Must-Have Metrics for Vulnerability Management


By Ed Bellis

Security teams today are overwhelmed by the sheer number of vulnerabilities they are expected to mitigate. Poring over spreadsheets and producing oversized PDF reports is no longer enough to ensure that critical vulnerabilities are remediated in time. Security teams must apply organization-specific metrics to vulnerability management to handle the growing number of threats they face and to protect the organization from a breach. Creating and applying the right metrics means understanding a few key areas of your organization, particularly its business and its risk.

In order to understand which threats are the most dangerous and to estimate how likely exploitation is, these factors need to be understood within the context of your business. One way to apply this information is threat modeling. Knowing even basic attributes of your business and applications lets you begin to grasp which threats are most likely. Some simple examples include:

  1. What broad metadata do you have about the organization? Your industry vertical, size, and geography all play a role here.
  2. What information is processed by your application or assets, and what are the values and/or regulations around such information?
  3. How many people use an application? This is an often overlooked but critical attribute.
  4. What and where are the key assets to your business? Are there critical controls for these assets to protect confidentiality, integrity, or availability?
  5. Who are your adversaries and what are their capabilities? Occam’s Razor applies here: assume the simplest adversary that can plausibly reach you before the most exotic one.

Some useful metrics here include:

System Susceptibility

  • Value to Attackers
  • Vulnerabilities

Time to Compromise (attacker economics): How long would it take an attacker to compromise any of the key controls protecting these assets and applications?

Threat Accessibility

  • Access Points and Attack Surface

Threat Capability

  • Tools
  • Resources

Does your threat model include Alexa traffic rankings? Consider two applications: one used internally that holds sensitive information such as Social Security numbers, and one that holds only public data.

It would seem obvious that the application with sensitive data is the riskier of the two, but this isn’t always the case. If the public application has millions of users, every one of those users can be attacked through it. Factors like this need to be taken into account when developing vulnerability management metrics.

To build a working vulnerability management system, you need to know your risks. Relying on static scanner scores and counting total vulnerabilities won’t help anymore, because these methods don’t account for the constantly changing nature of today’s threats. A risk-based approach is a much more useful method.

To begin to understand your risk, you’ll at least need to be familiar with both likelihood and impact. A variety of different factors will go into this methodology. Some questions to ask include:

Asset Metadata: Do you understand who owns the asset, what the function of the asset is, and how it’s used? What’s the impact of losing the confidentiality, integrity, or availability of the asset? Which is the most important based on its function?

Vulnerabilities: What are the weaknesses and vulnerabilities tied to this asset or group of assets? How easy or difficult is it to exploit these weaknesses?

Threats: What are the threats associated with these security holes, and with your business in general? How skilled is your adversary, and what skills are required to exploit your weaknesses? How widely are these vulnerabilities being exploited in the wild? Are you likely to be hit by a “drive by”?

A single, unified risk score for your entire environment should be created, based on real-time exposure to risk. Beneath this score, it should be possible to drill down into specific asset groups and individual categories.

It is important to track your risk over time. This will allow you to see if your risk is trending up or down as time goes by. The ability to show reduced exposure to risk over time can highlight your security team’s efficiency and abilities.

Some useful metrics here include:

  1. Risk by asset group, both current and trending over time
  2. Mean time to risk reduction, where a specific reduction in risk is the target or goal
  3. Time to remediate high risks, broken down by asset group
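The following is an added worked example, not code from the original post or from Kenna Security. It puts numbers on two passages above: the public-app-versus-internal-app comparison (a large user base adds value to attackers even when the data is public) and the three risk metrics just listed (risk by asset group over time and time to remediate high risks by group). The weighting scheme (likelihood from exploitability, in-the-wild activity and required skill; impact from a CIA weight scaled by the order of magnitude of the user base), the high-risk threshold, the asset names and the vulnerability identifiers are all illustrative assumptions constructed for this example.

```python
# Added worked example (not from the original post): a small risk-based
# vulnerability metrics model over constructed sample data.
# All weights, scales, thresholds and sample findings are illustrative assumptions.
from dataclasses import dataclass
from datetime import date
from math import log10
from typing import Dict, List, Optional

HIGH_RISK_THRESHOLD = 30.0   # assumed cut-off for "high risk" on a 0..100 scale


@dataclass
class Asset:
    name: str
    group: str          # asset group used for roll-ups, e.g. "internal", "public"
    owner: str          # who owns the asset (asset metadata)
    cia_impact: int     # 1..5: worst-case loss of confidentiality/integrity/availability
    users: int          # how many people use it (the often overlooked attribute)


@dataclass
class Finding:
    asset: Asset
    vuln_id: str             # placeholder identifier, not a real CVE
    exploitability: float    # 0..1: how easy the weakness is to exploit
    exploited_in_wild: bool  # is it being exploited in the wild ("drive by")?
    skill_required: int      # 1 (commodity tooling) .. 5 (expert adversary only)
    found: date
    fixed: Optional[date] = None


def likelihood(f: Finding) -> float:
    """Threat side: exploitability, in-the-wild activity and required skill."""
    threat = 1.0 if f.exploited_in_wild else 0.5
    skill = (6 - f.skill_required) / 5      # 1.0 when trivial, 0.2 when expert-only
    return f.exploitability * threat * skill


def impact(a: Asset) -> float:
    """Impact side: CIA weight scaled by the order of magnitude of the user base.

    A public app with millions of users has value to attackers even when its
    data is public, because every one of those users can be attacked through it."""
    user_factor = min(log10(max(a.users, 1)), 7.0) / 7.0   # 0..1, capped at 10M users
    return (a.cia_impact / 5) * (0.5 + 0.5 * user_factor)


def risk(f: Finding) -> float:
    """Risk = likelihood x impact on a 0..100 scale, one decimal."""
    return round(100 * likelihood(f) * impact(f.asset), 1)


def is_open(f: Finding, day: date) -> bool:
    return f.found <= day and (f.fixed is None or f.fixed > day)


def prioritize(findings: List[Finding], day: date) -> List[Finding]:
    """Open findings on `day`, highest risk first: the remediation queue."""
    return sorted((f for f in findings if is_open(f, day)), key=risk, reverse=True)


def risk_by_group(findings: List[Finding], day: date) -> Dict[str, float]:
    """Current risk per asset group (every group present, zero if nothing is open)."""
    totals = {f.asset.group: 0.0 for f in findings}
    for f in findings:
        if is_open(f, day):
            totals[f.asset.group] += risk(f)
    return {g: round(v, 1) for g, v in totals.items()}


def risk_trend(findings: List[Finding], days: List[date]) -> List[Dict[str, float]]:
    """Risk by group at each sample date, so you can see whether it trends up or down."""
    return [risk_by_group(findings, d) for d in days]


def mean_days_to_remediate_high(findings: List[Finding], group: str) -> Optional[float]:
    """Mean days from discovery to fix for closed high-risk findings in one asset group."""
    durations = [(f.fixed - f.found).days for f in findings
                 if f.asset.group == group and f.fixed is not None
                 and risk(f) >= HIGH_RISK_THRESHOLD]
    return sum(durations) / len(durations) if durations else None


# Constructed sample data: an internal HR app holding SSNs (few users) and a
# public catalogue holding only public data (millions of users).
HR_APP = Asset("hr-portal", "internal", "people-ops", cia_impact=5, users=200)
CATALOGUE = Asset("catalogue", "public", "web-team", cia_impact=2, users=3_000_000)

FINDINGS = [
    Finding(HR_APP, "VULN-0001", 0.6, False, 4, date(2024, 1, 2), date(2024, 1, 20)),
    Finding(CATALOGUE, "VULN-0002", 0.9, True, 1, date(2024, 1, 5), date(2024, 1, 10)),
    Finding(HR_APP, "VULN-0003", 0.8, True, 2, date(2024, 1, 8), date(2024, 1, 22)),
    Finding(CATALOGUE, "VULN-0004", 0.3, False, 3, date(2024, 1, 3)),
]
AS_OF = date(2024, 1, 9)    # snapshot while most findings are still open
LATER = date(2024, 1, 25)   # snapshot after the high-risk findings were fixed

if __name__ == "__main__":
    for f in prioritize(FINDINGS, AS_OF):
        print(f"{risk(f):5.1f}  {f.asset.name:10s} {f.vuln_id}")
    print(risk_trend(FINDINGS, [AS_OF, LATER]))
    print("mean days to remediate high (internal):",
          mean_days_to_remediate_high(FINDINGS, "internal"))
```

On the 9 January snapshot the trivially exploitable, in-the-wild finding on the public catalogue (VULN-0002) ranks above the hard-to-exploit finding on the SSN-holding HR app (VULN-0001), which is the point of the Alexa example: a static "sensitive data wins" rule would have ordered them the other way. The two snapshots give the trend per group, and the mean-days figure is the "time to remediate high risks, broken down by asset group" metric; swap in your own weights and thresholds, since the ones here are only placeholders.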

Understanding the unique aspects of your organization, such as its threats in the context of the business and its risk, helps significantly when developing useful metrics for vulnerability management. In today’s world of rising threats and continuously increasing attacks, a new set of vulnerability management metrics is necessary to keep pace with the growth of potentially critical vulnerabilities. The appropriate set of numbers, metrics, and measurements allows an organization to meet the goal of identifying and reducing its overall exposure to risk.


About Ed Bellis

Ed Bellis is a security industry veteran and expert and was once named Information Security Executive of the year. He founded Kenna Security to deliver a data-driven risk-based approach to remediation and help IT teams prioritize and thwart would-be security threats.
