How to prioritize vulnerabilities by real business impact

by Sarah Hartland

Nobody would argue that vulnerability scanners are a negative addition to the cybersecurity landscape. These days, it’s much easier to catch vulnerabilities and be alerted in near-real time to their presence. But this has become a double-edged sword for vulnerability managers, who are now overloaded with hundreds, even thousands of vulnerability findings that all scream “CRITICAL!”

And when 80% of your vulnerabilities are critical/high, well, none of them are.

Teams can manually prioritize vulnerabilities, but the sheer volume that security practitioners face daily makes this not just tedious but, at scale, practically impossible.

There are two things security leaders need to do to help their teams use their time effectively: use context to prioritize which vulnerabilities matter, and then assign those vulnerabilities to the right person, in the right order.

Use Business Context to Prioritize Vulnerabilities That Matter

A locksmith can tell you that 50% of the locks in your home are faulty, but only you can determine which locks matter to you (the front door, your safe, etc.) vs. the lock on the storage shed in the backyard. Similarly, vulnerability scanners can identify more risks from code, workloads, servers, and devices than ever before, but that’s all they can do. Scanners lack the business context to know which vulnerabilities relate to critical assets, core projects, or customer data, or which are publicly exploitable.

You need to see vulnerabilities in the context of real business impact to prioritize which ones really matter. The best practice is to (1) identify the high-risk vulnerabilities, then determine whether they are (2) exploitable by bad actors and (3) likely to have a real impact on the business.

JupiterOne CEO and founder, Erkang Zheng, explains why vulnerability context matters when working across the business: “Security teams go into these sprint planning meetings with the engineering teams, and they say, ‘You need to spend 10% of your time next sprint fixing these vulnerabilities.’ But in most cases, it is difficult for the security team to make that case. Because the security team does not have the right context to bring to the business or the engineering teams to say, ‘This is why this finding matters. This is why you should spend your time on this.’ Everyone wins if security teams can bring the business context to that discussion.”

Only you can determine what matters most to your business, but the important thing is that you specifically define which assets are critical, and which alerts should be high priority.

Some examples of highest priority vulnerabilities may be:

  • The vulnerable code needs to be patched ASAP because it is already in production.
  • Vulnerabilities that could expose customer data are urgent priorities because of the impact of exposing said data.
  • Vulnerable code that’s in an internet-facing workload may be easier to exploit because it is internet-facing.

The second part of each example is the context that is typically missing from these discussions.

These criteria give you and your team clarity, but the additional context also bridges the gap between the security and engineering teams so you can fix what matters most.

The good news is, you can automate this prioritization process for the future to focus on fixing what’s broken rather than deciding what matters. More on that shortly.

Assign Vulnerabilities to the Right Person, in the Right Order

In addition to making a clear case for why a vulnerability matters, you can save time and create alignment between your security and engineering teams by assigning patches to the right people, in the right order.

Who is already working on the project? Who wrote the vulnerable code in the first place? Which pull request introduced the vulnerability? You can ask these questions in a sprint meeting, but if you’re using JupiterOne, you can also automatically see these details associated with each finding.
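The two steps above (score each finding by business context, then hand the ordered list to the people who own the code) can be sketched in a few dozen lines. The following is an added illustration written for this page, not JupiterOne code or its data model; the Finding fields, the weights in business_risk, and the four sample findings are all constructed assumptions chosen to show that a scanner-rated "critical" finding with no production, exposure, or data context can rank below "high" findings that have all three.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed example, not JupiterOne code: a scanner finding enriched with the
# business context the article says is usually missing from the discussion.
@dataclass(frozen=True)
class Finding:
    id: str
    severity: str                # scanner severity: low / medium / high / critical
    repo: str
    in_production: bool          # the vulnerable code path is deployed to production
    internet_facing: bool        # the workload is reachable from the public internet
    reaches_customer_data: bool  # the workload's role can read a non-public datastore
    data_encrypted: bool         # that datastore is encrypted at rest
    introduced_by: str           # author of the pull request that added the code

# Scanner severity is only the starting point; the context terms dominate.
SEVERITY_BASE = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def business_risk(f: Finding) -> Tuple[int, List[str]]:
    """Return (score, reasons). The weights are illustrative assumptions."""
    score = SEVERITY_BASE[f.severity]
    reasons = [f"scanner severity {f.severity}"]
    if f.in_production:
        score += 3
        reasons.append("already running in production")
    if f.internet_facing:
        score += 3
        reasons.append("workload is internet-facing, so easier to reach")
    if f.reaches_customer_data:
        if f.data_encrypted:
            score += 2
            reasons.append("can reach customer data (encrypted at rest)")
        else:
            score += 4
            reasons.append("can reach unencrypted customer data")
    return score, reasons


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Findings ordered by business risk, highest first; ties keep input order."""
    return sorted(findings, key=lambda f: business_risk(f)[0], reverse=True)


def assign(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group the prioritized findings by the engineer who introduced them,
    so each person receives their own queue in priority order."""
    queues: Dict[str, List[str]] = defaultdict(list)
    for f in prioritize(findings):
        queues[f.introduced_by].append(f.id)
    return dict(queues)


# Constructed sample findings (every value below is made up for this example).
SAMPLE_FINDINGS = [
    Finding("F-1", "high", "billing-api", True, True, True, False, "alice"),
    Finding("F-2", "high", "reports", True, False, True, True, "bob"),
    Finding("F-3", "critical", "prototype", False, False, False, True, "alice"),
    Finding("F-4", "high", "web-frontend", True, True, False, True, "carol"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        score, reasons = business_risk(f)
        print(f"{f.id} ({f.repo}) score={score}: " + "; ".join(reasons))
    for owner, ids in assign(SAMPLE_FINDINGS).items():
        print(f"{owner}: {ids}")
```

Running the script ranks F-1 (high severity, in production, internet-facing, reading unencrypted customer data) first and the scanner-"critical" F-3 (an unreleased prototype touching no data) last, which is the point of the section: the reasons list is the argument a security team can bring to sprint planning, and the per-owner queues are the assignment step.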

How to Automate This Prioritization Process

Alright, you’ve defined which vulnerabilities are the riskiest to your business, now what? Going through this process in your head every time you look through a list of alerts is inefficient and exhausting.

Instead, translate those criteria into automated, prioritized alerts with JupiterOne. Let’s walk through an example.

Let’s search in JupiterOne for…

What high public vulnerabilities are in unencrypted sensitive data?

FIND Finding WITH severity = 'high'
  THAT HAS CodeRepo
  THAT DEFINES Function WITH tag.Production = true
  (THAT PROTECTS Firewall WITH ingressRules ~= '0.0.0.0/0' OR egressRules ~= '0.0.0.0/0')?
  THAT ASSIGNED AccessRole
  THAT ASSIGNED AccessPolicy
  THAT ALLOWS AS a Datastore WITH classification != 'public' AND encrypted != true
  WHERE a.actions ~= 'Get'
RETURN TREE

We can turn this search into an ongoing alert by clicking the bell icon and configuring an alert that monitors this query on an ongoing basis.

Is this something you know will always require remediation? You can configure a ticket to be created every time an internet-facing code vulnerability is discovered.

JupiterOne: Context + Alerts = Clear Priorities

Ready to see the context surrounding your assets and alerts? JupiterOne offers free and paid versions of our cyber asset attack surface management platform, and we’d love to show you around. For a demo or quick set up help, schedule a call with us.

Sarah Hartland

Sarah is the Director of Demand Generation at JupiterOne. She has been a content creator and curator since 2012, with experience in the media, adtech, and cybersecurity industries. Sarah is passionate about making technical concepts accessible for all.
