At last check, about 22 new vulnerabilities are being published and categorized every single day (see the National Vulnerability Database web site: http://nvd.nist.gov/). In total, the National Vulnerability Database now contains more than 53,000 vulnerabilities. No wonder security professionals are overwhelmed by the sheer volume of vulnerabilities in their daily practice. At the same time, the prioritization schemes that many organizations use are quite basic: they are either proprietary or leverage only basic industry standards such as CVSS.
In this 5-minute Whiteboard Wednesday session, I'll provide a few tips and tricks on what other criteria to consider to help your security operation save time and increase credibility with your IT operations counterparts.
A few concepts I'll introduce include:
- The age of a vulnerability
- Exploit exposure
- Malware exposure
- RealRisk scoring and prioritization methods
All of these concepts can provide a more meaningful and efficient way of prioritizing. How does your organization prioritize vulnerabilities and what do you think about some of the concepts discussed in our session? I'd love to hear from you!