
Vulnerability Management Process - IBM X-Force

Abstract


Category: Data Enrichment and Threat Intelligence, Endpoint, Vulnerability Management

Cyware Products Used:

  • Cyware Threat Intelligence eXchange (CTIX)

  • Cyware Fusion and Threat Response (CFTR)

  • Orchestrate (CO)

  • Cyware Situational Awareness Platform (CSAP)

Third-Party Integrations Used:

  • IBM X-Force: To enrich identified vulnerabilities.

  • CrowdStrike Falcon Endpoint Detection and Response (EDR): To get asset details for the organization database.

Problem Statement

Cybercriminals target security vulnerabilities in software and systems to plant malware, compromise an organization's infrastructure, and access confidential or sensitive data. Security teams aim to detect such vulnerabilities proactively, before attackers discover them, by examining the organization's security posture.

While it is important to quickly identify and patch the vulnerabilities that are actively exploited by threat actors, in reality not all identified vulnerabilities pose the same threat severity. Some vulnerabilities are difficult to exploit, some do not pose a direct threat to the organization, and for a few others the risk is uncertain.

Solution

A strong vulnerability management process is the need of the hour for any organization that wants to solve this problem. Cyware's fusion center uses the Vulnerability Management playbook to combine threat intelligence with the knowledge of IT asset management teams, rank vulnerabilities by severity, and remediate them promptly. This allows security teams to identify and patch critical vulnerabilities first.

[Figure: Vulnerability Management playbook workflow]

How do we solve this problem?

The Vulnerability Management playbook retrieves recently reported vulnerabilities from CTIX on configured intervals. The playbook performs the following activities.

  1. Extract and Enrich Vulnerabilities: After retrieving the reported vulnerabilities from CTIX, the playbook sends the CVE IDs to the IBM X-Force application for external enrichment. This retrieves vulnerability details such as the remedy, Common Vulnerability Scoring System (CVSS) score, exploitability, and other important information that helps security analysts make informed decisions. You can also configure a preferred Vulnerability Enrichment application. See Vulnerability Management integrations.

  2. Filter Non-Exploitable Vulnerabilities: The playbook then filters out non-exploitable vulnerabilities and retains only the exploitable ones for the next steps.

  3. Retrieve Assets: The playbook retrieves the list of vulnerabilities and associated assets from the CrowdStrike Falcon EDR application. You can also configure a preferred EDR integration. See Endpoint integrations.

  4. Correlation: The playbook correlates the asset information received from CrowdStrike Falcon EDR with exploitable vulnerabilities to establish the following findings.

    1. Critical Vulnerabilities with Impacted Assets: Filters the list of assets impacted by critical vulnerabilities.

    2. Non-Critical Vulnerabilities with Impacted Assets: Filters the list of assets impacted by non-critical vulnerabilities.

    3. Critical Vulnerabilities without Impacted Assets: Lists the critical vulnerabilities for which no impacted assets were found.

    4. Non-Critical Vulnerabilities without Impacted Assets: Lists the non-critical vulnerabilities for which no impacted assets were found.

    5. Vulnerabilities without any Record: Lists the vulnerabilities for which no record was found.

  5. Response and Remediation: Based on the risk and severity identified by the correlation of asset and vulnerability details, the playbook performs the following actions in real time.

    1. Creates high-priority actions in CFTR to rectify assets that are impacted by critical vulnerabilities and non-critical vulnerabilities. Additionally, the playbook notifies the security teams about the vulnerabilities and impacted assets.

    2. The playbook notifies the security teams about the vulnerabilities that do not impact any assets.

    3. If no vulnerability records are found after correlation, the playbook sends a notification to the security teams.
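As an added example (not Cyware's own playbook code), here is a Python sketch of steps 2 to 5 above: the exploitability filter, the five-way correlation of enriched CVEs against EDR asset data, and the actions that follow. The CVE IDs, scores, host names and the 9.0 critical threshold are constructed assumptions; the real playbook works from the CTIX, X-Force and Falcon API responses, and a CVE with no enrichment record is assumed to bypass the exploitability filter and land in the no-record finding.

```python
# Constructed sample inputs standing in for the CTIX feed, the IBM X-Force
# enrichment result and the CrowdStrike Falcon asset list (not real API output).
CTIX_CVES = ["CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003",
             "CVE-0000-0004", "CVE-0000-0005", "CVE-0000-0006"]
XFORCE = {  # cve -> (CVSS base score, exploitable?); 0006 deliberately has no record
    "CVE-0000-0001": (9.8, True), "CVE-0000-0002": (5.3, True),
    "CVE-0000-0003": (9.1, True), "CVE-0000-0004": (4.0, True),
    "CVE-0000-0005": (7.5, False),
}
EDR_ASSETS = {  # cve -> hostnames the EDR reports as carrying that vulnerability
    "CVE-0000-0001": ["web-01", "web-02"], "CVE-0000-0002": ["db-01"],
    "CVE-0000-0005": ["legacy-01"],
}
CRITICAL_CVSS = 9.0  # assumed threshold: CVSS v3.x "Critical" severity band

def correlate(cve_ids, enrichment, assets):
    """Steps 2-4: drop non-exploitable CVEs, then sort the rest into the five findings."""
    findings = {"critical_with_assets": [], "noncritical_with_assets": [],
                "critical_without_assets": [], "noncritical_without_assets": [],
                "no_record": []}
    for cve in cve_ids:
        record = enrichment.get(cve)
        if record is None:            # enrichment returned nothing for this CVE
            findings["no_record"].append(cve)
            continue
        cvss, exploitable = record
        if not exploitable:           # step 2: non-exploitable CVEs are not pursued
            continue
        band = "critical" if cvss >= CRITICAL_CVSS else "noncritical"
        hosts = sorted(assets.get(cve, []))
        key = f"{band}_{'with' if hosts else 'without'}_assets"
        findings[key].append((cve, hosts))
    return findings

def plan_response(findings):
    """Step 5: CFTR actions for impacted assets (critical first), then notifications."""
    actions = []
    for band in ("critical", "noncritical"):  # order puts critical remediation first
        for cve, hosts in findings[f"{band}_with_assets"]:
            actions.append(("cftr_action", "high", band, cve, hosts))
            actions.append(("notify_secteam", f"{cve} ({band}) impacts {', '.join(hosts)}"))
    for band in ("critical", "noncritical"):
        for cve, _ in findings[f"{band}_without_assets"]:
            actions.append(("notify_secteam", f"{cve} ({band}) has no impacted assets"))
    if findings["no_record"]:
        actions.append(("notify_secteam", "no record: " + ", ".join(findings["no_record"])))
    return actions
```

Note that CVE-0000-0005 is dropped at the exploitability filter even though the EDR lists a host for it, which is the page's stated behaviour for step 2.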

Optional Configurations

Advisory Notifications: The playbook can also send advisory notifications about critical vulnerabilities to partners and vendors using CSAP.

Solution Benefits

Respond to Threats Proactively

By automating the detection and analysis of vulnerabilities using a strong vulnerability management process, organizations can transform from reactive to proactive response strategies.

Automated Assessment and Prioritization

Gather details on the security vulnerabilities in the network and prioritize the vulnerable assets by severity level using data such as CVSS score, exploit data, asset information, and more. This helps security teams keep assets secured against many attack variants.

Enhanced Security

The vulnerability management process allows organizations to continuously identify weaknesses in the network and secure all assets and business data from threats targeting the organization.