Know the Score: Vulnerability Exposure Explained
In this post, I explain the various factors in calculating the Illumio Vulnerability Exposure Score (VES), which allows organizations to combine industry-standard vulnerability scoring measurements with context from their own unique environment. The VES also helps security professionals prioritize security controls to minimize the exposure of the attack surface and potential impact of vulnerabilities.
What is exposure?
Exposure in the context of cybersecurity is typically defined by the "attack surface." Here is a definition that OWASP uses:
Attack surface describes all of the different points where an attacker could get into a system, and where they could get data out.
The Illumio VES is directly aligned with that definition. Simply put, exposure is an attempt at quantifying the sum of the "holes," that is, the different points from which an attacker can try to enter a system across the network.
Let’s say, for example, you have a Partner Portal – a workload running a web application on port 443. Following the principle of least privilege, you may have limited access to that web application to only three external partners. In this example, the exposure score for that application is 3. While this seems obvious, very often organizations do not have this level of awareness or visibility into their east-west exposure on an application-by-application basis, let alone the ramifications of the aggregate of these exposures across their environment.
What is a vulnerability score?
The Illumio VES employs the open industry standard, community-accepted Common Vulnerability Scoring System (CVSS) originally pioneered by the National Infrastructure Advisory Council (NIAC). Adopting an industry standard allows us to interoperate with many existing security solutions, including vulnerability management vendors, as well as provide a score that is accepted by the widest range of security practitioners.
Vulnerability scores are commonplace in most vulnerability management solutions and are usually assessed and assigned on a per workload basis. For example, workload A has five vulnerabilities. The vulnerability score could be the combined average of the CVSS scores of those five. While this is a valuable metric to understand the potential vulnerability of a single workload in isolation, it misses some important details to understand how truly vulnerable that workload is in a live environment.
Implementing microsegmentation to mitigate the risk associated with vulnerabilities
To understand just how vulnerable something is, you need to look at multiple factors. A vulnerability is only truly a risk if it’s exposed in your environment and can be exploited.
For a simple example, let's consider a single workload with a single critical vulnerability. Because it’s scored as “Critical” severity, it may be highly exploitable. The typical recommendation of a security team might be, “We gotta patch it!”. But let’s consider how many other workloads can connect to that workload and potentially exploit that vulnerability. Let’s also examine the network ports that are exposed as part of that vulnerability. As is often the case in flat networks, the workload will be well-connected to many other workloads.
Patching that particular vulnerability may not be feasible, either because a patch does not yet exist or because of requirements and restrictions around production uptime, change windows, and SLAs. In such instances, we can use microsegmentation to reduce the number of workloads that can connect to that vulnerable workload and to the specific vulnerable port.
Microsegmentation becomes a risk-mitigating control by:
- Reducing the attack vectors to the workload.
- Reducing the "exposure" of the workload.
- Reducing the risk that the vulnerability on that workload can actually be exploited, even though the vulnerability is both "Critical” and cannot currently be patched.
What is the Vulnerability Exposure Score?
The Illumio VES is a means to get a handle on both the "exploitability" of a vulnerability (typically represented by the CVSS score), together with the actual "reachability" of the vulnerable workload via attack vectors in your environment – what we’ve been calling "exposure."
Now for the actual math. The VES is calculated by multiplying a scaled vulnerability score (CVSS) by a scaled exposure measurement for a given service, where s and p are scaling functions that place those measurements on a logarithmic scale, a common mathematical technique when the values span a large range:
VES = s(CVSS) * p(exposure measurement)
As I mentioned in my Forbes article on enterprise security lessons garnered from NBA MVP Steph Curry, this measurement provides a way for a security professional to understand vulnerability and related threat information in the context of segmented environments.
Specifically, traditional vulnerability management solutions use ratings of Critical, High, Medium, Low, and Info to categorize vulnerabilities and help prioritize mitigation efforts. Critical and High get immediate attention, as they should. However, there are a large number of Medium vulnerabilities that aren’t prioritized and eventually build up into a significant backlog, which has not gone unnoticed by malware writers.
Critical vulnerabilities are often highly exploitable (low cost to the attacker), but for only a short period of time because security teams quickly move to patch or find other ways to remove the exposure. Attackers, always looking for a new angle, are increasingly targeting medium vulnerabilities that are often lost in the noise and remain unpatched for longer periods of time – a much more effective target to breach. They may be considered a bit more "expensive" to exploit (higher barrier to entry, if you will), but the fact that they will be available longer than the critical and high vulnerabilities makes them much more attractive to target when the attacker calculates ROI against their investment.
The purpose and payoff
The VES makes it much easier for an organization to combine the industry best practice CVSS scoring with factors that are unique to each customer’s environment. Security teams can better prioritize their mitigation strategy based on the exposure of the vulnerability in their unique environment. For example, a high severity vulnerability could be deprioritized because the exposure has been greatly reduced by microsegmentation controls. Or there could be a medium vulnerability that should be prioritized to the top of the list given the exposure with a massive number of potential attack paths into that vulnerable service.
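To make the arithmetic concrete, here is an added example (my own illustration, not Illumio's implementation) that counts a service's exposure from a constructed allow-list of flows, as in the Partner Portal example above, and then ranks two constructed findings by VES = s(CVSS) * p(exposure). The post does not define s and p beyond saying they are logarithmic, so the exact curves below are assumptions; the constructed data pairs a Critical on a well-segmented portal with a Medium on a database reachable from a flat network.

```python
import math

# Added example, not Illumio's code. The page gives VES = s(CVSS) * p(exposure) and
# describes s and p only as logarithmic scaling; the curves below are assumptions.

def s(cvss: float) -> float:
    """Scale a CVSS base score (0..10) onto 0..1 with a log curve (assumed)."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError("CVSS base score must be between 0 and 10")
    return math.log1p(cvss) / math.log1p(10.0)

def p(exposure: int) -> float:
    """Scale an exposure count (sources that can reach the port) as log(1 + n) (assumed)."""
    return math.log1p(max(exposure, 0))

def ves(cvss: float, exposure: int) -> float:
    """Vulnerability Exposure Score for one service, per the formula on the page."""
    return s(cvss) * p(exposure)

def exposure_count(allowed_flows, workload, port):
    """Exposure of workload:port = number of distinct sources permitted to reach it,
    as in the Partner Portal example (three partners -> exposure 3)."""
    return len({src for src, dst, dport in allowed_flows if dst == workload and dport == port})

def prioritize(vulns, allowed_flows):
    """Rank (workload, port, cvss) findings by VES, highest first."""
    scored = []
    for workload, port, cvss in vulns:
        exp = exposure_count(allowed_flows, workload, port)
        scored.append((round(ves(cvss, exp), 3), exp, workload, port, cvss))
    return sorted(scored, reverse=True)

# Constructed sample data: (source, destination, destination port) flows the policy allows.
FLOWS = [
    ("partner-a", "partner-portal", 443),
    ("partner-b", "partner-portal", 443),
    ("partner-c", "partner-portal", 443),
    ("partner-a", "partner-portal", 443),   # duplicate source: must not double count
    ("jump-host", "partner-portal", 8443),  # different port: not this service's exposure
]
# Flat-network reporting database reachable from 500 hosts (constructed).
FLOWS += [(f"host-{i}", "db-reporting", 1433) for i in range(500)]

# Constructed findings: a Critical on the segmented portal, a Medium on the exposed database.
VULNS = [("partner-portal", 443, 9.8), ("db-reporting", 1433, 5.5)]

if __name__ == "__main__":
    for score, exp, workload, port, cvss in prioritize(VULNS, FLOWS):
        print(f"{workload}:{port} CVSS={cvss} exposure={exp} VES={score}")
```

Cutting the database's allowed sources from 500 to a handful with segmentation drops its VES below the portal's without touching the CVSS score, which is the reprioritization the paragraph above describes.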
The VES is possible because we uniquely understand the map – how your environment is connected and communicating – and overlay vulnerability information on top of the map to help security teams visualize and prioritize mitigation of the risk of vulnerabilities in their environment. This becomes an extremely powerful tool, not only for security teams but for others like application owners and executives who need to understand that risk and mitigate or accept it in the context of broader business risk.