Researchers Find a Smarter Patching Tactic, But Decision Makers Still Need to Know Risk in Business Terms

June 6, 2019  Jeff B. Copeland

“Practitioners lack the ability to properly assess cyber risk and decision-makers continue to be paralyzed by vulnerability scanners that overload their staff with mountains of scan results,” says a new study from researchers at RAND, Virginia Tech and Cyentia Institute.

“…Firms struggle trying to develop and apply a remediation strategy that will optimally patch those vulnerabilities that pose the greatest risk, while also deprioritizing those vulnerabilities that pose the lowest risk.”

The researchers combed through a huge data set from a security firm that monitors more than 100,000 corporate networks, plus other sources, looking for vulnerabilities that actually had an exploit seen in the wild — just 5.5% of the vulnerabilities in the data set, as it turned out. Those vulnerabilities typically had CVSS scores of 9 or 10, indicating a deadly combination of easy to exploit and severe impact.

The researchers were then able to create a prediction model that could greatly focus remediation: “A firm seeking broad coverage of vulnerabilities that are exploited in the wild (e.g. 70%) can achieve this by remediating only (about) 7,900 vulnerabilities” as opposed to a 30,000 figure required by a conventional approach.

Well and good, but…vulnerabilities are not risks, and a vulnerability-focused approach to risk still leaves business decision-makers “paralyzed”.

Jack Jones, creator of the FAIR model for cyber risk quantification that powers the RiskLens platform, tackled the issue recently in an article for Homeland Security Today. “Risk is expressed in terms of the probable frequency of loss events and their impact, typically in economic terms like annualized loss exposure…Vulnerabilities only matter because they, to some degree, increase the potential frequency and/or magnitude of future loss events.”

Ideally, an organization would have risk ratings based on FAIR analysis for all its systems so it could prioritize patching based on the business processes supported by those systems — not by CVSS scores alone. Jack Jones writes, “Unfortunately, those scores are rarely highly correlated to risk and…misinform far more often than not…

“The common approach to vulnerability scoring is perhaps one of the most significant contributors to poor cybersecurity management today.”
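As an added illustration (not code from the study, RiskLens or the article), the following Python sketch contrasts the two prioritizations discussed above: ranking by CVSS alone versus ranking by FAIR-style loss exposure, i.e. probable loss event frequency times probable loss magnitude. The inventory, exploit probabilities and loss figures are constructed, the CVE identifiers are placeholders, and the exploit probability is assumed to come from a predictor like the one the study describes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    cve: str               # placeholder identifier (constructed, not a real CVE)
    cvss: float            # CVSS base score, 0-10
    p_exploit: float       # assumed exploit-prediction output: probability of an
                           # in-the-wild exploit against this asset within the year
    loss_magnitude: float  # FAIR probable loss magnitude if the asset is compromised (USD)

# Constructed inventory; the numbers are illustrative only.
INVENTORY = [
    Vuln("CVE-PLACEHOLDER-1", 9.8, 0.05, 20_000),     # critical score, lab box, rarely targeted
    Vuln("CVE-PLACEHOLDER-2", 9.1, 0.60, 2_000_000),  # critical score, core business system
    Vuln("CVE-PLACEHOLDER-3", 7.5, 0.40, 5_000_000),  # high score, payment processing host
    Vuln("CVE-PLACEHOLDER-4", 6.1, 0.01, 50_000),     # medium score, internal wiki
    Vuln("CVE-PLACEHOLDER-5", 9.6, 0.02, 10_000),     # critical score, throwaway test VM
]

def annualized_loss_exposure(v: Vuln) -> float:
    """FAIR-style risk: probable loss event frequency x probable loss magnitude.
    Assumption: at most one loss event per year, so p_exploit stands in for frequency."""
    return v.p_exploit * v.loss_magnitude

def prioritize_by_cvss(inventory):
    """Conventional approach: patch the highest CVSS scores first."""
    return sorted(inventory, key=lambda v: v.cvss, reverse=True)

def prioritize_by_risk(inventory):
    """FAIR approach: patch the largest annualized loss exposure first."""
    return sorted(inventory, key=annualized_loss_exposure, reverse=True)

def exposure_covered(ranked, budget):
    """Total annualized loss exposure addressed by patching the first `budget` items."""
    return sum(annualized_loss_exposure(v) for v in ranked[:budget])

def total_exposure(inventory):
    return sum(annualized_loss_exposure(v) for v in inventory)

if __name__ == "__main__":
    budget = 2  # patches the team can ship this cycle
    total = total_exposure(INVENTORY)
    for name, ranked in (("CVSS", prioritize_by_cvss(INVENTORY)),
                         ("FAIR", prioritize_by_risk(INVENTORY))):
        covered = exposure_covered(ranked, budget)
        print(f"{name}: patch {[v.cve for v in ranked[:budget]]} -> "
              f"${covered:,.0f} of ${total:,.0f} exposure ({covered / total:.1%})")
```

With a budget of two patches, the CVSS ordering spends both on the lab box and the test VM and retires almost none of the exposure, while the FAIR ordering picks the payment host and the core business system and retires nearly all of it.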

Read the study Improving Vulnerability Remediation Through Better Exploit Prediction by Jay Jacobs (Cyentia), Sasha Romanosky (RAND Corporation), Idris Adjerid and Wade Baker (both of Virginia Tech).