How to prioritize vulnerabilities by real business impact

By

Nobody would argue that vulnerability scanners are a negative addition to the cybersecurity landscape. These days, it’s much easier to catch vulnerabilities and be alerted in near-real time to their presence. But this has become a double-edged sword for vulnerability managers, who are now overloaded with hundreds, even thousands of vulnerability findings that all scream “CRITICAL!”

And when 80% of your vulnerabilities are critical/high, well, none of them are.

Teams can manually prioritize vulnerabilities, but the sheer volume that security practitioners face  daily makes this not just tedious but even impossible.

There are two things security leaders need to do to  help their teams use their time effectively: use context to prioritize which vulnerabilities matter, and then assign those vulnerabilities to the right person, in the right order.

Use Business Context to Prioritize Vulnerabilities That Matter

A locksmith can tell you that 50% of the locks in your home are faulty, but only you can determine which locks matter to you (the front door, your safe, etc.) vs. the lock on the storage shed in the backyard. Similarly, vulnerability scanners can identify more risks from code, workload, and servers and devices than ever before, but that’s all it can do. Scanners lack the business context to know which vulnerabilities are related to critical assets, core projects, customer data, or being publicly exploitable.

You need to see vulnerabilities in the context of real business impact to prioritize which ones really matter. The best practice is to (1) identify the high-risk vulnerabilities, then determine if they are (2) exploitable by bad actors, and (3) may have a real impact on the business.

JupiterOne CEO and founder, Erkang Zheng, explains why vulnerability context matters when working across the business: “Security teams go into these sprint planning meetings with the engineering teams, and they say, ‘You need to spend 10% of your time next sprint fixing these vulnerabilities.’ But in most cases, it is difficult for the security team to make that case. Because the security team does not have the right context to bring to the business or the engineering teams to say, ‘This is why this finding matters. This is why you should spend your time on this.’ Everyone wins if security teams can bring the business context to that discussion.”

Only you can determine what matters most to your business, but the important thing is that you specifically define which assets are critical, and which alerts should be high priority.

Some examples of highest priority vulnerabilities may be:

The second part of each example is the context that is typically missing from these discussions.

  • The vulnerable code needs to be patched ASAP because it is already in production.
  • Vulnerabilities that could expose customer data are urgent priorities because of the impact of exposing said data.
  • Vulnerable code that’s in an internet-facing workload may be easier to exploit because it is internet-facing.

These criteria give you and your team clarity, but the additional context also bridges the gap between the security and engineering teams so you can fix what matters most.

The good news is, you can automate this prioritization process for the future to focus on fixing what’s broken rather than deciding what matters. More on that shortly.

Assign Vulnerabilities to the Right Person, in the Right Order

In addition to making a clear case for why a vulnerability matters, you can save time and create alignment between your security and engineering teams by assigning patches to the right people, in the right order.

Who is already working on the project? Who wrote the vulnerable code in the first place? Which pull request introduced the vulnerability? You can ask these questions in a sprint meeting, but if you’re using JupiterOne, you can also automatically see these details associated with each finding.

vulnmgmt

How to Automate This Prioritization Process

Alright, you’ve defined which vulnerabilities are the riskiest to your business, now what? Going through this process in your head every time you look through a list of alerts is inefficient and exhausting.

Instead, translate those criteria into automated, prioritized alerts with JupiterOne. Let’s walk through an example.

Let’s search in JupiterOne for…

What high public vulnerabilities are in unencrypted sensitive data?

FIND Finding WITH severity = 'high'

 THAT HAS CodeRepo

 THAT DEFINES Function WITH tag.Production = true

 (THAT protects Firewall WITH ingressRules~= '0.0.0.0/0' OR egressRules~= '0.0.0.0/0')?

 THAT ASSIGNED AccessRole

 THAT ASSIGNED AccessPolicy

 THAT ALLOWS AS a Datastore WITH classification != 'public' AND encrypted != true

 WHERE a.actions ~= 'Get'

return tree

We can turn this search into an ongoing alert by clicking the bell icon and configuring an alert that monitors this query on an ongoing basis.


Is this something you know will always require remediation? You can configure a ticket to be created every time an internet-facing code vulnerability is discovered.

JupiterOne: Context + Alerts = Clear Priorities

Ready to see the context surrounding your assets and alerts? JupiterOne offers free and paid versions of our cyber asset attack surface management platform, and we’d love to show you around. For a demo or quick set up help, schedule a call with us.

Sarah Hartland
Sarah Hartland

Sarah is the Senior Demand Generation Manager at JupiterOne. She has been a content creator and curator since 2012, with experience in the media, adtech, and cybersecurity industries. Sarah is passionate about making technical concepts accessible for all.

Keep Reading

JupiterOne and AWS together help customers strengthen security posture
November 30, 2022
Blog
JupiterOne and AWS together help customers strengthen security posture

To help organizations of all sizes secure their cloud assets, JupiterOne announced a number of key initiatives with AWS this week at re:Invent.

How to visualize your data by use case with JupiterOne
November 23, 2022
Blog
How to visualize your data by use case with JupiterOne

The new Properties Panel and Managed Dashboards in the JupiterOne platform empower you to prioritize speed, efficiency, and organization!

Security will give up on users as a line of defense in 2023
November 23, 2022
Blog
Security will give up on users as a line of defense in 2023

In a recent debate on cybersecurity predictions for 2023, panelists disagreed on plenty. But they agreed: in 2023, security will give up on users as a line of defense

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.