Contextual Prioritization for Vulnerability Management

A day in the life of a cyber security analyst involves assessing, tracking, and remediating vulnerabilities across the organization’s systems. A team might employ dozens (if not more) of tools and processes that allow them to discover assets, scan for vulnerabilities, and try to bubble up the most pertinent findings to the top of the prioritization list. Vulnerability and infrastructure scanners, asset discovery products, and penetration testing are all common tools in the security analyst’s toolbox, but simply coordinating all the activities can be a full-time job, and that’s before any of the analysis or triage of discovered vulnerabilities that is mandatory to keep the organization secure.

In the past few years, and driven by the staffing shortage, automation has become a “must have” for any security-related technology; the number of potential problems in an organization’s environment is just too numerous for manual vulnerability management. Companies with a history of products in the vulnerability management/asset management space have been hard at work retooling their offerings to be more efficient and effective at not just finding the “what,” but also delivering a “why” so that analysts have a clearer action plan for managing their ever-growing environments.

Building off their experience in pen testing and development for enterprise organizations, Delve’s founders wanted to create a vulnerability management solution that could scale to today’s networking and connected technology ecosystem needs. On a call with the Delve team, COO Norman Menz said, “our founders wanted to apply a modern way of thinking to vulnerability management. The space had gotten stale, and the problem generally isn’t understanding what’s broken. [Security analysts] struggle with trying to determine what to fix first.”

And it’s true that when looking at a list of 722 “critical” alerts (or even 72!) it’s easy to become overwhelmed and start with the easiest task. Yet, what’s easiest may not always be the most important, but “most important” can be subjective. This is what drives Delve.

Overcoming deficiencies in the CVSS

The Common Vulnerability Scoring System (CVSS) is the accepted authority on known vulnerabilities and severity ratings for many security professionals. However, while the CVSS is commonplace, several problems exist with using it as the guideline for understanding risk and prioritizing remediation in one’s own environment. For one thing, the CVSS severity rating is subjective and not based on an individual organization’s assets, the value of those assets, the business’ risk tolerance, or other connected systems in the environment that might be vulnerable and thus compound risk. Second, the CVSS was never intended to be a risk metric! The tool evolved into a scoring system because security analysts needed a starting point, but the CVSS can’t be customized for each organization’s distinct environment.

For the best-resourced teams, it might be feasible for an analyst (or team of analysts) to create vulnerability risk scores and a prioritization list from the CVSS. But doing so would take countless people hours and nearly unlimited knowledge of every vulnerability published—which is untenable for most. Building a manageable, easy-to-use tool is what Delve aims to tackle with its machine learning-driven, autonomous discovery and scanning platform.

More than continuous scanning

Pierre-David Oriol, VP of Product, explained to me that while autonomous scanning is the foundation of the platform, it is only the starting point. “With autonomous scanning alone, our customers only found more vulnerabilities on their networks. That wasn’t solving the problem or helping them be more secure. Heavily driven by machine learning, our product has shifted the emphasis from autonomous discovery and scanning to vulnerability prioritization. We wanted to build a platform that tells operators what’s most critical based on context.”

Delve starts with the CVSS, of course, but then adds what the company calls “contextual prioritization.” In effect, what Delve does is enrich the CVSS with site-specific data collected through its automated scanning component and analyzed with machine learning. Delve incorporates over 35 asset attributes into the analysis so that risk can be contextualized based on current environment conditions: what assets are present, relationships with peer assets, dependencies, authorization and exploitability, patch levels, behavioral indicators, pivot potential, known payloads, external threat intelligence and more.

Oriol walked me through an example of how Delve would handle a vulnerability whose CVSS severity rating started at 9—a seemingly high priority. After contextualizing the CVSS score with information gathered from the customer’s real-time environment, the risk was re-scored to a 5.9. “You can see how risk changes as context is added and how user actions affect the environment,” he explained. The risk score, therefore, is a tailored score for each customer.
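To make the idea of contextual re-scoring concrete, here is a small illustrative model written for this article. It is not Delve’s algorithm (the multipliers, attribute names, and sample findings are all constructed assumptions, and Delve uses machine learning over more than 35 attributes rather than fixed weights); it only shows how a handful of the attributes named above (exposure, authorization, exploitability, asset value, peer dependencies, patch state) can push a CVSS 9.0 finding below a CVSS 7.2 finding once context is applied.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Asset:
    """Environment context about the host that carries a finding (constructed fields)."""
    name: str
    business_value: float    # 0.0 .. 1.0, how much the business depends on this asset
    internet_exposed: bool   # reachable from outside the perimeter
    peer_dependencies: int   # downstream assets that rely on this one (pivot potential)
    patched: bool            # the relevant patch is already applied


@dataclass
class Finding:
    """One vulnerability instance on one asset."""
    cve: str                 # placeholder identifiers below, not real CVEs
    asset: Asset
    cvss_base: float         # 0.0 .. 10.0 base severity from the CVSS
    exploit_public: bool     # public exploit or known payload exists
    requires_auth: bool      # attacker needs valid credentials to reach the flaw


def contextual_score(f: Finding) -> float:
    """Re-score a CVSS base score with environment context.

    Multipliers are illustrative assumptions chosen for this example; the point is
    that the same base score lands in different places depending on context.
    """
    score = f.cvss_base
    # Exposure and authorization: internal-only, credential-gated flaws are less urgent.
    if not f.asset.internet_exposed:
        score *= 0.75
    if f.requires_auth:
        score *= 0.85
    # Exploitability: a public exploit raises urgency.
    if f.exploit_public:
        score *= 1.15
    # Asset value scales between 60% and 100% of the running score.
    score *= 0.6 + 0.4 * f.asset.business_value
    # Pivot potential: each dependent peer adds 3%, capped at ten peers.
    score *= 1.0 + min(f.asset.peer_dependencies, 10) * 0.03
    # Patch state: an already-patched asset keeps only residual risk.
    if f.asset.patched:
        score *= 0.2
    return round(min(score, 10.0), 1)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Order findings by contextual score, highest first."""
    return sorted(findings, key=contextual_score, reverse=True)


# Constructed sample environment: three findings on three assets.
DEV_FINDING = Finding(
    cve="CVE-PLACEHOLDER-DEV",
    asset=Asset("dev-build-box", business_value=0.3, internet_exposed=False,
                peer_dependencies=0, patched=False),
    cvss_base=9.0, exploit_public=False, requires_auth=True,
)
PAYMENT_FINDING = Finding(
    cve="CVE-PLACEHOLDER-PAY",
    asset=Asset("payments-gateway", business_value=1.0, internet_exposed=True,
                peer_dependencies=6, patched=False),
    cvss_base=7.2, exploit_public=True, requires_auth=False,
)
PATCHED_FINDING = Finding(
    cve="CVE-PLACEHOLDER-WEB",
    asset=Asset("public-web", business_value=0.8, internet_exposed=True,
                peer_dependencies=2, patched=True),
    cvss_base=9.8, exploit_public=True, requires_auth=False,
)
SAMPLE_FINDINGS = [DEV_FINDING, PAYMENT_FINDING, PATCHED_FINDING]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.cve:22} on {f.asset.name:18} CVSS {f.cvss_base:4.1f} -> context {contextual_score(f):4.1f}")
```

Run as-is, the CVSS 7.2 finding on the exposed payments gateway with a public exploit comes out on top (9.8), the CVSS 9.0 finding on an internal, credential-gated dev box drops to 4.1, and the CVSS 9.8 finding on an already-patched web host falls to 2.2. Any real implementation would replace the hand-picked weights with data from the environment, but the ordering change is the effect the article describes.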

Reduce vulnerability management overload

Delve is offered as SaaS and uses one or more virtual Edge Services if the customer wants to perform internal scans from the cloud. All discovery and scanning capabilities are proprietary, which differentiates the platform from other products in the space that integrate with outside scanners or asset discovery tools. That said, Delve integrates with ticketing systems like Jira so that analysts can track remediation efforts.

The asset discovery and risk-based vulnerability management spaces are filled with product offerings, leaving end users with a long list of features to evaluate. Delve does a nice job of combining intelligent scanning, vulnerability prioritization, and remediation planning all in one so that analysts can focus on the highest priorities first—and have confidence that they’re not missing a critical alert due to vulnerability management overload. If your company needs a better way to not just find vulnerabilities but to prioritize fixing them and driving down risk, give the team at Delve a call and request a demo. Then, as always, let us know what you think.