Beyond this Qualys report, in 2024, 768 vulnerabilities were exploited for the first time, around 25% of which were zero-day vulnerabilities, according to a Vulncheck study.
The Google Threat Intelligence Group notes that zero-day vulnerabilities continue to increase, with attackers focusing more on enterprise equipment: in 2023, 37% of zero-day vulnerabilities targeted enterprise products, rising to 44% in 2024, mainly due to the increased exploitation of security and networking software and devices.
So how can we deal with this threat? Let’s start by defining a CVE and see why vulnerability management, alongside detection and remediation methods, should be prioritized as essential components of resilience.
CVE (Common Vulnerabilities and Exposures): definition
IT security vulnerabilities are listed in public databases so that security teams have centralized, simple, and standardized access to all known vulnerabilities and their descriptions, making it easier to identify them in the information systems that need to be protected. In short, a central reference point for the cybersecurity ecosystem.
These vulnerabilities are assigned a standardized score from 0 to 10 to assess their criticality, according to the CVSS (Common Vulnerability Scoring System), which we will come back to later.
Please note: a vulnerability with a low score may still be urgent if it targets infrastructure critical to your specific information system!
Furthermore, a low score may also reflect low exploitability (the vulnerability is hard for an attacker to leverage), but exploitability and impact are separate dimensions: nothing prevents a hard-to-exploit vulnerability from inflicting critical damage once it is exploited.
Vulnerability management and cyber resilience
Vulnerability management should be seen as an essential building block of your cyber shield.
Although legal frameworks such as NIS 2 and DORA impose constraints, SOCs must stay ahead of these cyber standards rather than simply implementing them for compliance purposes. Set the industry standard for future compliance legislation!
It is also important to bear in mind that audits and compliance measures are necessary but not sufficient on their own: these operations are generally annual, whereas threats are constantly evolving. In short, proactivity and anticipation are key to greater resilience, and it is important to remember that catching up always costs more.
With this in mind, the VOC (Vulnerability Operations Center) approach is essential. It involves centralizing vulnerability management to optimize responsiveness and response capabilities through:
- Vulnerability detection
- IT asset configuration management tailored to security needs
- Identity management
- Internet exposure management
- Regular vulnerability testing (Adversary Exposure Validation, an approach halfway between pentesting and bug bounty)
- Continuous reduction of technical debt for better asset security
- Greater knowledge of threats and the organization’s cybersecurity context
- Etc.
Pro tip
In addition to managing assets and IT equipment using internal tools and processes, implementing hardening policies, particularly for access management, limiting privileges for accounts used for sensitive services, and setting up effective, continuously monitored network segmentation can greatly limit the exploitability of vulnerabilities and their impact if exploited.
Vulnerability detection methods
Objective: detect threats before they affect you!
Vulnerabilities can be detected using two primary methods:
- Scans: These detect known CVEs on a network, workstations, servers, databases, APIs, etc. However, this method has several limitations and challenges:
  - The scope of the analysis must be defined in advance, which requires mapping of the information system, and the operation consumes network bandwidth and system resources;
  - Detection is not continuous, so scans must be scheduled regularly;
  - It is impossible to detect vulnerabilities affecting applications that are not exposed on the network;
  - It is impossible to detect vulnerabilities in applications that return only partial metadata, which does not necessarily allow you to determine whether the installed version is vulnerable;
  - In some cases, it is necessary to attempt to exploit a vulnerability to determine whether it is present, which poses a risk to production.
For these reasons, HarfangLab favors detection by agents deployed on endpoints.
- Agents: each agent installed on the endpoints of a computer network acts as a watchdog for the entire network. The CVEs collected by the cybersecurity platform are compared with the software and applications deployed on the IT infrastructure in order to flag vulnerabilities that need to be corrected. And what about assets on which no agent is deployed? Shadow IT presents a limitation to this approach, as endpoints on which the agent is not installed are not protected. A vulnerability management solution that adopts this method must therefore include Shadow IT detection capabilities so that no endpoint falls into a blind spot — and that is exactly why HarfangLab’s Attack Surface Management solution includes this Shadow IT management feature!
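As an added illustration (not HarfangLab's code), here is a minimal version of the comparison an agent-based approach performs: an inventory collected from endpoints is matched against a list of advisories with affected version ranges, entries whose version could not be collected are flagged as "unknown" rather than silently ignored, and hosts seen on the network that reported no inventory are listed as agent-less blind spots. All products, versions, hosts and CVE identifiers below are constructed placeholders.

```python
"""Match an endpoint software inventory against a list of known CVEs.

Added example (not HarfangLab code). It mimics what an agent-based
approach does once inventories are collected and handles two blind spots
the article mentions: software whose version could not be collected
(partial metadata) and hosts seen on the network that run no agent
(Shadow IT). All CVE identifiers, products, versions and hosts are
constructed sample data, not real advisories.
"""
from dataclasses import dataclass
from typing import Optional


def parse_version(v):
    """Turn '2.4.49' into (2, 4, 49) so versions compare numerically,
    not lexically (as strings, '2.4.10' would sort before '2.4.9')."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    cve_id: str
    product: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive)


@dataclass
class InstalledSoftware:
    host: str
    product: str
    version: Optional[str]   # None when the agent only saw partial metadata


def match_advisory(sw, adv):
    """Return 'vulnerable', 'unknown', or None when not affected."""
    if sw.product != adv.product:
        return None
    if sw.version is None:
        return "unknown"   # cannot decide without a precise version
    v = parse_version(sw.version)
    if parse_version(adv.introduced) <= v < parse_version(adv.fixed):
        return "vulnerable"
    return None


def assess(inventory, advisories, hosts_seen_on_network):
    """Produce findings (host, CVE, product, status) plus the list of hosts
    seen on the network that reported no inventory: the agent-less blind spots."""
    findings = []
    for sw in inventory:
        for adv in advisories:
            status = match_advisory(sw, adv)
            if status:
                findings.append((sw.host, adv.cve_id, sw.product, status))
    covered = {sw.host for sw in inventory}
    blind_spots = sorted(h for h in hosts_seen_on_network if h not in covered)
    return findings, blind_spots


# Constructed sample data (placeholder CVE ids, fictitious products).
ADVISORIES = [
    Advisory("CVE-0000-0001", "examplehttpd", "2.4.0", "2.4.50"),
    Advisory("CVE-0000-0002", "exampledb", "10.0", "10.3.2"),
]
INVENTORY = [
    InstalledSoftware("web-01", "examplehttpd", "2.4.49"),   # affected
    InstalledSoftware("web-02", "examplehttpd", "2.4.51"),   # already fixed
    InstalledSoftware("db-01", "exampledb", None),           # version unknown
    InstalledSoftware("db-01", "examplehttpd", "2.4.9"),     # affected
]
HOSTS_SEEN_ON_NETWORK = ["web-01", "web-02", "db-01", "printer-07"]  # no agent on printer-07

if __name__ == "__main__":
    findings, blind_spots = assess(INVENTORY, ADVISORIES, HOSTS_SEEN_ON_NETWORK)
    for f in findings:
        print("%-10s %-14s %-13s %s" % f)
    print("hosts without inventory (blind spots):", blind_spots)
```

The "unknown" status is the important design choice: a scanner that only sees a product name and no version has to report that it cannot decide, so the entry ends up in a verification queue instead of being counted as clean.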
Why you need to go beyond the CVSS score
As mentioned earlier, a CVSS score is assigned to known vulnerabilities, but thinking about business priorities beyond the score is crucial for a SOC. A vulnerability that affects an application that does not exist in a given information system carries, in that context, a risk of 0 whatever its CVSS score, while a vulnerability with a low score may warrant a very high priority in a context where it is exposed and exploitable.
This is one of the reasons behind the emergence of the EPSS (Exploit Prediction Scoring System) score, which aims to prioritize vulnerabilities by estimating the probability that they will be exploited in the next 30 days (a score that is updated regularly), and of exposure assessment platforms (EAPs), which help organizations assess risks by taking their own business context into account.
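The following added example (not HarfangLab code, and not any standard scoring method) shows one way to turn that reasoning into a ranking: each finding combines its CVSS base score, its EPSS probability, whether the software is actually present on the asset, the asset's business criticality and its exposure. The weights are an illustrative assumption, and the CVE identifiers and asset names are constructed placeholders.

```python
"""Rank vulnerabilities by contextual risk instead of CVSS alone.

Added example, not HarfangLab code or a standard formula: the weights
below are an illustrative assumption. Inputs per finding are the CVSS
base score, the EPSS probability (exploitation expected within 30 days),
whether the affected software is actually present, the asset's business
criticality and whether it is exposed to the internet.
"""
from dataclasses import dataclass

# Assumed weights for the organization's context (not a standard).
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.4, "isolated": 0.1}
CRITICALITY_WEIGHT = {"critical": 1.0, "important": 0.6, "low": 0.3}


@dataclass
class Finding:
    cve_id: str
    asset: str
    cvss: float        # 0-10 base score
    epss: float        # 0.0-1.0 probability of exploitation in 30 days
    present: bool      # is the vulnerable software installed on this asset?
    criticality: str   # key of CRITICALITY_WEIGHT
    exposure: str      # key of EXPOSURE_WEIGHT


def contextual_risk(f):
    """0.0 when the software is absent; otherwise severity x likelihood x
    business context, scaled to 0-10 for readability."""
    if not f.present:
        return 0.0
    severity = f.cvss / 10.0
    likelihood = max(f.epss, 0.01)   # floor: an EPSS near 0 is not "impossible"
    context = CRITICALITY_WEIGHT[f.criticality] * EXPOSURE_WEIGHT[f.exposure]
    return round(10.0 * severity * likelihood * context, 2)


def prioritize(findings):
    """Highest contextual risk first."""
    return sorted(findings, key=contextual_risk, reverse=True)


# Constructed sample findings (placeholder CVE ids and asset names).
FINDINGS = [
    # medium CVSS, but very likely to be exploited, on an exposed critical asset
    Finding("CVE-0000-0101", "vpn-gw", 6.5, 0.92, True, "critical", "internet"),
    # critical CVSS, but rarely exploited, on an internal low-value asset
    Finding("CVE-0000-0102", "build-srv", 9.8, 0.02, True, "low", "internal"),
    # software not installed on this asset: risk 0 in this context
    Finding("CVE-0000-0103", "hr-app", 9.1, 0.40, False, "important", "internal"),
    Finding("CVE-0000-0104", "file-srv", 7.5, 0.15, True, "important", "internal"),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{contextual_risk(f):5.2f}  {f.cve_id}  {f.asset}  (CVSS {f.cvss}, EPSS {f.epss})")
```

With these inputs the CVSS 6.5 finding on the exposed VPN gateway ranks first and the CVSS 9.8 finding on the internal build server ranks third, which is the point of the section: the score alone would have ordered them the other way round.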
But how is the CVSS score calculated?
Calculating the CVSS score
This score, which ranges from 0 to 10 and is regularly revised, is based on various metrics that take into account the intrinsic characteristics of the vulnerability, its complexity, exploitability, impact, context, and the risks it poses over time.
To be actionable, the score must be published together with the metric values used to calculate it (the CVSS vector), not as a bare number.
Let’s now move on to the necessary measures to remedy vulnerabilities.
How to remediate a vulnerability
Vulnerabilities: tools and methods to protect your information system
The consequences of a vulnerability can be prevented using a WAF, EDR or EPP, virtual patching, etc. There are many tools available, but they are not enough on their own: team organization, analysis capabilities, and effective prioritization are essential.
Firstly, to avoid alert fatigue, tools must be correctly configured to limit false positives.
Security teams also need to know the business priorities that will enable them to smartly manage an incident or crisis.
In addition, the implementation of key indicators can help optimize vulnerability management, such as:
- The average time to detect vulnerabilities
- The average time to mitigate risks associated with vulnerabilities
- The average time to apply patches
- The average number of vulnerabilities per asset
- The total number of vulnerabilities identified on the information system
- The number of critical vulnerabilities
- The recurrence rate
- Etc.
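To show how these indicators are derived from everyday tracking data, here is an added example (not HarfangLab code) that computes several of them from constructed records. Each record is one CVE observed on one asset, with the dates at which the vulnerability was published, detected on that asset and patched there (None while still open); a CVE that reappears on an asset after having been patched counts as a recurrence. All identifiers and dates are made up.

```python
"""Compute vulnerability-management indicators from tracking records.

Added example (not HarfangLab code). RECORDS is constructed sample data:
(cve_id, asset, cvss, published, detected, patched), with patched = None
while the vulnerability is still open on that asset. Durations are in days.
"""
from datetime import datetime
from statistics import mean

RECORDS = [
    ("CVE-0000-0201", "web-01", 9.8, "2024-03-01", "2024-03-02", "2024-03-05"),
    ("CVE-0000-0201", "web-02", 9.8, "2024-03-01", "2024-03-02", "2024-03-09"),
    ("CVE-0000-0202", "db-01",  6.5, "2024-03-10", "2024-03-20", None),
    ("CVE-0000-0203", "web-01", 4.3, "2024-03-12", "2024-03-14", "2024-03-16"),
    # same CVE seen again on web-01 after it had been patched: a recurrence
    ("CVE-0000-0203", "web-01", 4.3, "2024-03-12", "2024-03-25", None),
]


def days_between(start, end):
    fmt = "%Y-%m-%d"
    return (datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).days


def indicators(records, critical_threshold=9.0):
    """Return the indicators listed in the article as a dict."""
    time_to_detect = [days_between(pub, det) for _, _, _, pub, det, _ in records]
    # Only patched records contribute to time-to-patch; open ones are counted separately.
    time_to_patch = [days_between(det, pat) for _, _, _, _, det, pat in records if pat]
    assets = {r[1] for r in records}
    seen, recurrences = set(), 0
    for cve, asset, *_ in records:
        if (cve, asset) in seen:
            recurrences += 1
        seen.add((cve, asset))
    return {
        "avg_days_to_detect": mean(time_to_detect),
        "avg_days_to_patch": mean(time_to_patch) if time_to_patch else None,
        "open_findings": sum(1 for r in records if r[5] is None),
        "total_findings": len(records),
        "distinct_cves": len({r[0] for r in records}),
        "critical_findings": sum(1 for r in records if r[2] >= critical_threshold),
        "avg_findings_per_asset": len(records) / len(assets),
        "recurrence_rate": recurrences / len(records),
    }


if __name__ == "__main__":
    for name, value in indicators(RECORDS).items():
        print(f"{name:24s} {value}")
```

Two details matter in practice: open findings must not silently lower the average time to patch (they are excluded from that average and reported as a backlog instead), and the recurrence rate is what exposes configuration drift or image rebuilds that reintroduce an already-fixed vulnerability.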
But when a vulnerability is published, the patch may not be immediately available. What should you do in this situation?
Managing vulnerabilities while waiting for a patch
While waiting for a patch, an organization must align itself with business priorities and assess the business and organizational impact of the vulnerability. The interconnection of vulnerabilities and the risk of a domino effect must also be taken into account.
Pro tip
While waiting to apply a patch to a vulnerability, especially if it is classified as critical, a mitigation strategy can be deployed through access hardening, network segmentation, intrusion detection systems, and strict filtering on endpoints and the network — for example, with the help of EDR and EPP — or simply by temporarily disabling the vulnerable service.
Speaking of vulnerabilities, how does a security platform ensure its own protection?