
Using Breach and Attack Simulation to Effectively Prioritize Vulnerabilities


Yotam Ben Ezra

February 19th, 2020

Vulnerability management (VM) teams live a tough reality every day that could faze lesser mortals. They must run a race they can never win, in an absolute sense. The vulnerabilities are simply too numerous to patch all of them, all of the time.

Forget perfection. The VM team’s goal must be to reduce the attack surface that’s available to exploit, and ensure that the minimized attack surface is as inconsequential as possible. As a result, vulnerability prioritization has become a crucial function to enable patching programs and VM teams to reduce the attack surface.

Traditionally, vulnerabilities were prioritized by two main factors:

  • the impact of the vulnerability
  • the importance of the vulnerable asset

For example, a business-critical server with a high-severity vulnerability, such as code execution, would have been prioritized over a non-critical user machine with a lower-impact vulnerability, such as information gathering. If an enterprise had just two vulnerabilities, that would be an easy choice for a VM team to make.


Too many [bad] fish in the sea

With dozens or hundreds of vulnerabilities to face every day, your VM experts cannot prioritize them manually, even with the keenest judgment skills, simply because enterprises have too many critical vulnerabilities on important systems.

This ubiquitous problem led to the emergence of Risk-Based Vulnerability Management technologies, which help VM teams to further prioritize their efforts based on threat intelligence. Risk-based VM looks at how much each vulnerability has been exploited in real breaches out in the real world, across many organizations. That helps answer the question: “How likely is it that we will face an attack upon a particular vulnerability?”


How risk-based Vulnerability Management falls short

Risk-based VM does not, however, give the complete picture that VM teams need. It is useful because it helps teams focus on the vulnerabilities that are at the highest risk of being targeted. It falls short in this regard: modern organizations don’t rely solely on patching software to protect themselves from attackers. They place a variety of security controls in their network to make sure the attack surface is minimized. These controls, whether they are network, endpoint or email controls, provide their own layers of protection and must be updated regularly to account for vulnerabilities and maintain access control.

These security controls change the priorities of vulnerabilities. Here’s why: a vulnerability, even a significant one, that is already protected by your network inspection control should be prioritized lower than one that is unprotected. Hence, a vulnerability prioritization process, to be complete and effective, needs to take into account the organization’s security controls and protections, and the overall attack surface across the organization. All this must be added to the prioritization mix.

[Figure: R_TxVxC.png]

In order to understand your organization’s true risk related to a software vulnerability, take into account the security controls and potential impact of an attack.


What’s the blast radius?

Another aspect of the risk associated with a vulnerability relates to the blast radius that would result if a particular exploitation succeeds. If an attacker exploits a vulnerability in an asset that by itself is not critical, that presents a lower risk. However, if the low-value asset can easily access critical data, then the risk and priority of that vulnerability spike higher.


Integration of Vulnerability Management with Breach and Attack Simulation (BAS)

BAS tools are able to simulate attacks across the enterprise and provide security control validation and visibility of the organization’s security posture. Attacks run by BAS tools trigger the security controls and provide an organization-wide view of the security posture. This comprehensive picture takes into account all the security controls the organization has deployed, and their actual ability to stop attacks.

By continuously testing the organization’s behavior and resilience to various attacks, BAS gives an up-to-date understanding of how likely it is that specific vulnerabilities could be exploited successfully. This determination takes into account the organization's overall protection strategy and posture.

A BAS platform delivers visibility that is precisely the missing link in a complete understanding of the real risk associated with a vulnerability. By integrating BAS with vulnerability management tools, you have answers for the following critical questions:


  • The overall attack surface for the vulnerability. Is the vulnerability present in any highly exploitable environment?
  • External reachability. Is the vulnerability exploitable from outside the organization by an external attacker?
  • Critical segments impact. How likely is a vulnerability to give an attacker the ability to successfully access a critical asset?
  • Blast radius. If successful exploitation occurs, what is the attacker’s potential reach throughout the organization?

SafeBreach integrates with vulnerability management systems to automatically overlay the above information atop vulnerability data. The integration ingests the results of vulnerability scans and augments them with SafeBreach findings from thousands of breach and attack simulations. The end result is a prioritized set of vulnerabilities:

[Figure: VulMgmt.png]

The integration allows for considerable flexibility. The user can adjust prioritization parameters to focus on what matters the most, e.g. critical exposure, external access, or attack surface. In addition, the reports of prioritized vulnerabilities can be viewed or exported to external systems, where they can be augmented with other risk and prioritization data.

The SafeBreach integration is fully automated, allowing the platform to interact with several of the leading VM tools and their APIs.
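
The overlay described in this section, as an added example that is not SafeBreach's code or scoring model: scanner findings are re-ranked using simulation results for control coverage, external reachability, critical-segment access and blast radius. The asset names, `VULN-*` identifiers, path data and weights are all constructed assumptions.

```python
from collections import deque

# Constructed sample data; asset names and VULN-* ids are placeholders.
FINDINGS = [  # vulnerability scanner output: asset, finding, severity (0-10)
    {"asset": "web01", "vuln": "VULN-A", "severity": 9.8},
    {"asset": "db01", "vuln": "VULN-B", "severity": 9.8},
    {"asset": "hr02", "vuln": "VULN-C", "severity": 7.5},
    {"asset": "ws17", "vuln": "VULN-D", "severity": 6.5},
]
# Simulation results: findings whose simulated exploitation a control stopped.
BLOCKED = {("web01", "VULN-A")}
# Simulated moves that no control stopped, as directed edges between assets.
OPEN_PATHS = {"internet": ["web01", "ws17"], "ws17": ["fs01", "db01"], "fs01": ["db01"]}
CRITICAL = {"db01"}
# Assumed weights; a real program would tune these to its own risk appetite.
WEIGHTS = {"external": 2.0, "critical": 3.0, "per_reachable_asset": 0.5, "blocked": 0.2}

def blast_radius(asset, paths):
    """Assets reachable from `asset` over unblocked simulated moves (BFS)."""
    seen, queue = set(), deque([asset])
    while queue:
        for nxt in paths.get(queue.popleft(), []):
            if nxt != asset and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def prioritize(findings, blocked, paths, critical, weights=WEIGHTS):
    """Return findings sorted by severity adjusted with simulation context."""
    external = set(paths.get("internet", []))  # directly reachable from outside
    ranked = []
    for f in findings:
        radius = blast_radius(f["asset"], paths)
        score = f["severity"]
        if f["asset"] in external:
            score += weights["external"]
        if f["asset"] in critical or radius & critical:
            score += weights["critical"]
        score += weights["per_reachable_asset"] * len(radius)
        if (f["asset"], f["vuln"]) in blocked:
            score *= weights["blocked"]  # a validated control lowers priority
        ranked.append({**f, "external": f["asset"] in external,
                       "blast_radius": sorted(radius), "score": round(score, 2)})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)

if __name__ == "__main__":
    for row in prioritize(FINDINGS, BLOCKED, OPEN_PATHS, CRITICAL):
        print(row["score"], row["asset"], row["vuln"], row["blast_radius"])
```

With this sample data, the severity 6.5 finding on `ws17` ranks above the severity 9.8 finding on `web01`, because the workstation has an open simulated path to the critical database while the web server's exploit was blocked by a control.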


Summary

Integrating BAS data with VM data gives CISOs and VM teams the complete picture they need. The combination enables risk-based vulnerability management that is based on the organization’s actual, overall, and current security configuration and posture. Perhaps most important, it helps security teams focus on what really matters at any given moment. This can make a substantial difference in the organization’s protection strategy and its effectiveness.