How to prioritize Cloud Native Vulnerabilities

Vulnerabilities in cloud-native components such as container images can be detected using open-source tools such as Grype and Trivy, among others. Kubernetes has also announced an alpha version of its vulnerability feed.

Remediation efforts, such as patching servers for vulnerabilities identified in cloud-native environments, are often resource-intensive. IT administrators therefore need a risk-based scoring mechanism to prioritize those efforts. Considering the raw vulnerability score alone, without the asset context or organization context, is not an optimal way of prioritizing vulnerabilities. In fact, research has shown that it is counter-productive in managing risk.

How not to Prioritize 

CVSS

The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental. These parameters describe the characteristics of the vulnerability, so at most a CVSS score is a vulnerability score, not a risk score. The mere presence of a vulnerability does not mean risk. For example, consider a CVSSv3 score of 9.8, considered extremely critical, found on a Windows Server that holds minimal customer data, versus a CVSSv3 score of 7, considered moderate severity, found on a database server that contains most of your customer data. What if one CVE (Common Vulnerabilities and Exposures entry) has a known exploit and the other does not? What if the Windows Server is facing the Internet, whereas the database server is behind a VPN?

EPSS Score

The Exploit Prediction Scoring System (EPSS) is an open, data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. This score may at best estimate the future likelihood of a threat occurring, and it still does not consider asset and organization context, so it does not qualify as a risk score.

Social Media Intelligence 

Social media intelligence based tools such as CVE Trends depend on Twitter-based metrics to identify trending vulnerabilities. While it is useful to learn which vulnerabilities are trending, this metric, like CVSS, still lacks your asset and organization context.


Contextual Risk Scoring 

Risk Factors

To prioritize the vulnerabilities identified, the contextual risk factors below should be considered.

  1. Threat Context: A vulnerability is a threat only when an exploit is available. The likelihood of threat occurrence increases further when there is an active malware campaign exploiting the vulnerability.
  2. Organization Context: Depending on the industry and the geographies the organization operates in, the likelihood of a threat occurrence increases. This is due to the nature of how threat actors operate and their motivations. For example, malware exploiting a vulnerability in the SWIFT network will impact banking organizations.
  3. Asset Context: Not all assets are equally prone to threats; it depends on what controls exist. For example, a Windows Server behind a VPN is less likely to be exploited than a public Internet-facing one. Also, not all assets are equally important: if a threat event occurs, its impact depends on how important the asset is. For example, a SQL injection vulnerability on an e-commerce website processing commercial transactions could be devastating, whereas the same vulnerability on a read-only blog will have less impact.

A risk score should be computed for each vulnerability using the factors above.

How To Prioritize

  1. Each vulnerability should be contextualized using threat intelligence to identify the availability of an exploit, active malware campaigns, and the industries and geographies impacted.
  2. The asset's susceptibility to a cyber-attack should be assessed based on whether it is reachable from the Internet or sits behind existing security controls.
  3. The likelihood of threat occurrence should then be computed from both the enriched vulnerability parameters and the asset's susceptibility.
  4. The impact factor should be derived from how important the asset is in your infrastructure; each asset should be ranked.
  5. The risk score should now be computed from both the likelihood of threat occurrence and the impact.
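The following is an added example, not code from Seconize or from any of the tools mentioned above. It implements the five steps as a small scoring pipeline: threat intelligence enrichment, asset susceptibility, likelihood, impact, and a final risk score. All weights (the 0.1/0.5/0.3/0.2 threat factors, halving susceptibility per control, the 1 to 5 importance rank) are assumptions chosen for illustration, and the sample data is constructed to mirror the CVSS section's scenario: a 9.8 without a known exploit on an Internet-facing Windows server holding little data, versus a 7.0 with an active campaign against banking on a VPN-protected customer database. The CVE identifiers are placeholders.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Vulnerability:
    cve_id: str                      # placeholder IDs below, not real CVEs
    cvss_base: float                 # CVSSv3 base score, 0.0-10.0 (severity, not risk)
    exploit_available: bool          # threat intel: a public exploit exists
    active_campaign: bool            # threat intel: a malware campaign is using it
    target_industries: FrozenSet[str] = frozenset()
    target_regions: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool            # reachable directly from the Internet
    controls: int                    # compensating controls in front of it (VPN, WAF, ...)
    importance: int                  # organization's own ranking, 1 (low) .. 5 (crown jewel)


@dataclass(frozen=True)
class Organization:
    industry: str
    regions: FrozenSet[str]


def threat_context(vuln: Vulnerability, org: Organization) -> float:
    """Step 1: enrich with threat intelligence. Returns 0..1 (assumed weights)."""
    if not vuln.exploit_available:
        return 0.1                   # no exploit: a vulnerability, but barely a threat
    score = 0.5                      # exploit exists
    if vuln.active_campaign:
        score += 0.3                 # actively used in the wild
    if org.industry in vuln.target_industries or org.regions & vuln.target_regions:
        score += 0.2                 # the campaign targets our industry or geography
    return min(score, 1.0)


def asset_susceptibility(asset: Asset) -> float:
    """Step 2: exposure. Internet-facing = 1.0; each control halves it (assumed)."""
    base = 1.0 if asset.internet_facing else 0.4
    return base * (0.5 ** asset.controls)


def likelihood(vuln: Vulnerability, asset: Asset, org: Organization) -> float:
    """Step 3: likelihood of threat occurrence = threat context x susceptibility."""
    return threat_context(vuln, org) * asset_susceptibility(asset)


def impact(vuln: Vulnerability, asset: Asset) -> float:
    """Step 4: impact = ranked asset importance, scaled by severity (CVSS base)."""
    return (asset.importance / 5.0) * (vuln.cvss_base / 10.0)


def risk_score(vuln: Vulnerability, asset: Asset, org: Organization) -> float:
    """Step 5: risk = likelihood x impact, on a 0..10 scale for comparison with CVSS."""
    return round(10.0 * likelihood(vuln, asset, org) * impact(vuln, asset), 2)


def prioritize(findings: List[Tuple[Vulnerability, Asset]],
               org: Organization) -> List[Tuple[Vulnerability, Asset]]:
    """Return (vulnerability, asset) pairs sorted by contextual risk, highest first."""
    return sorted(findings, key=lambda f: risk_score(f[0], f[1], org), reverse=True)


# Constructed sample data mirroring the CVSS example in the text.
ORG = Organization(industry="banking", regions=frozenset({"IN", "SG"}))
WEB_CVE = Vulnerability("CVE-0000-0001", cvss_base=9.8,
                        exploit_available=False, active_campaign=False)
DB_CVE = Vulnerability("CVE-0000-0002", cvss_base=7.0,
                       exploit_available=True, active_campaign=True,
                       target_industries=frozenset({"banking"}),
                       target_regions=frozenset({"IN"}))
WINDOWS_WEB = Asset("win-web-01", internet_facing=True, controls=0, importance=1)
CUSTOMER_DB = Asset("cust-db-01", internet_facing=False, controls=1, importance=5)
FINDINGS = [(WEB_CVE, WINDOWS_WEB), (DB_CVE, CUSTOMER_DB)]

if __name__ == "__main__":
    for vuln, asset in prioritize(FINDINGS, ORG):
        print(f"{asset.name:12s} {vuln.cve_id} cvss={vuln.cvss_base:<4} "
              f"risk={risk_score(vuln, asset, ORG)}")
```

With these inputs the ordering reverses relative to raw CVSS: the 7.0 on the customer database scores 1.4 while the 9.8 on the low-value web server scores 0.2, because the database finding carries a live exploit, a campaign against the organization's own industry and geography, and a crown-jewel asset, whereas the 9.8 has no known exploit and sits on an asset that matters little. Swap the weights for ones calibrated to your own environment; the structure of the pipeline is what the five steps describe.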


Standardized scores such as CVSS and EPSS, or for that matter social media intelligence (such as Twitter trends), are not really risk-based scoring techniques. A risk scoring mechanism should consider the contextual risk factors above to get a better return on the resources available.


Copyright © 2024 Seconize Technologies Pvt Ltd. All rights reserved.