Identify, Prioritize, and Remediate Known Exploitable Vulnerabilities
Category: Data Enrichment and Threat Intelligence, Vulnerability Management
Cyware Products Used:
Cyware Threat Intelligence Exchange (CTIX)
Cyware Fusion and Threat Response (CFTR)
Orchestrate
Third-party Integrations Used:
National Vulnerability Database (NVD): the U.S. government vulnerability repository. CTIX fetches Common Vulnerabilities and Exposures (CVE) and Known Exploited Vulnerabilities (KEV) feeds from it so that analysts can analyze and track potential vulnerabilities.
Tenable SC: used to enrich identified Known Exploitable Vulnerabilities (KEVs) with asset and network data.
Problem Statement
Vulnerability management tools generate reports daily, and security teams aim to detect and remediate the reported vulnerabilities before attackers exploit them. In reality, not all identified vulnerabilities pose the same severity, and security analysts need more context to determine the severity of each one.
It is also important to prioritize Known Exploitable Vulnerabilities (KEVs), since they are being actively exploited by threat actors.
Solution
The solution is to automatically identify and prioritize Known Exploitable Vulnerabilities (KEVs) from trusted sources and enrich them with data from network and asset monitoring solutions to determine their impact on your organization’s assets. All KEVs with impacted assets are then prioritized and tracked in an incident response tool for response and remediation.
How do we solve this problem?
Retrieve Vulnerabilities from NVD: The solution starts by automatically retrieving vulnerability feeds from the NVD.
Identify KEV Vulnerabilities: CTIX rules continuously monitor the feeds from the NVD. If a feed entry contains KEV details, CTIX sends the vulnerability details to Orchestrate for enrichment and remediation.
Enrich the KEV feed: The identified KEV is sent to an asset and network monitoring tool such as Tenable SC for enrichment. If assets impacted by the KEV are present in the organization, the Orchestrate playbook creates an Incident object in CTIX from the KEV vulnerability feed. The playbook also adds the "Enriched using Tenable SC" tag to the vulnerability feed object.
Create Incident in CFTR: The playbook also creates an incident in CFTR and assigns it to analysts for remediation. The enrichment details are added to the incident as notes, and the incident is ready for investigation. The analyst can patch the vulnerability and record the lessons learned on the incident.
CSAP Advisory Notification: The playbook also creates an advisory notification about the KEV and sends it to your organization members for proactive defense.
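The identify, enrich and prioritize logic of the steps above, as an added illustration that is not Cyware's, Orchestrate's or Tenable's own code: it runs over constructed sample NVD, KEV and Tenable SC records, opens an incident only for KEVs that have impacted assets, applies the enrichment tag, and orders overdue KEVs first. The CVE ids, asset addresses and due dates are placeholders.

```python
from datetime import date

# Constructed sample inputs standing in for the NVD feed, the KEV catalog and a
# Tenable SC finding export; the CVE ids are placeholders, not real advisories.
NVD_FEED = [
    {"id": "CVE-0000-0001", "cvss": 9.8},
    {"id": "CVE-0000-0002", "cvss": 7.5},
    {"id": "CVE-0000-0003", "cvss": 5.3},
    {"id": "CVE-0000-0004", "cvss": 8.1},
]
KEV_CATALOG = {  # CVE id -> remediation due date, as the KEV feed provides it
    "CVE-0000-0001": date(2024, 2, 1),
    "CVE-0000-0003": date(2024, 1, 15),
    "CVE-0000-0004": date(2024, 1, 10),
}
TENABLE_FINDINGS = [  # one row per (CVE, affected asset) from the scanner
    {"cve": "CVE-0000-0001", "asset": "10.0.0.5"},
    {"cve": "CVE-0000-0001", "asset": "10.0.0.9"},
    {"cve": "CVE-0000-0002", "asset": "10.0.0.7"},
    {"cve": "CVE-0000-0004", "asset": "10.0.0.3"},
]
ENRICH_TAG = "Enriched using Tenable SC"

def identify_kevs(nvd_feed, kev_catalog):
    """Keep only feed entries present in the KEV catalog (the CTIX rule step)."""
    return [v for v in nvd_feed if v["id"] in kev_catalog]

def impacted_assets(cve_id, findings):
    """Distinct assets the scanner reports as affected by this CVE."""
    return sorted({f["asset"] for f in findings if f["cve"] == cve_id})

def build_incidents(nvd_feed, kev_catalog, findings, today):
    """A KEV becomes an incident only when impacted assets exist; overdue KEVs
    are P1 and sort first, then by number of impacted assets, then by CVSS."""
    incidents = []
    for vuln in identify_kevs(nvd_feed, kev_catalog):
        assets = impacted_assets(vuln["id"], findings)
        if not assets:
            continue  # KEV with no exposure here: tracked, but no case opened
        due = kev_catalog[vuln["id"]]
        incidents.append({
            "cve": vuln["id"],
            "cvss": vuln["cvss"],
            "assets": assets,
            "priority": "P1" if due <= today else "P2",
            "tags": [ENRICH_TAG],
            "notes": f"{len(assets)} asset(s) affected; KEV due {due}",
        })
    incidents.sort(key=lambda i: (i["priority"], -len(i["assets"]), -i["cvss"]))
    return incidents
```

Calling build_incidents with the sample data and a date of 2024-01-15 yields two incidents: the overdue placeholder CVE-0000-0004 as P1, then CVE-0000-0001 as P2; the KEV without impacted assets and the non-KEV finding produce none.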
Benefits
Enhanced Security
The solution allows your organization to continuously identify flaws in its network and secure all assets and business data from the threats targeting it.
Automate Remediation Workflow
Security teams can automate remediation workflows that integrate with existing case management or incident response systems to provide complete response and remediation to the threat.
Improve Security Posture
The solution to automatically identify and remediate actively exploited vulnerabilities can strengthen your organization's security posture.
Lower Remediation Time
The solution allows security teams to automate the ingestion, identification, prioritization, and handoff of KEV data to case or ticket management solutions, reducing the overall time taken to remediate KEVs.