Vulnerability data comes in two flavors – scan data generated from vulnerability scanning and vulnerability disclosures from vendors. Both data sets are highly valuable in threat analysis and security operations as they direct us and focus us to look for specific threats that are highly relevant to the enterprise.
Vulnerability Scanning Data
When a vulnerability scan is run across an enterprise network, it identifies software vulnerabilities that need to be fixed. Often, these vulnerabilities are minor and of no particular major concern. However, sometimes a major vulnerability is discovered and, without rapid remediation, the enterprise could be open to attack. Regardless of the type of vulnerability discovered, this information is highly valuable to security operations centers.
Scan integration allows security operations centers to know and understand the vulnerabilities across the enterprise and to specifically monitor for any attempt to exploit them. Security analysts and threat hunters may also be able to identify any known exploits of the respective vulnerabilities that exist out “in the wild”. Once these are identified, they can build alert rules, use cases, or analytics to protect against them. Such rules can be applied in the monitoring systems, firewalls and intrusion detection and prevention systems, and/or used to actively hunt across the enterprise for malicious activity.
When vulnerabilities are discovered they are considered zero-days until they are known and a patch made available to secure it. The National Vulnerability Database, maintained by the National Institute of Science and Technology (NIST), is a centralized repository where known vulnerabilities are documented. Each vulnerability is given a “CVE” unique identifier that provides a criticality rating, details, and a link to the patch if one is available. This database can be downloaded into SIEM systems and integrated with security operations.
An integration like this provides considerable value. There are specific rules regularly updated in firewalls, IDS/IPS systems, end-point protection software, and more that specifically identify known exploits tied to specific CVE’s. Additionally, some CVE’s contain data that can be used to identify exploitation.
Understanding current vulnerabilities – especially the critical and high-rated – ensure that your security operations and threat analysis is timely and relevant. It enables you to look for exploits that could specifically affect your organization. Without knowing or integrating your vulnerability profile, security operations may end up wasting a considerable amount of time running down alerts or hunting for exploits that do not actually apply to the organization.
Considering the Security Operations Center, your managed security service provider, or even just your run of the mill SIEM system provides the gathering place for all your security data, integrating vulnerability data ensures you have the whole threat picture. It improves the efficiency and overall security of the enterprise.