There was a recent LinkedIn post that was interesting. It was a short demonstration video of an image recognition and temperature scanning technology designed to screen people for COVID-19. Those wishing to enter a building paused for a few seconds, and an automated system confirmed they were wearing a mask and they weren’t feverish. When those two criteria were satisfied, they were granted entry. No human with a hand-held thermometer in a hazmat suit was required. The system was a perfect example of how technology – including machine learning – can be deployed to address contemporary challenges to minimize cost and health risk.
That contrasted starkly with multiple posts that read like they were written a decade ago, posts that laboriously detailed the nuances of newly-introduced software vulnerabilities. One post advertised an upcoming webinar that would shed light on Microsoft’s Patch Tuesday’s list of new vulnerabilities. Another linked to a blog where a large vulnerability management vendor discussed a recent collection of a technology’s appliance patches. Yet another fanned the hype flame for a just-discovered critical vulnerability that the manufacturer implored users to patch “as soon as possible.”
More than 20,000 new vulnerabilities were disclosed in 2019. Think about that for a second: 20,000 new vulnerabilities, on top of the hundreds of thousands published in years prior and still largely unpatched on countless networks. Does anyone believe it’s a good use of time to attempt to understand the nuances of even a fraction of 2019’s 20,000 vulnerabilities?
When you hire an electrician to wire your house, you don’t study wiring codes. When you visit a restaurant, you don’t learn the preparation details of the dish you’re ordering. If you had to invest that kind of time, why would you ever hire the electrician or go out to eat in the first place? Shouldn’t vulnerability management product companies add at least as much value as your electrician or your favorite restaurant?
When it comes to vulnerability management products, shouldn’t the gory details of every new vulnerability be at least somewhat irrelevant to the user? A user needs to know what vulnerabilities on their network require attention, and in which order. That’s it. Vulnerability A on Asset B is No. 1, Vulnerability C on Asset D is No. 2, and so on. When a new vulnerability is introduced, the vulnerability management product should automatically determine if that new vulnerability should be considered a priority for the user, and if so, where in the remediation priority list it should reside. It might present an extraordinary risk to the user, or it might be utterly innocuous on a given network.
Either way, the VM product user shouldn’t have to attend a webinar, read a blog post, or subscribe to vulnerability alerts to know if they need to worry about it or not.
Some tasks should be automated, while others have to be. When dealing with an ever-growing mountain of enterprise vulnerabilities, automation is not negotiable. With 20,000 new vulnerabilities published in 2019 and the typical enterprise network housing hundreds of thousands at any given time, the VM challenge begs for intelligent automation that culminates in prescriptive output.
We don’t write blog posts about specific vulnerabilities. We don’t host webinars that promise “Everything you need to know …” about the latest catastrophic security hole, and we don’t encourage or contribute to vulnerability hype. All of that kind of knowledge and insight is built into Secureworks® Vulnerability Detection and Prioritization (VDP), which intelligently automates vulnerability management operations and delivers a list of your enterprise vulnerabilities prioritized from 1 to n based on your network’s specific context. When a new vulnerability is discovered, we will let you know if it’s a priority for you or not. That’s our job.
In short, let us worry about what you need to worry about. If your vulnerability management vendor can’t do that, you might want to ask what did you hire them for in the first place?
How Can AI be Used to Automate Vulnerability Management?
We are working to change the way organizations think about and interact with vulnerabilities and vulnerability management. As part of that discussion, we talked about how we use AI (more accurately, machine learning) to remove the need for our customers to dive into the details on every newly-published vulnerability.
The goal of a modern, AI-driven vulnerability management platform is to eliminate the burden on the user of trying to understand which vulnerabilities need attention, and which ones they be ignored altogether or deprioritized. If the vulnerability management solution can’t do that, what kind of value is it actually providing, especially in an era where inexpensive, basic scanners are plentiful?
The following are some examples of how VDP machine learning is automating vulnerability management operations.
Exploit Publication Prediction
When a new vulnerability is released, it would be very helpful for any vulnerability management professional to have some feeling for whether or not that vulnerability will eventually have an exploit published for it. Moreover, it’s important to know that before exploits are published. Highlighting that second part may sound silly, but there are products on the market now that “predict” whether a vulnerability will have an exploit published when they already exist.
Our EPP (Exploit Publication Prediction) uses machine learning to genuinely predict the likelihood an exploit will be published for newly released vulnerabilities before any such exploit exists. A number between 0 and 100 is generated for all newly released vulnerabilities. This is one of more than 40 factors Secureworks accounts for when delivering our Contextual Vulnerability Prioritization score.
Which vulnerabilities are being discussed on the dark web and in other open source forums can also provide insight into prioritization of remediation efforts. Attempting to process the reams of social media and chat data to determine which topics are trending is a task that would be impossible for any human, or even a large collection of humans working manually. Machine learning, however, can help. Another one of VDPs 40-plus prioritization factors is the Vulnerability Trend Score (VTS). VDP collects data from a number of sources, identifies trending topics, and then determines vulnerabilities that are closely related to those topics. Knowing which vulnerabilities are trending can help guide remediation priorities, again, in concert with the other 40-plus factors.
Identification of “Outlier” Assets
Penetration testers have known for years that assets on a network appearing out of place for some reason or another (for example, a Linux machine on a subnet with primarily Windows machines) are often the best targets for compromise. To defend against such attack tactics, it’s very helpful for organizations to know which of their assets an attack might consider an “outlier.” VDP uses machine learning along with a mathematical model of each asset on the network to identify outlier assets that are likely to draw an attacker’s attention. A vulnerability hosted by an outlier asset is likely to be prioritized by the organization over the same vulnerability on an asset not considered an outlier.
Call to Action
Learn more about how AI and machine learning can help automate vulnerability management: 7 Ways AI Can Automate and Improve Vulnerability Management Operations.