risk management of each asset.
- Informed Decision-Making: Risk owners are typically chosen based on their expertise and understanding of the asset. This ensures that decisions regarding risk management are made by those with the most knowledge about the asset’s importance and the implications of potential threats.
- Effective Communication: Having a designated risk owner improves communication channels within the organisation. They serve as the primary contact for issues related to their assets, streamlining the process of risk management and remediation.
Forming Remediation Teams
While risk owners oversee the decision-making process regarding risk management, remediation teams are the operational backbone that implements these decisions. Comprised of technical experts, these teams are responsible for carrying out the actions required to mitigate identified risks, such as patching vulnerabilities or implementing security controls.
Key Aspects of Remediation Teams
- Expertise and Specialisation: Remediation teams bring together individuals with specific skills and expertise relevant to the assets they are tasked with securing. This specialisation ensures that remediation efforts are effective and aligned with best practices.
- Cross-functional Collaboration: Often, remediation requires input and action from various departments within an organisation (e.g., IT, development, operations). Remediation teams facilitate this cross-functional collaboration, ensuring that all relevant stakeholders are involved in securing the assets.
- Efficiency in Remediation: By having dedicated teams focused on the remediation process, organisations can respond more quickly to vulnerabilities, reducing the window of exposure and the potential impact of cyber threats.
Assigning Risk Owners and Forming Remediation Teams
The process of assigning risk owners and forming remediation teams should be integral to an organisation’s vulnerability management strategy. This involves:
- Identifying Key Assets: Leveraging the asset categorisation process to determine which assets require dedicated risk owners and remediation teams based on their criticality and exposure level.
- Selecting Risk Owners: Appointing individuals or departments as risk owners based on their knowledge of the asset and its operational context within the organisation.
- Establishing Remediation Teams: Forming teams of technical experts, ensuring they have the necessary tools and authority to implement remediation measures effectively.
- Defining Roles and Responsibilities: Clearly outlining the roles and responsibilities of both risk owners and remediation teams, ensuring there is no ambiguity in their duties.
- Fostering Collaboration: Encouraging open communication and collaboration between risk owners and remediation teams to ensure a cohesive approach to vulnerability management.
In Summary….
The assignment of risk owners and the formation of remediation teams are crucial steps in enhancing an organisation’s cybersecurity framework. By clearly defining responsibilities and leveraging the expertise of specialised teams, organisations can ensure a proactive and efficient response to the ever-evolving threat landscape. As we move forward in this series, we will explore how integrating these roles within a comprehensive vulnerability management strategy can not only mitigate risks but also contribute to the overall resilience of the organisation. In doing so, we underscore the importance of a structured approach to cybersecurity, where accountability, expertise, and collaboration converge to safeguard the digital assets at the heart of modern enterprises.
Recognising which assets are most critical to your organisation’s operation—the digital crown jewels—is paramount. Following the establishment of a robust risk management framework, as discussed in our previous blog, the next step in enhancing your cybersecurity posture is effectively categorising your assets. This process is vital for prioritising remediation efforts and allocating resources efficiently, ensuring that the most significant threats to your most valuable assets are addressed promptly.
Why Asset Categorisation Matters
Asset categorisation is more than just an inventory exercise; it’s a strategic approach that enables organisations to understand the potential impact of vulnerabilities. By categorising assets based on their exposure level—Internet-facing, Internet-accessible, and internal—you create a hierarchy of risk that informs your vulnerability management strategy. This hierarchy helps in distinguishing between assets that, if compromised, could directly impact your organisation’s ability to operate versus those with a minimal operational impact.
1. Identifying Your Assets
The first step in asset categorisation is identifying what assets you have. This process involves creating an inventory of every piece of hardware and software within your organisation. While this may seem daunting, leveraging automated tools and integrating asset discovery with your existing IT management solutions can streamline the process. Remember, an asset inventory is not a one-time task but a continuous process, as the corporate environment is always changing.
2. Categorising Assets by Exposure Level
Once you have identified your assets, the next step is categorising them based on their exposure level:
- Internet-facing Assets: These are directly accessible from the Internet and, as such, are at a higher risk of being targeted by external threats. Examples include web servers and email systems.
- Internet-accessible Assets: While not directly exposed to the Internet, these assets can be accessed through various means such as VPNs, proxies, and firewalls. They include internal web applications and databases that can be accessed from outside the network.
- Internal Assets: These assets are not intended to be accessible from the Internet and are typically used within the internal network. They include file servers, employee workstations, and internal-only applications.
3. Prioritising Efforts Based on Asset Criticality
With your assets categorised, the next step is to prioritise your vulnerability management efforts based on asset criticality. This involves assessing which assets are essential to your organisation’s daily operations and which, if compromised, could lead to significant disruptions or breaches. This prioritisation should align with your organisation’s risk management framework, focusing on protecting your digital crown jewels first and foremost.
4. Implementing a Dynamic Categorisation Approach
Asset categorisation is not a set-and-forget process. It requires a dynamic approach that accounts for the ever-changing digital landscape. Regular reviews and updates to your asset categorisation ensure that new assets are correctly classified and that changes in the business environment are reflected in your prioritisation of vulnerability management efforts.
5. Integrating Asset Categorisation into Your Vulnerability Management Program
Integrating asset categorisation into your vulnerability management program involves aligning your remediation efforts with the criticality of each asset. This means prioritising patches and security measures for Internet-facing and critical internal assets, while also considering the potential pathways attackers might use to access less critical assets.