Vulnerability prioritization improves security, saves time & money


Expel® Vulnerability Prioritization launches today: an interview with team leader Matt Jastram

Security teams fight a never-ending battle against software vulnerabilities. More than 26,000 new ones were reported last year alone, and 11+% of all vulnerabilities have a Common Vulnerability Scoring System (CVSS) critical score. The problem is there are too many to begin with, even if you just focused on the most critical (and those are not necessarily the ones most likely to be exploited).

The experts all agree that the best way to reduce your organization’s risk profile is to prioritize vulnerabilities based on actual risk and the individual context of your organization. Unfortunately, over 70% of security operations centers (SOCs) report difficulty in prioritizing what needs patching.

Help is here, though. Today we’re announcing the general availability of Expel® Vulnerability Prioritization, a new risk-based prioritization service that does the heavy lifting for SOC teams in investigating and prioritizing the most critical vulnerabilities their organization’s face, based on their own unique environment, which vulnerabilities are being exploited, as well as Expel MDR intelligence on attacks happening in the wild.

We sat down for a few minutes with Matt Jastram, our senior vulnerability analyst (and chief vulnerability prioritization guru), to get his take on the value of a risk-based approach to the software vulnerability problem.

Tell us a bit about your background, Matt. How long have you been been in the vulnerability space?

Vulnerability risk management has been a passion of mine for many years. I first started in vulnerability management (VM) in 2009 addressing NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) regulations. My primary focus was facilities with electrical generation industrial controls (ICS) systems. The electrical utility was responsible for making sure the ICS system networking and operational components (firewalls, HMIs, and PLCs) were patched to meet regulatory compliance for external auditing purposes. It was a lot of sneaker patching (i.e.. physically moving to locally update) and legacy devices. Fast forward to 2019, when I moved into information risk management (IRM). My team conducted on-prem IT and operational technology (OT) risk assessments, including VM scanning, to determine if vulnerabilities existed on systems/components prior to go-live. Eventually, I wound up in charge of the vulnerability management program in early 2020. Our team was responsible for ensuring our IT infrastructure of 20k assets was frequently scanned. Critical- and high-vulnerability remediation were tracked and remediated so all levels of management were informed.

We partnered with technical leads, lines of business leaders, and executives to remediate the massive volume of vulnerabilities. I certainly felt the practitioner headaches and learned about the frustrations the IT business feels from inaccurate and noisy VM scanners. I’m excited to bring this experience to Expel and problem-solve our customers’ vulnerability challenges.

Why did Expel decide to tackle vulnerabilities?

We have a remarkable reputation for reducing the noise from the detection process and making sure our managed detection and response (MDR) customers promptly address incidents and alerts. We heard from numerous customers how painful and noisy the VM process was, and decided to tackle this same issue with vulnerabilities. These alerts contain details on attacker exploitation tactics that vulnerability prioritization (VP) can learn from. If we identify a vulnerability actively being exploited, then we’re able to use that threat intelligence as we look across our VP customer infrastructure to address the exploit risk. We understand the risks our MDR customers face, and our team will put the lessons learned to quick use addressing vulnerabilities.

What are the biggest challenges customers face?

I think the massive challenge customers face is that a VM scanner has mastered the art of identifying the full spectrum of vulnerabilities. Information is only useful once it’s translated into workable knowledge, though, and It’s overwhelming for IT teams to see the lengthy reports a scanner can spit out. Where do I start? What are the risks? Am I really addressing them? Are my resources focused on the right vulnerabilities? Our new service is 100% about addressing exploitability risk.

What goes into Expel Vulnerability Prioritization? What things are you looking at when determining how to prioritize?

Since we’ve felt the practitioner’s pain, Expel focuses on actual exploit risk and each customer’s unique environment—which we understand from their MDR instances. Our MDR analysts are on the front line of cyber attacker tactics, so we see what vulnerabilities are being weaponized. We take this intel, and we’re able to identify the threat, look at our customer’s scanner data, accurately pinpoint the existing risk of exploit, and recommend—is it an emergency, is it urgent, and what is the recommended remediation action?

Some of the external sources we consider—inthewild.io, exploit-db.com,  the Cybersecurity & Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities Catalog, and code repositories, for instance—help us reliably note actively exploited vulnerabilities and inform our customer base about the existing risk specific to their infrastructure context (like what specific asset types are vulnerable, for example).

How does it work?

Our general availability launch includes integration with popular vulnerability management tools, and we’re working on adding more. As always, our concern is on quality, not quantity.

Expel Workbench has over a hundred integrations (and counting) now, and VM scanners will import API data right into a more efficient UI within Expel® Workbench. We’ve taken the scanner data and enhanced exploit sorting, risk component simplification, and transparently update priority to help our customers be more efficient with their time and resources. I’m so proud of the engineers and UX designers who’ve created a simple and effective solution to vulnerability prioritization.

“…implementation of automation to investigate and remediate vulnerabilities and attacks could reduce the average cost of a breach by 25%, or about $450,000 annually.”
Ponemon/Adaptiva Study, January 2022

Can we quantify what kind time/money we’re saving customers with this?

We definitely can. Exploitability research and infrastructure identification (applicability) is an ongoing challenge for every company. Expel Vulnerability Prioritization consistently monitors our internal and external threat intel so our customers can focus on remediation.

I’ve personally felt the practitioner’s headaches, and I think we’re going to reduce the cycle time of exploitability prioritization, saving our customers plenty of time and resources. Our VP team will continue to define these metrics, so our customers will see the value.

We’d love to talk more about how we can improve your security footing and save your team hours in researching vulnerabilities. Drop us a line.