Keeping Up with the Vulnerability Conveyor Belt

More Effective Prioritization with Contextual Risk Scoring

Willy Leichter

March 29, 2024


For many security analysts, the relentless onslaught of vulnerabilities, threats, misconfigurations, and other issues can seem overwhelming. Just when you feel like you’ve gained some control, the next day starts with a new batch of “critical” issues.

Many people have used the analogy of the old “Whack-a-Mole” arcade game – hit a mole with a hammer in one place, and it pops up immediately somewhere else. But the never-ending vulnerability chase is more like the classic “I Love Lucy” episode in the chocolate factory. Grabbing the chocolate pieces seems easy at first, but as the conveyor belt speeds up it becomes impossible and comical.

Unfortunately, it’s not as funny when your security team is overwhelmed with the relentless “conveyor belt” of vulnerabilities that come from all your security tools. 

The vulnerability funnel 

To illustrate the scope of this challenge, let’s look at the funnel chart that is part of the AppSOC dashboard. At the top are the raw vulnerability and security data coming from multiple tools. For a typical medium-sized security team, this can be thousands of findings across dozens of tools and is unmanageable without significant filtering.

The first step is to get rid of the duplicates. This can be a pain to do manually, with similar findings in varying formats, or multiple issues caused by the same underlying threats. But with tools like AppSOC, good deduplication can eliminate about 5-20% of the noise. That’s a good first step.

Next, your code scanners and other security tools should, if they are any good, provide some level of prioritization. This is typically done by looking up the CVSS score of each identified vulnerability from the National Vulnerability Database (NVD). However, CVSS scores are limited in scope: they only measure severity, without judging exploitability, likelihood, or factors specific to your business. Still, if done well, this step can filter out about 40-50% of the noise. Another step in the right direction.

Vulnerability funnel example:

  • 7,141 vulnerabilities reported by multiple scanners
  • 6,638 left after deduplication (7% reduction)
  • 2,702 prioritized as “critical” by scanning tools (62% total reduction)

This step is also helpful, but the results are still not manageable. Do the simple math: say you have 5 full-time security analysts, and each “critical” vulnerability requires about 20 minutes to triage, assess, research, determine remediation steps, and alert others. That gives you the capacity to properly address about 120 vulnerabilities per day, with little time for other activities.

Calculating capacity: 

  • 5 full-time security analysts
  • 20 min to analyze each critical vulnerability
  • Daily analysis capacity = 120 vulnerabilities
  • Only 4.4% of “critical” vulnerabilities are addressed

While we’ve reduced the original total by roughly 60%, the remaining 40% is still an unmanageable number that would require over 100 FTEs just for first-level analysis!

40% of impossible still equals impossible. Your capacity to respond only covers less than 5% of the issues delivered by your security tools. 

Separating reported “critical” issues from real risk

The reality is that hiring 100+ analysts is a non-starter and would be a colossal waste of resources. Your team is probably large enough to follow up on the truly important issues, but over 90% of the signals we get from various tools are redundant, false alerts, known non-critical issues, or simply not relevant to your specific business.

Our default fallback is to dump lots of security data into a spreadsheet and apply brute force to attempt to reduce the noise. Or we ask our analysts to use their intuition, essentially guessing what merits their limited bandwidth. Neither of these inspires confidence that your security posture is robust or adequate.

Going beyond CVSS scores to calculate real risk

We need to make prioritization decisions based on the real risk to your business – not just generic severity. As we mentioned above, CVSS scores only cover a small component of overall risk. 

AppSOC takes a more complete and nuanced view to calculate real risk and pinpoint the most critical issues. Let’s consider a foundational formula for calculating risk:

RISK = IMPACT x LIKELIHOOD

The severity scores provided by CVSS only measure one aspect of impact and miss likelihood altogether. A more complete view includes:

Components of Impact

  • CVSS severity
  • Asset criticality: is this application business critical?
  • Data classification: does it process sensitive information?
  • Network exposure: is this internet facing, or an internal app?

Components of Likelihood

  • EPSS Score: the Exploit Prediction Scoring System which factors in whether a vulnerability has been exploited in the field, or if it remains untested or theoretical.
  • CISA KEV: Known Exploited Vulnerabilities list looks at all documented attacks and the vulnerabilities exploited.
  • Other Sources: these include the OWASP Top 10, SANS Top 25, VulDB, and other reputable sources.

A good way to visualize the power of a more comprehensive, risk-based approach is with a Venn diagram, with three major factors:

  • Severity: base CVSS scores of vulnerabilities through the NVD or other sources
  • Exploitability: has this vulnerability been successfully weaponized in the field?
  • Business context: what’s important to your business in terms of assets, criticality, and network exposure?

At the intersection of these three elements is a dramatically smaller number of issues that must be prioritized.
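To make the funnel and the RISK = IMPACT x LIKELIHOOD formula concrete, here is a small worked example in Python. It is added for this post and is not AppSOC's code: the Finding fields, the asset inventory, the placeholder CVE labels, the weights in the impact formula and the thresholds for the Venn-diagram intersection are all constructed assumptions. It runs the steps described above in order: deduplicate findings that several scanners reported for the same CVE on the same asset, blend CVSS severity with asset criticality, data classification and network exposure into an impact value, take EPSS and CISA KEV membership as the likelihood, and then rank by the product. The sample data is chosen so that a CVSS 9.8 issue on an internal, low-value host with no known exploitation drops well below a medium-severity issue that is internet-facing and actively exploited.

```python
"""Contextual risk scoring over multi-scanner findings.

Added example; this is not AppSOC's code. The Finding fields, the asset
inventory, the weights and thresholds below are constructed assumptions
chosen to illustrate RISK = IMPACT x LIKELIHOOD with the components the
post lists (CVSS, asset criticality, data classification, network
exposure; EPSS and CISA KEV).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    scanner: str
    cve: str        # placeholder labels below, not real CVE numbers
    asset: str
    cvss: float     # NVD base severity, 0..10
    epss: float     # EPSS probability of exploitation in the wild, 0..1
    in_kev: bool    # present on the CISA Known Exploited Vulnerabilities list


# Constructed business-context inventory keyed by asset name.
ASSET_CONTEXT = {
    "payments-api":   {"criticality": 1.0, "data_sensitivity": 1.0, "internet_facing": True},
    "marketing-site": {"criticality": 0.5, "data_sensitivity": 0.1, "internet_facing": True},
    "intranet-wiki":  {"criticality": 0.3, "data_sensitivity": 0.4, "internet_facing": False},
}

# Constructed raw scanner output: the same CVE on payments-api is reported
# twice by different tools, and a CVSS 9.8 issue sits on an internal,
# low-value host that nobody is exploiting.
RAW_FINDINGS = [
    Finding("sca-scanner",  "CVE-EXAMPLE-1", "payments-api",   9.8, 0.92,  True),
    Finding("dast-scanner", "CVE-EXAMPLE-1", "payments-api",   9.1, 0.92,  True),
    Finding("sca-scanner",  "CVE-EXAMPLE-2", "intranet-wiki",  9.8, 0.01,  False),
    Finding("sast-scanner", "CVE-EXAMPLE-3", "marketing-site", 6.5, 0.40,  False),
    Finding("sca-scanner",  "CVE-EXAMPLE-4", "intranet-wiki",  4.3, 0.002, False),
]


def deduplicate(findings):
    """Collapse reports of the same CVE on the same asset from different
    scanners into one record, keeping the highest CVSS when tools disagree."""
    best = {}
    for f in findings:
        key = (f.cve, f.asset)
        if key not in best or f.cvss > best[key].cvss:
            best[key] = f
    return list(best.values())


def impact(f, ctx):
    """Impact in 0..1: CVSS severity blended with asset criticality, data
    classification and network exposure (the weights are an assumption)."""
    exposure = 1.0 if ctx["internet_facing"] else 0.3
    return (0.40 * f.cvss / 10.0
            + 0.25 * ctx["criticality"]
            + 0.20 * ctx["data_sensitivity"]
            + 0.15 * exposure)


def likelihood(f):
    """Likelihood in 0..1: a KEV entry is treated as certain exploitation,
    otherwise the EPSS probability is used directly."""
    return 1.0 if f.in_kev else f.epss


def risk_score(f, ctx):
    """RISK = IMPACT x LIKELIHOOD, scaled to 0..100."""
    return 100.0 * impact(f, ctx) * likelihood(f)


def in_intersection(f, ctx):
    """The centre of the Venn diagram: severe, exploitable and relevant to
    the business at the same time (the thresholds are an assumption)."""
    severe = f.cvss >= 7.0
    exploitable = f.in_kev or f.epss >= 0.10
    business = ctx["criticality"] >= 0.7 or (
        ctx["internet_facing"] and ctx["data_sensitivity"] >= 0.5)
    return severe and exploitable and business


def prioritize(findings, context=ASSET_CONTEXT):
    """Deduplicate, score and rank; returns [(finding, score), ...] descending."""
    scored = [(f, risk_score(f, context[f.asset])) for f in deduplicate(findings)]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def funnel(findings, context=ASSET_CONTEXT):
    """Counts at each stage, like the funnel chart: raw, after deduplication,
    "critical" by CVSS alone (>= 9.0), and in the contextual intersection."""
    deduped = deduplicate(findings)
    cvss_critical = [f for f in deduped if f.cvss >= 9.0]
    focus = [f for f in deduped if in_intersection(f, context[f.asset])]
    return {"raw": len(findings), "deduplicated": len(deduped),
            "cvss_critical": len(cvss_critical), "intersection": len(focus)}


if __name__ == "__main__":
    for f, score in prioritize(RAW_FINDINGS):
        print(f"{score:6.1f}  {f.cve:15} {f.asset:15} "
              f"cvss={f.cvss} epss={f.epss} kev={f.in_kev}")
    print(funnel(RAW_FINDINGS))
```

Sorting by CVSS alone would put the two 9.8 findings at the top as a tie; with context applied, the payments-api issue scores 99.2 while the internal wiki issue scores under 1, and the internet-facing, actively exploited CVSS 6.5 finding moves into second place. The funnel for the five constructed records goes 5 raw, 4 after deduplication, 2 "critical" by CVSS, 1 in the intersection.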

The AppSOC UI makes it easy to clearly identify the riskiest vulnerabilities through our unique Heat Map. This two-axis chart compares overall Impact with Exploitability, to further refine findings and give analysts guidance. With one click on any cell of this chart, you can immediately drill down, analyze the specific findings, and begin the remediation process.

For more information about this process please see our demo video that shows the AppSOC Contextual Risk Scoring process in action.