Need for machine curated vulnerability intelligence

A central pillar in any cyber resilience strategy is the idea of cyber hygiene: proactive actions to reduce the attack surface thereby reducing (but never eliminating) the probability of a compromise. Vulnerability Management is one of the most important components of a Cyber Hygiene program.  Per Wikipedia Vulnerability management is the “cyclical practice of identifying, classifying, prioritizing, remediating, and mitigating” software vulnerabilities. This practice typically relies on a source of vulnerability intelligence which catalogs known vulnerabilities and provides insights on exploitability, severity, known remediations or workarounds and more.

Current approach and why it’s broken

Vulnerability management vendors today rely on a team of human researchers to curate vulnerability intelligence. They build this catalog and update it every so often by scouring the threat landscape. This is akin to early days on the web when we used the yellow pages model to catalog the web and all the destinations on the web. Remember Yahoo yellow pages? Well we soon realized that the web and the internet was too vast and too dynamic for human curation to keep up. We then deployed software bots to crawl the web and built a dynamic, searchable catalog. We reduced the latency/lag between new information sources becoming available and their availability and use.

A great defensive strategy in basketball requires you to “move fast and protect the paint”.  You need to move fast in order to get to the ball before the adversary. You need to protect the paint because that is the most important area and helps you prioritize your efforts and prevent the adversary from scoring a basket.

Modern cybersecurity and cyber hygiene programs can benefit from the same approach.

Move fast (Speed)

The goal of a vulnerability management program is to race against the adversary to remediate the vulnerabilities they may exploit to get in. Speed is essential.  Speed is also hard. Why?

• Software is eating the world and as such the number of vulnerabilities created every year keeps growing. Speed is hard because the scope of the information to be analyzed is big and growing. A lot of the vulnerability information also lives on the dark web and is not readily accessible.  It is simply too hard for hard for humans to keep up with this growth and obscurity.
• In the past vulnerability management was the domain of IT operations only. We only focused on run time. Now in the world of DevOps, operations is getting puled into build time and the objective is to remediate as many vulnerabilities during build time. So with the faster cycle time of innovation, the window of build time during which to look for vulnerabilities is getting compressed.

Relying on humans to curate vulnerability intelligence will lead to delays, errors and omissions. Machines/Bots are much better equipped to work on a 24×7 basis to scale to the hundred of thousands of information sources (structured, semi-structured and unstructured). This will improve the throughput of the analysis and reduce the latency/lag between new vulnerability information surfacing on the internet and the availability of intelligence about it. Bots can help us move fast!

Protect the paint (Focus)

A typical security operations team is only able to review 40-50% of the cyber incidents. A typical enterprise vulnerability management program can patch less that 20% of known vulnerabilities in a month. So success boils down to prioritization and focus. We must focus our energy on the vulnerabilities that are most likely to be exploited at each point in time on the IT assets that matter the most. This requires correlation of our business context with dynamic information from the web on what the threat actors are up to. This is a big data problem. Fortunately machines are well equipped to help prioritize vulnerabilities using ML/AI models at the same speed at which these surface.