Prioritize and Remediate Active Vulnerabilities Impacting Your Network · 2019-12-21

Issue 2

Contents

Introduction

Research from Gartner: It’s Time to Align Your Vulnerability Management Priorities With the Biggest Threats

About Trend Micro

Introduction

Cyber threats and the cybercriminal community have evolved from the days of pranksters launching annoying viruses and spam that would be considered primitive today, to hacktivist organizations and nation states launching ransomware and other malware for political and financial gain. While enterprises make concentrated efforts to protect their critical data and reputation through a layered security approach using best-of-breed solutions, the lack of correlated and contextual network visibility can leave IT security organizations unable to prioritize the threats that matter most, and networks susceptible to multi-vector attacks.

Using Trend Micro solutions, enterprises can aggregate data from across their network in order to prioritize security response measures for current and potential threats, as well as reduce the time to secure through automated incident response and integration with complementary third-party solutions. This paper focuses on how enterprises can align their vulnerability management priorities, gain visibility, and take immediate action on the active vulnerabilities in the wild directly impacting their environment with Trend Micro Integrated Advanced Threat Prevention.

Trend Micro Integrated Advanced Threat Prevention

Trend Micro’s Integrated Advanced Threat Prevention approach combines TippingPoint® Next-Generation Intrusion Prevention System (NGIPS) solutions with Deep Discovery solutions to address high-performance data center and enterprise network requirements including, but not limited to:

• Accurately and effectively identifying and blocking malicious traffic

• Preventing lateral movement of malware

• Enhancing network performance and security

• Ensuring network availability and resiliency

Designed for network transparency, Trend Micro’s TippingPoint NGIPS can be deployed seamlessly into the network with no IP address or MAC address to immediately filter out malicious and unwanted traffic. A “bump-in-the-wire” device, the TippingPoint NGIPS is easy to deploy and manage while maintaining a high level of performance and security accuracy. It stops the spread of malicious traffic from infected users, while notifying the administrator where the attacks are originating. Security administrators can designate specific security policies by network segment and deploy them effortlessly through centralized management with the TippingPoint Security Management System (SMS). If security policies need to be adjusted, the TippingPoint NGIPS allows for quick reconfigurations, minimizing any security or performance impact.

Trend Micro’s Deep Discovery solutions can detect, analyze and respond to unknown malware and advanced threats across all network traffic, all ports and over 100 protocols. Through the use of extensive detection techniques, network monitoring and custom sandbox analysis, Deep Discovery solutions can identify advanced and unknown malware, ransomware, zero-day exploits, command and control (C&C) communications, lateral movement and evasive attacker activities. Organizations can also identify and block spear phishing emails that are often part of the initial phase of a targeted attack and enhance their existing security investments through integration and sharing of threat intelligence, as well as additional processing capacity for high traffic environments.

Trend Micro’s Integrated Advanced Threat Prevention approach enables enterprises to optimize their overall security posture through:

Pre-emptive Threat Prevention: Inspect and block inbound, outbound and lateral network traffic in real-time to protect against known, unknown, and undisclosed vulnerabilities.

Threat Insight and Prioritization: Gain insight and context with complete visibility across the network to measure and drive vulnerability threat prioritization.


Real-Time Enforcement and Remediation: Defend the network from the edge to the data center to the cloud with real-time, inline enforcement and automated remediation of vulnerable systems.

Operational Simplicity: Simplify security operations with flexible deployment options that are easy to setup and manage through a centralized management interface with recommended settings that provide immediate and ongoing threat protection.

Prioritize Critical Vulnerabilities in Your Network with TippingPoint SMS Threat Insights

Security solutions have made significant strides in providing massive amounts of information regarding the status and security of the network, but when an IT security organization has to manage multiple solutions and make sense of tens of thousands of alerts, understanding what’s going on and prioritizing critical alerts can be challenging, if not impossible. Teams need to understand and digest this information, and also implement and execute security policies based on threats that could affect their organization.

Trend Micro’s TippingPoint SMS Threat Insights is an aggregation portal that takes events from the TippingPoint NGIPS, third-party vulnerability management solutions, and sandboxing solutions and displays them in one place to prioritize, automate, and consolidate network threat information. This allows multiple security groups to have a common framework for evaluation and resolution. By automating the aggregation of threat data from multiple security tools, SMS Threat Insights helps security professionals prioritize incident response measures for breaches or potential vulnerabilities, and highlights preemptive actions already taken to protect their network. SMS Threat Insights provides the ability to:

• Identify breached hosts that are infected or under attack based on blocked or allowed attempts.

* SMS Threat Insights can provide host-centric visibility into which breached hosts require the most attention. Information is provided based on the number of times a host has been breached and the number of times a threat has been detected. If enterprises use Microsoft® Active Directory, additional context can be provided down to the user name.

Source: Trend Micro

FIGURE 1 TippingPoint SMS Threat Insights

“Employ mitigating controls, such as intrusion protection systems, network segmentation, application control and privileged identity management, to prevent vulnerabilities from being exploited, when you can’t patch in an acceptable time frame or there is no patch available. These controls help focus on the vulnerabilities that are being actively exploited in the wild first.”


• Integrate with industry-leading third-party vulnerability scan solutions to identify vulnerabilities and optimize security policies.

* With the TippingPoint Enterprise Vulnerability Remediation (eVR) feature, information is pulled in from other third party vulnerability management and incident response vendors. CVEs are mapped to TippingPoint Digital Vaccine® (DV) filters so that IT security administrators can take immediate action based on enhanced threat intelligence to increase their security coverage.

• Distinguish potential threats classified as malicious and determine whether suspicious objects have been blocked or permitted.

* When a user downloads an unknown object, the TippingPoint NGIPS decrypts and extracts the suspicious object and sends a copy to Deep Discovery Analyzer for analysis. Deep Discovery Analyzer then detonates the object, determines if it is malicious, and informs the TippingPoint SMS. If an object is deemed malicious, the TippingPoint SMS will then inform the TippingPoint NGIPS so that any lateral movement of the malicious object will be automatically blocked by the TippingPoint NGIPS.

• Determine if any active zero-day threats are infiltrating the network.

* TippingPoint zero-day DV filters are developed using exclusive access to vulnerability data from the Zero Day Initiative (ZDI). Filters labeled “disclosed” indicate that the vendor has issued a patch for the vulnerability; filters labeled “pre-disclosed” indicate that the vendor has not yet issued a patch. SMS Threat Insights provides visibility into vulnerabilities currently protected by zero-day DV filters, as well as vulnerabilities that may have a DV filter available but not applied.

Integrated Advanced Threat Prevention Fueled by Comprehensive Threat Intelligence

Trend Micro is uniquely positioned to protect high-performance data centers and enterprise networks from known, undisclosed, and unknown vulnerabilities. By addressing the full threat lifecycle, Trend Micro provides comprehensive threat intelligence that enables security operations and incident response teams to manage, view, prioritize, and remediate threats:

SMART Protection Network

Trend Micro Smart Protection Network is global threat intelligence that rapidly and accurately collects and identifies new threats, delivering instant protection for data wherever it resides. Trend Micro’s threat researchers and data scientists use the latest big data techniques to analyze the data, and combine their analyses with automated processes such as machine learning to identify threats in real time. This wealth of global threat intelligence is rapidly collated using predictive analytics to customize protection against the threats that are most likely to impact an organization. To maintain this immense scale of threat protection, Trend Micro created one of the world’s most extensive cloud-based protection infrastructures in 2008. With the development of automatic correlation of threats for customized protection, Trend Micro delivers threat visibility across platforms, security layers, and users globally.

Zero Day Initiative

Founded in 2005, the Zero Day Initiative was created to promote the responsible disclosure of vulnerabilities. Recognized as the leading global organization in vulnerability research and discovery since 2007, the Zero Day Initiative provides Trend Micro exclusive insight into undisclosed vulnerabilities. When a vulnerability is discovered through the Zero Day Initiative, Trend Micro is the ONLY organization (other than the affected vendor) that has access to the vulnerability data. This results in pre-emptive coverage for Trend Micro customers between the discovery of the vulnerability and patch availability. In 2016, Trend Micro protected customers using TippingPoint solutions an average of 57 days prior to public disclosure of a vulnerability found through the Zero Day Initiative.

Digital Vaccine® Labs (DVLabs)

TippingPoint solutions provide real-time, accurate threat prevention for known and zero-day vulnerabilities through threat intelligence provided by DVLabs. The Trend Micro TippingPoint DVLabs team conducts advanced security research and provides cutting-edge threat analysis and security filters that cover an entire vulnerability to protect against all potential attack permutations, not just specific exploits. Digital Vaccine (DV) filters provide vulnerability protection for network devices, virtualization software, operating systems, enterprise and Web applications, and industrial control system networks. In addition, the Trend Micro TippingPoint ThreatDV service provides malware filters as well as a reputation feed that identifies “known bad” IP addresses or DNS names. DVLabs helps you gain control of your organization’s patch management lifecycle by providing pre-emptive coverage between the discovery of a vulnerability and the availability of a patch, as well as added protection for legacy, out-of-support software.

Summary

The effectiveness and reliability of Trend Micro’s TippingPoint and Deep Discovery solutions are evident in the thousands of deployments by organizations worldwide, including many Fortune 1000 and Global 1000 companies. Enterprises can find immediate value in the flexibility and operational simplicity of Trend Micro’s solutions to prioritize and remediate known, undisclosed, or unknown threats in their environment. With its combination of best-of-breed next-generation IPS platforms, leading advanced threat defense solutions, enterprise-class management solutions, and industry-leading threat research and security filter development, Trend Micro provides integrated advanced threat prevention to address the evolving requirements of the most demanding data centers and enterprise networks without sacrificing security or performance.

About Trend Micro

Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. All our products work together to seamlessly share threat intelligence and provide a connected threat defense with centralized visibility and control, enabling better, faster protection. With over 5,000 employees in over 50 countries and the world’s most advanced global threat intelligence, Trend Micro enables organizations to secure their journey to the cloud. For more information, visit www.trendmicro.com.

For more information on Trend Micro’s TippingPoint solutions, please visit www.trendmicro.com/tippingpoint.

Source: Trend Micro

FIGURE 2 Zero Day Initiative Bug Bounty Program Process

Research from Gartner

It’s Time to Align Your Vulnerability Management Priorities With the Biggest Threats

Key Challenges

• The exploitation of known, but unmitigated, vulnerabilities is the primary method of compromise for most threats. Meanwhile, “zero days” are only approximately 0.4% of vulnerabilities during the past decade, but their risk to most companies is out of balance with the attention they get.

• Vulnerability remediation prioritization is not taking into account the biggest risks.

• Breach report data and Gartner research highlight that only a small number of vulnerabilities go on to be exploited in real-world attacks.

• The lofty goal of “patch everything, all the time, everywhere” is not only rarely fulfilled, it is causing friction between IT security and IT operations.

• Traditional vulnerability severity rating schemes — such as FIRST’s Common Vulnerability Scoring System (CVSS) score or the classical “critical, high, medium and low” rankings — can provide base measures of the criticality and impact of vulnerabilities; however, they don’t take into account what is actually exploited “in the wild.”

• Attackers are able to easily and cost-effectively obfuscate attacks that leverage existing vulnerabilities for effective and profitable outcomes.

Recommendations

Security managers should:

• Start tracking a simple metric that gives your organization visibility into the overlap between “the vulnerabilities in your environments” and “the ones being actively exploited in the wild.” Improving this one metric will significantly reduce the risk of being breached. Security operations, analytics and reporting tools, and threat intelligence services help deliver this.

• Employ mitigating controls, such as intrusion protection systems, network segmentation, application control and privileged identity management, to prevent vulnerabilities from being exploited when you can’t patch in an acceptable time frame or there is no patch available. These controls help you focus on the vulnerabilities that are being actively exploited in the wild first.

Strategic Planning Assumption

Through 2020, 99% of the vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year.

Introduction

The No. 1 issue in vulnerability management (and, arguably, IT security operations) is that organizations are not prioritizing their patching and mitigating controls, nor are they mitigating the exploitation of commonly targeted vulnerabilities. In short, organizations are struggling to figure out the delta between “what can I fix” and “what will make the biggest difference, with the pragmatic reality of the time and resources that I actually have.” The answer is a risk-based approach. This research highlights the biggest risks.

There is now considerable and consistent independent research to make this important point (see Verizon DBIR). Although Gartner is seeing persistent as well as advanced threats, most threat actors do not use overly sophisticated means to achieve their goals in most cases.

The dogmatic approach to vulnerability management, based on attempting to deal with large volumes of vulnerabilities in aggregate, seems sound and is based on common sense; however, it has led to friction between IT security and operations teams. This comes from the implied and actual resources required to “patch everything,” based on the large numbers of vulnerabilities present in all organizations. More importantly, it has not delivered on its goal of making organizations more secure — breaches have continued unabated during the past decade.

Vulnerabilities and their exploitation are still the root cause of most breaches. IT security leaders should refocus their attention on how vulnerabilities are being managed and should track this metric to provide visibility as to how to reduce the biggest risks of being breached.

Einstein’s adage that, “The definition of insanity is to keep doing the same things, but expect different results” has rarely seen a more definitive example than the way in which vulnerability management is being pursued in enterprises. A change needs to be pursued that pragmatically recognizes “the ideal” for those things that “will make the biggest improvements.” Figure 1 highlights this proposition. The Verizon DBIR clearly shows that old vulnerabilities are still leveraged in breaches.

This research defines one of the most-critical issues in IT security operations today, and the practical approach to dealing with it in the most-effective and low-cost way. Pragmatically, if we deal with the “elephant in the room” first, then we will have a better foundation. We are not saying that you should stop there and abandon the idea of continually inching toward improvements. However, we are clearly not executing well on the critical issue of reducing your attack surface by closing the biggest risks. It is worth pressing the reset button and doubling down on improving your vulnerability management. Get your foundation right first. It’s not just a principle; the data speaks volumes as to how effective it could be in improving your organization’s security posture.

As an adversary, if I can continue to do the same thing, at decreasing costs with lower entry points in terms of knowledge and cost, then why would I bother doing something new? The painful answer for IT security is that adversaries haven’t, and that’s largely because we haven’t made them do so. We have not been executing on simple concepts to change the cost model for threat actors.

In the complementary research (see “Strategic Vulnerability Remediation Prioritization”), we explore the total spectrum of vulnerability management program improvements that should be undertaken.

Analysis

Vulnerabilities are more often leveraged by attackers if they are relatively easy to exploit and present in software with a large installed base. Consequently, these have the best chance of going on to make it to the “exploitation mainstream.” This happens because easily weaponized exploits (i.e., those that virtually anyone can easily use with no detailed knowledge of the vulnerability or the exploit) are then circulated via various public and private forums and numerous attack creation tools. Because we are not remediating them, adversaries also don’t need many vulnerabilities (one is enough), so why spend the time investing in new methods or buying expensive zero-day vulnerabilities?

Source: Verizon 2016 DBIR

FIGURE 1 Number of Vulnerabilities Successfully Exploited in 2015

As a rough metric, our research has uncovered that there are likely to be (depending on your technology stack) only about 50 to 300 vulnerabilities in each year about which you should be critically concerned. It’s this number that roughly defines the number of vulnerabilities that make it into the exploitation mainstream. They are the ones that are most often used and reused for all kinds of nefarious activity from various threat actors — for example, banking trojans, ransomware and botnets.

Today’s vulnerability assessment tools do a good job highlighting many more than these high-risk vulnerabilities. In aggregate, across an organization, they often measure tens of thousands of vulnerabilities that you have to figure out how to manage.

Prioritize the Patching of Vulnerabilities Being Exploited in the Wild

First, Let’s Review the Problem

The core tenet of information security is that it exists to preserve the confidentiality, integrity and availability of your company’s IT assets. A breach is arguably one of the clearest demonstrations of impact across all three of these tenets. The impact is real to individuals, organizations, clients and partners alike.

Gartner sees far too much focus on “exploits” and “malware,” rather than the underlying root causes, which are actually the vulnerabilities that are leveraged. Although not all breaches result from a vulnerability being exploited, most do, and within this majority, they come from known vulnerabilities, rather than “zero days.”

Figure 2 shows the history of vulnerabilities by severity during the past decade, and, with that, vulnerability management has the following realities:

• During the past decade, on average, approximately 8,000 vulnerabilities a year of various severity levels have been disclosed. Although there has been a slight rise, it is not significant, when you consider how much more software is active today versus a decade ago. In contrast, the amount of malware and other threats has increased exponentially.

• Organizations have to deal with the cumulative number of vulnerabilities. If your organization is still running older OSs and applications, there could easily be tens or hundreds of thousands of vulnerabilities in a range of technologies in your environment across every device in your environment.

• Not all vulnerabilities have patches. Some don’t have patches available for years after they’re publicly disclosed. Some vendors require commercial support to get patches; other systems and applications, such as SAP, are hard to patch. Some devices, such as embedded systems (e.g., OT equipment, tablets and phones), are also orphaned by manufacturers that don’t supply patches when they are available for newer versions.

• Although the Common Vulnerability Scoring System (CVSS) severity ranking is effective at ranking a vulnerability, it does not take into account (and nor should it) which vulnerabilities go on to be exploited in the wild and at what scale. During the past decade, on average, only about 12.5% of disclosed vulnerabilities have been exploited with public verification.

• The vulnerabilities ranked as “medium” tend to be the largest severity category of vulnerability disclosed, as well as exploited. These are vulnerability classes such as SQL injection (SQLi) and cross-site scripting (XSS).

• Attack path modeling and an understanding of the kill chain also highlight that vulnerabilities are often chained together — for example, local plus network-based combinations or ones of various severity levels. A recent example was the three zero days used that led to Apple releasing iOS v.9.3.5 (see “The Million Dollar Dissident: NSO Group’s iPhone Zero-Days Used Against a UAE Human Rights Defender”).


Why This Is the Problem

Traditional logic states that you should patch in order of the severity of the vulnerability — for example, critical vulnerabilities first, then high, then medium and so forth. Although it would be great if we could patch everything, this is clearly not working, and, in fact, it’s not even possible for most organizations. We are far from a world in which this will be achievable. However, attack path modeling and an understanding of the cyber kill chain (see Addressing the Cyber Kill Chain) shows that, in reality, the most-effective approach is to focus on the vulnerabilities being exploited in the wild.

In Figure 3, we asked the data a simple, binary question: “How many vulnerabilities go on to be recorded as publicly exploited?” This clearly shows that, on average, only roughly one in eight (about 12.5%) of the vulnerabilities have gone on to be exploited in the wild during the entire past decade. Another point to note is that the number of exploited vulnerabilities over the decade is actually flat — it’s not getting worse. This is despite the number of breaches increasing, as well as the number of threats appearing. In short, more threats are leveraging the same small set of vulnerabilities.

However, pragmatically, if you could focus your efforts on patching (or have a compensating control) the vulnerabilities that are being exploited in the wild, then it would:

• Be an effective approach to risk mitigation and prevention

• Be a smaller number to deal with, which means more effort could be put into dealing with a smaller number of vulnerabilities for the greater benefit of your organization

For example, our analysis is that a CVSS ranked 5 vulnerability (e.g., a SQLi vulnerability that’s facing the internet from your DMZ that’s now actively being exploited in the wild) is a bigger concern than a DB2 vulnerability on an RS/6000 with a CVSS rank of 10 on an internal host with segmentation and other controls applied that’s never been exploited in the wild during the past four years.

Source: Adopted From IBM X-Force/Analysis by Gartner Research (September 2016)

FIGURE 2 Publicly Disclosed Vulnerabilities (2006 to 2015)

Adversaries seem to have a basic formula that determines whether a vulnerability will go on to be exploited:

• The number of targets available — Is it Adobe PDF on hundreds of millions or a billion endpoints, or is it OpenBSD? Clearly, an OpenBSD vulnerability is unlikely to see the “exploitation mainstream,” compared with a PDF vulnerability that affects all OSs on which it’s installed.

• Difficulty of exploitation — Some vulnerabilities may have a large installed base, such as Microsoft SQL server; however, the vulnerability may exist only in old versions or is, perhaps, not exploitable in the default configuration, or the exploit could be relatively complicated to develop or, perhaps, require authentication. Attackers prefer reliable and easily exploited vulnerabilities.

How Big Is the Zero-Day Problem

Gartner believes that the term “zero day” (sometimes referred to as “0day”) has been corrupted in terms of its meaning and conflated in terms of how problematic it is to organizations. Vendors claim that net new samples of malware are actually zero day (see Figure 4), but forget to add that these are actually just “new” malware variants that are exploiting the same vulnerabilities. This is being called out because, overwhelmingly, new malware variants are not using new zero-day vulnerabilities, but leveraging older (and known) vulnerabilities. Although the vendor claims may be theoretically correct (it is technically a new threat), what isn’t changing are the underlying vulnerabilities that are being exploited to gain a foothold in your organization. This is where there are clear examples of “not telling the whole truth,” because they are not actually “new” per se (or zero day), but are existing threats dressed up differently to appear “new” to technology that is geared toward detecting threats using signatures.

Zero day has also been conflated in terms of its actual risk to organizations as well. Are zero days real? Absolutely. Are they the “biggest” issue for most organizations, including government agencies? No. Figure 4 shows that, on average, vulnerabilities that are exploited at day zero (that is, with no knowledge of the vendor and no prior remediation available) are about 0.4% of total vulnerabilities each year during the past decade. This is like worrying about being attacked by a great white shark at the beach, but not worrying about the drive to the beach. Clearly, driving presents exponentially more risk than a shark attack in terms of the risk of a fatality. In essence, the amount spent on trying to detect zero days is out of kilter with the actual risks they pose, when compared with the massive numbers of breaches and infections that come from known vulnerabilities being repeatedly exploited.

Source: Adopted From IBM X-Force/Analysis by Gartner Research (September 2016)

FIGURE 3 The Number of Vulnerabilities That Have Been Exploited

Source: Adopted From IBM X-Force/Analysis by Gartner Research (September 2016)

FIGURE 4 The Zero-Day Problem

Source: Adopted From IBM X-Force/Analysis by Gartner Research (September 2016)

FIGURE 5 How Long It Has Taken, on Average, for a Vulnerability to Be Exploited During the Past Decade (in Days)

Also, as an industry, we are becoming steadily better at detecting new zero-day vulnerabilities being exploited than we were five years ago. So, the chances of a zero day going unnoticed for long periods of time are decreasing. Vendor-funded vulnerability acquisition programs (see Zero Day Initiative) and public/private bug bounty programs are also helping to proactively discover vulnerabilities, which are then responsibly disclosed.


Figure 5 shows that, on average, the time it has taken from a patch coming out to when an exploit appears in the wild has dropped from 45 days to 15 days during the past decade. This means that, if you can’t patch/remediate with your current IT operations processes within these time frames, then you need to plan to have a mitigating control. Mitigation options include intrusion prevention systems (IPSs), network segmentation, privileged identity management and application whitelisting (to name a few), which credibly apply “virtual patches” or other measures to shield the at-risk hosts from having their vulnerabilities exploited and causing a breach.

Taking a different view of this data also means that, if a vulnerability is not exploited in roughly the first 15 to 90 days after it is announced, it is then statistically quite rare (but still possible) that it will be exploited in the wild. It would then fall into the roughly 87.5% of all vulnerabilities that are not exploited in the wild. This can also help an organization with its risk management and the prioritization of its IT security operations.

For all vulnerabilities that have been noted to have exploits available, displayed by severity, Figure 6 shows that the “medium” ranked vulnerabilities have been exploited more often in aggregate. This is because there are more medium-ranked vulnerabilities in an organization’s network. The other problem with these medium-ranked issues, such as SQLi and XSS, is that they are rife in custom-developed applications that a large number of enterprises use to run critical processes. These custom web applications rarely get their own CVE and CVSS rankings. This data doesn’t take this into account, and it’s safe to say it’s a substantial number, based on the continuing feedback from penetration testers and other companies, such as HP Fortify, which report on what they find in custom web applications. This is another reason that guidance such as the OWASP Top 10 is critical to pay attention to for applications you’re developing yourself.

What to Do About It

The answer is surprisingly simple to articulate and to execute on. Overwhelmingly, threat actors use old vulnerabilities to gain access to your organization. We recommend adjusting your IT operations priorities so that you patch or remediate (or have a mitigating control for) the vulnerabilities that are present in your organization and that are being exploited in the wild, regardless of their severity. Figure 7 is a simple representation of this concept in terms of what you should be targeting. (See "Innovation Insight for Security Operations, Analytics and Reporting" for detail on providers — e.g., Core Security Technologies, Kenna Security, RiskSense, Skybox Security, NopSec and Qualys — that can assist.)

Source: IBM X-Force/Analysis by Gartner Research (September 2016)

FIGURE 6 Vulnerabilities That Have Been Exploited (by Severity)


What If I Can’t Patch, or There’s No Patch Available

Not all vulnerabilities have remediation available from the vendor. Although small in number, zero days do occur and need to be accounted for. Some systems have a runtime in your environment that is longer than the vendor's willingness to supply security patches, or you may not be in a position to pay for extended patch support for some technologies. Finally, mission-critical systems that run your digital business cannot simply be made unavailable on an uncontrolled schedule. Therefore, a strategy to deal with these realities is required.

Multiple methods can help mitigate this issue, including application whitelisting; identity and access management; and privileged user monitoring.

Use IPS for Virtual Patching

IPS is a well-established technology, and since its inception approximately 20 years ago it has been tied intimately to vulnerabilities and to preventing and detecting their exploitation. Although some organizations have collapsed their perimeter IPS into their firewall or unified threat management system, in Gartner’s experience:

• Few organizations configure their IPSs correctly to protect the vulnerabilities most at risk of exploitation.

• Many organizations rely on substandard IPS technology in integrated security solutions, which is often detuned or even disabled due to performance and false-positive issues.

• IPSs are not commonly deployed on the internal network (see Figure 8) around at-risk assets in the prevention (or even the detection) mode.

• Few organizations have deployed IPSs to handle increasingly virtualized environments.

• Few organizations have the same level of inspection for hybrid and public cloud workloads.

Source: Gartner (September 2016)

FIGURE 7 The Primary IT Security Risk to Manage to Prevent a Breach

[Figure 7 is a Venn-style diagram with three sets: "All Disclosed Vulnerabilities", "Vulnerabilities in Your Environment" and "Exploited Vulnerabilities"; the overlap of the latter two is labelled "Key Vulnerabilities to Be Worried About".]

Source: Gartner (September 2016)

FIGURE 8 Virtually Patching a Network

Case Study

Study No. 1: Ransomware

In this case study, we review more data on how Gartner’s vulnerability management theories can be practically applied. In this case, we review the impact of focusing on the vulnerabilities being exploited by web exploit kits and ransomware.

Ransomware has been a particularly pernicious threat during the past year. Using the approach presented so far around prioritizing exploited vulnerabilities, how would this apply to ransomware?

Gartner was able to work with Recorded Future in the first quarter of 2016 to get a list of all known families of ransomware. Then, for each family, we were able to get a list of all known vulnerabilities (by CVE) that have been seen or associated with these malware families. This provides a sound fact base for our proposition that only a small number of vulnerabilities are doing the damage (see Figure 9).

[Figure 8 labels: "IPS/IDS", "Key IT Assets", "End Users"; annotations: "We do a lot of this" and "We don't do anywhere near enough of this".]

Table 1 shows, by year, how many vulnerabilities have been associated with all known families of ransomware. As you can see from Figure 9 and from Table 1, this is a numbers game that is actually in our favor. Taking IT operations teams a small, highly targeted list of vulnerabilities, rather than thousands of vulnerabilities that require treatment, should result in far less friction between the two organizations. Based on client inquiry, being handed those thousands is one of the leading reasons Gartner sees for IT operations pushing back against IT security teams.

In the interim, controls such as vulnerability assessment analytics can tell you which vulnerabilities fit into the category of “you have them, and they are being exploited” and where they are on your network. Subsequently, prevention technologies, such as IPS and others, can be used to ensure that the vulnerabilities being targeted have a credible compensating control.


Source: Recorded Future (September 2016)

FIGURE 9 Known Vulnerabilities Associated With All Ransomware Families (by Year)

Table 1 shows that, if you could patch or have a compensating control for only slightly more than 100 vulnerabilities (with the majority from 2013 through 2015), you could significantly reduce the risk of being affected by ransomware. These vulnerabilities are also heavily leveraged by other classes of threats and malware on top of ransomware as well.

Year    Number of Vulnerabilities
2015     36
2014     33
2013     22
2016      9
2012      4
2010      2
2011      1
Total   107

Source: Recorded Future/Analysis: Gartner Research (August 2016)

Table 1. Number of Vulnerabilities Crypto-Ransomware Is Exploiting (by Year)


Source: Recorded Future (September 2016)

FIGURE 10 Ransomware Families and the Number of Vulnerabilities They Exploit

Source: Recorded Future/Analysis: Gartner Research (September 2016)

Figure 10 shows each ransomware family name and the number of vulnerabilities associated with that family. Despite ransomware being a high-profile and destructive threat recently, when you look at it from a data-driven security perspective (regardless of the ransomware family), only a small number of vulnerabilities are being leveraged. These are the ones organizations should be concerned about.

Rather than following stories about TeslaCrypt and Cryptolocker and asking “am I covered for CryptoWall,” organizations should focus on “how many hosts have CVE-xxxx-xxxx or CVE-xxxx-xxxx.”

In other words, you should be primarily addressing the vulnerabilities that the ransomware is exploiting. This is what effectively addressing a threat looks like from an organization’s point of view. Finding and addressing known vulnerabilities is what you can control. You can’t ever control the volume of malware.
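To make the Figure 7 filter ("vulnerabilities you have" intersected with "vulnerabilities being exploited") and the "how many hosts have CVE-xxxx-xxxx" question above concrete, here is an added Python example. It is not part of the Gartner note and not a Trend Micro or other vendor product; the scanner findings, host names and CVE-0000-nnnn identifiers are constructed placeholders, the exploited-in-the-wild feed is constructed, and the 15-day window is the patch-to-exploit figure quoted from Figure 5 earlier in the note.

```python
"""Prioritize scan findings by 'we have it AND it is exploited in the wild'.

Added illustration, not from the Gartner note. Every host, CVE id and date
below is a constructed placeholder (CVE-0000-nnnn is not a real identifier).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Patch-release-to-exploit window quoted from Figure 5 of the note (15 days).
EXPLOIT_WINDOW_DAYS = 15
# Constructed "today" so the example is reproducible offline.
TODAY = date(2016, 9, 20)


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    severity: str      # qualitative CVSS rating as reported by the scanner
    patch_date: date   # date the vendor fix became available


# Constructed scanner output: the vulnerabilities we actually have.
FINDINGS = [
    Finding("web-01", "CVE-0000-0101", "critical", date(2016, 8, 1)),
    Finding("web-02", "CVE-0000-0101", "critical", date(2016, 8, 1)),
    Finding("web-01", "CVE-0000-0202", "medium",   date(2015, 3, 10)),
    Finding("web-02", "CVE-0000-0202", "medium",   date(2015, 3, 10)),
    Finding("db-01",  "CVE-0000-0202", "medium",   date(2015, 3, 10)),
    Finding("db-01",  "CVE-0000-0303", "high",     date(2016, 9, 5)),
    Finding("hr-app", "CVE-0000-0404", "low",      date(2014, 1, 20)),
    Finding("vpn-01", "CVE-0000-0505", "high",     date(2016, 9, 15)),
]

# Constructed threat-intel feed: CVE -> exploit kits / ransomware families
# observed using it. A CVE we do not have (0909) is simply never surfaced.
EXPLOITED_IN_WILD = {
    "CVE-0000-0202": {"exploitkit-A", "ransomware-X"},
    "CVE-0000-0404": {"ransomware-Y"},
    "CVE-0000-0505": {"exploitkit-B"},
    "CVE-0000-0909": {"exploitkit-C"},
}


def prioritize(findings, exploited, today=TODAY, window_days=EXPLOIT_WINDOW_DAYS):
    """Return [(cve, severity, host_count, days_since_patch, action)], most
    exposed first. Only CVEs that are present in the environment AND in the
    exploited set are returned, regardless of CVSS severity: the 'critical'
    CVE-0000-0101 is dropped because nothing is known to exploit it."""
    hosts = defaultdict(set)
    sample = {}
    for f in findings:
        if f.cve in exploited:
            hosts[f.cve].add(f.host)
            sample[f.cve] = f
    rows = []
    for cve, hs in hosts.items():
        age = (today - sample[cve].patch_date).days
        # Past the exploit window and still unpatched: patching alone is too
        # slow, so a compensating control (IPS virtual patch, segmentation,
        # whitelisting) is needed now while the patch is scheduled.
        action = "patch+mitigate" if age > window_days else "patch-now"
        rows.append((cve, sample[cve].severity, len(hs), age, action))
    # Widest exposure first, then the longest-open window.
    rows.sort(key=lambda r: (-r[2], -r[3]))
    return rows


def hosts_with(findings, cve):
    """Answer 'how many hosts have CVE-x?' from the same findings."""
    return sorted({f.host for f in findings if f.cve == cve})


if __name__ == "__main__":
    for row in prioritize(FINDINGS, EXPLOITED_IN_WILD):
        print("%-14s %-8s hosts=%d age=%4dd %s" % row)
    print("hosts with CVE-0000-0202:", hosts_with(FINDINGS, "CVE-0000-0202"))
```

The output is the short list to take to IT operations: the medium-rated CVE-0000-0202 lands at the top because three hosts carry it, it is exploited by two families and its patch has been available for well over the 15-day window, while the critical-rated CVE-0000-0101 does not appear at all. In practice the two inputs come from your vulnerability scanner export and a threat-intelligence feed of exploited CVEs; the join logic does not change.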

Study No. 2: Exploit Kits

It is widely known that "exploit kits" have been a critical piece of malware delivery for some time (see Figure 11). This threat intelligence shows that malware is being delivered through only a small subset of vulnerabilities, which are heavily exploited and are, in general, a year or more old.


FIGURE 11 Exploit Kit Families and the Numbers of Vulnerabilities Associated With Them

Source: Recorded Future/Analysis: Gartner Research

There are not many exploit kits; however, they deliver a great deal of malware. Although the amount of "net new" malware is in the hundreds of millions of samples a year, the number of exploit kits delivering most of it is small, and the number of vulnerabilities those kits exploit is rather small as well (see Figure 12).

Study No. 3: Malware Data

For almost a decade, we have been in an "industrialized obfuscation" or "serial variant" era of malware: a sample is changed only slightly, repacked or given polymorphic properties, and is then counted as "net new" malware. The malware is not changing much within a family, yet there are often hundreds of thousands or many millions of samples of a family or style of malware. What isn't changing is the number of vulnerabilities being leveraged to deliver the malware and other threats.

Put simply, a significant number of attacks are being generated, using tools that are for sale or are off-the-shelf in nature. By monitoring which vulnerabilities are being leveraged by these tools, accessing other sources of threat intelligence and then actioning that, you can reduce the risk of a breach significantly.

Statistically speaking, this is a good news story for us. Why?

If, in each of the past 10 years, you had patched the roughly 50 to 300 vulnerabilities that were exploited in the wild that year, you would have closed off exposure to hundreds of millions, if not billions, of malware samples and other threats. As Table 2 shows, the ratio of threats to the vulnerabilities they leverage is exponentially higher today than it was a decade ago. It sounds counterintuitive, but this is a good thing. Despite all the doom and gloom from some vendors’ marketing machines, this is a statistic that is actually heavily in our favor.

Year    Net New Samples of Malware
2006            140,690
2007            624,267
2008          1,656,227
2009          2,361,414
2010        286,000,000
2011        403,816,909
2012        430,625,138
2013        251,789,458
2014        317,256,956
2015        431,000,000

Source: Symantec (September 2016)

Table 2. The Exponential Growth of Malware

Many vendors have entirely missed this data point and continue to articulate the message of "look how many threats there are." If you can get the data and analyze it quantitatively, the problem statement actually becomes "look at how many threats are still leveraging a small number of vulnerabilities."

Evidence

Gartner has applied quantitative analysis techniques for this research. However, as with all data analysis, the dataset may have missing pieces, the analysis of the data may be incorrect, and the analysis may exhibit bias. Having said that, Gartner checked the aggregate findings with the vendors prior to using this data. We believe the analyses are authoritative enough that the findings represent real value to end-user organizations.

The datasets used directly in presentations or print, or used generally for this research, were:

• IBM X-Force — Gartner received a large dataset containing more than 1.2 million artifacts of every vulnerability from 2006 to 2015, including publicly available data, such as the CVE number and metadata on patching dates — patches, vendors, vendor products, CWE details and whether the vulnerabilities were recorded as actually being exploited.

• Recorded Future — In late April 2016, Gartner received data containing all known exploit kits and, for each exploit kit, which vulnerabilities have been associated with them. We also received a list of all known families of ransomware — for each family, which specific vulnerabilities have been associated with it.

• Symantec malware statistics provided by Symantec research, and also obtained from its ISTR reports.


• Verizon DBIR reports, as well as the VERIS dataset from GitHub.

• Data breach data from the Privacy Rights Clearinghouse.

Other external sources pointing to vulnerability prioritization and other helpful links related to this research:

• Common Vulnerabilities and Exposures

• Common Vulnerability Scoring System, V3 Development Update

• U.S. Computer Emergency Readiness Team

• A New Way of Looking at Vulnerabilities in Your Environment

• Gone in a Flash: Top 10 Vulnerabilities Used by Exploit Kits

• 2016 Internet Security Threat Report

• Tools of the Trade: Exploit Kits

• 2015 State of Vulnerability Risk Management

Source: Gartner Research Note G00271721, Greg Young, 28 July 2016


About Trend Micro

Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. All our products work together to seamlessly share threat intelligence and provide a connected threat defense with centralized visibility and control, enabling better, faster protection. With over 5,000 employees in over 50 countries and the world’s most advanced global threat intelligence, Trend Micro enables organizations to secure their journey to the cloud. For more information, visit www.trendmicro.com.

For more information on Trend Micro TippingPoint solutions, please visit www.trendmicro.com/tippingpoint.

Prioritize and Remediate Active Vulnerabilities Impacting Your Network is published by Trend Micro. Editorial content supplied by Trend Micro is independent of Gartner analysis. All Gartner research is used with Gartner’s permission, and was originally published as part of Gartner’s syndicated research service available to all entitled Gartner clients. © 2017 Gartner, Inc. and/or its affiliates. All rights reserved. The use of Gartner research in this publication does not indicate Gartner’s endorsement of Trend Micro’s products and/or strategies. Reproduction or distribution of this publication in any form without Gartner’s prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity” on its website.