How to Manage Cyber Vulnerabilities Beyond CVSS – NorthStar

Taming the Vulnerability Overload

As vulnerability management has matured as a process, CVE IDs and CVSS scores have become the standard for classifying, managing, and remediating vulnerabilities.  While this provides a rudimentary framework for vulnerability remediation, numerous issues emerge as asset counts and data volumes dramatically increase, making it difficult to prioritize remediation efforts.

While CVSS scores are important data points, they are not absolute. They must be contextualized to your organization’s specific needs to make it real to you; otherwise it’s just another number.

Going Beyond CVSS

The current model for assessing and prioritizing vulnerabilities based on technical risk alone with CVSS is deeply inadequate for several reasons. First, asset criticality data was too simplistic and lacked the nuance to capture deep organizational dependencies and relationships.  Second, importance, as a concept, was largely decided by the business leaders as opposed to IT leadership. Third, CVSS is a poor measure for capturing emerging threats and temporal characteristics (ex. “This CVE has actively been exploited within the last 30 days.”).

NorthStar Navigator was designed to improve current vulnerability management and remediation processes in two key areas:  

  1. The focus on CVE identified vulnerabilities is too narrow to adequately express and, in turn, respond to the current threat landscape. Vulnerability teams and products should broaden their focus to address all exposures:  asset vulnerabilities, application vulnerabilities, missing patches, and misconfigurations on assets and business services.
  1. Understanding the business value and potential consequences associated with an asset or business service cannot be adequately measured on the same scale as vulnerabilities.  Measured on its own and independently calculated, business importance can more accurately express both the value and risk associated with an organization’s assets and services.

The NorthStar platform recognizes that these to aspects of vulnerability management are holding organizations back from truly proactive and meaningful vulnerability management and remediation.

To address these issues, NorthStar tackled the prioritization process along several fronts:

  • Integrated Threat Intelligence – NorthStar has partnered with the leading threat intelligence provider to automatically enrich the vulnerability and asset data NorthStar already ingests.
  • A new prioritization model that enables customers to manage their vulnerability prioritization process through easy-to-understand and powerful rules engine.  These rules allow customers a greater level of control over the prioritization process as asset, vulnerability, patching, threat intelligence, compensating controls and exception data is merged to form a cohesive, coherent, and transparent prioritization process.
  • Support for Compensating Controls and Exceptions – NorthStar’s prioritization model now incorporates data about compensating controls and exceptions to further allow for customers to refine their prioritization process. This additional support allows for customers to drive the severity of a vulnerability, an asset, or a specific instance of a vulnerability on an asset according to set of predefined rules that are automatically applied.

A Better Way to Manage Vulnerabilities

As RBVM programs have begun to mature, there has been shift from older CVSS only based programs towards vulnerability prioritization by the incorporation of external threat intelligence. However, many organizations that have adopted this style of vulnerability management program have come to the same conclusion: Simply adding in threat intel does not equate to true prioritization.  The key to unlocking the power of threat intel lay within the context of business importance.  With business importance, organizations are able to better reduce the number of lower priority vulnerabilities and distill out an actionable and effective remediation plan.  The following is an example of this evolution in vulnerability management.

NorthStar Navigator provides true, mature Risk-Based Vulnerability Management

From a starting sample size of 1.23 million unique instances of vulnerabilities in this sample organization, NorthStar was able to determine only 0.068% (834) of the vulnerabilities discovered in the environment were of a critical priority and required immediate action.  This significant reduction highlights the impressive flexibility of the NorthStar model and empowers vulnerability management efforts by breaking down the large list of vulnerabilities into a manageable, laser-focused list that shows how to drive action to best protect the organization.

NorthStar Navigator was created to maximize the effectiveness of remediation efforts by focusing organizations on the problems that really matter and providing clear, actionable paths to remediation and lower overall risk.

Ready to experience the power of NorthStar Navigator? Click here