Index
- Introduction
- Standard vulnerability management practices fall short in mitigating cyber threats due to several reasons:
- Key Capabilities
- Exploitability-Driven Prioritization using EPSS and CISA KEV:
- Use Cases driven by Morphisec Vulnerability Prioritization
Security leaders are keenly aware of the risks posed by vulnerabilities. Despite organizations investing substantial amounts in periodic vulnerability assessments and technology for mitigation, vulnerability-based breach incidents persist. The Verizon Data Breach Investigation Report (DBIR) reveals that over half of reported breaches and ransomware attacks exploit vulnerabilities.
Recent instances include the WebP (libwebp) zero-day vulnerability, exploiting WebP images to target Google Chrome and Chromium-based browsers, the ongoing exploitation of the MOVEit Transfer vulnerability, and the CISA advisory on the “Citrix Bleed” vulnerability, exploited by LockBit 3.0 ransomware affiliates.
Over 4,400 critical vulnerabilities (CVSS score 9+) have surfaced this year, impacting numerous applications. However, triaging and patching this extensive list remains a daunting task for IT operations teams.
Additionally, CVSS-driven processes lack business context and fail to align risks with patching efforts, leaving organizations struggling to prioritize and mitigate risks effectively.
It’s essential to acknowledge that less than 2% of published vulnerabilities are actively exploited, a fact often overlooked in current vulnerability management practices.
Standard vulnerability management practices fall short in mitigating cyber threats due to several reasons:
- Patching gaps: Remediation processes, involving testing and compatibility checks, create time gaps of 4-6 weeks or more, leaving organizations vulnerable during this period.
- Varying exposure and application usage: Risk profiles differ across organizations, necessitating a tailored approach to vulnerability management based on application usage and context.
- Inadequate severity rankings: Relying solely on CVSS scores may not accurately reflect risk, as it overlooks factors like application usage and exploitability potential.Ideally, patching efforts should prioritize vulnerabilities based on their probability of exploitability within the organization’s specific context, reducing the burden on IT Operations and IT Risk teams.Having a clear understanding of a vulnerability’s risk to the organization allows teams to better prioritize and optimize patching efforts.
Morphisec introduces cutting-edge Risk-Based Vulnerability Prioritization, providing organizations with ongoing, business-context-driven remediation suggestions. This empowers them to effectively prioritize patching procedures, thereby minimizing exposure through patchless protection, driven by Automated Moving Target Defense (AMTD) technology.
Key Capabilities
Business Context Risk Prioritization: Morphisec’s advanced vulnerability prioritization system categorizes and prioritizes risks based on business functions, critical assets, and services. This includes identifying risks associated with web-facing applications, databases, financial transaction systems, and systems containing sensitive data like Personally Identifiable Information (PII) and corporate Intellectual Property (IP).
Host Exposure Scoring (HES): Morphisec’s proprietary HES scoring system assesses the cumulative risk posed by all vulnerabilities present on each host or device. It considers factors such as criticality, exploitability, usage, and exposure, facilitating clear prioritization of vulnerability remediation efforts.
Application-Driven Risk Prioritization: Organizations can prioritize remediation efforts based on the most exposed applications, mapping associated Common Vulnerabilities and Exposures (CVEs) and affected hosts. Morphisec’s custom dashboards aggregate application risk, enabling efficient prioritization in cases of multiple vulnerabilities.
Exploitability-Driven Prioritization using EPSS and CISA KEV:
1. Exploit Prediction Scoring System (EPSS): EPSS predicts the likelihood of a vulnerability being exploited by combining data from various threat feeds and sources. It continuously updates based on factors such as the presence of exploit proofs of concept (POCs) and real-world exploitation incidents.
2. CISA Known Exploited Vulnerability (KEV): Morphisec integrates the CISA KEV catalog, which identifies critical vulnerabilities known to have been exploited by attackers in live environments.
3. Continuous Usage-Based Scoring: Morphisec prioritizes remediation efforts based on the active usage of applications. Applications in frequent use are assigned higher priority for patching, as they are exposed for longer periods compared to less frequently used or unused applications.
4. Patchless Protection and Threat Prevention using Automated Moving Target Defense (AMTD): Morphisec’s AMTD technology safeguards application memory and prevents malicious memory exploitation and unauthorized access to system APIs, processes, and resources. It offers compensating controls to protect applications from exploitation until security patches can be applied.
Use Cases driven by Morphisec Vulnerability Prioritization
Risk and Exposure Management: Morphisec’s system adapts to the unique risk profiles of organizations, ensuring that remediation efforts are aligned with actual usage and exposure levels. It enables organizations to prioritize vulnerabilities based on the potential impact and likelihood of exploitation.
Patching Gaps: Morphisec helps organizations address time gaps in vulnerability remediation by prioritizing and expediting patching efforts. This is crucial in mitigating exposure before new security risks emerge.
Compliance: Morphisec assists organizations in meeting regulatory standards and compliance requirements related to patch management. It simplifies vulnerability management processes, ensuring timely mitigation of risks to maintain compliance with industry regulations.