PRIOn is a cyber startup company focusing on vulnerability management.
It was founded in May by three people, Andreas, Fanis and George. Currently, it is based in Athens, Greece.

It was obvious to us, given our respective histories in the cybersecurity and IT fields, that vulnerability management has a long history of pain points. We experienced many of them ourselves while engaged in hundreds of vulnerability assessment and penetration testing engagements with our customers in the past. The pattern of a vulnerability assessment is always the same. The customer provides a list of IPs/FQDNs. An assessor runs a vulnerability scanner (where applicable), which produces a list of vulnerabilities. A packaged report is prepared and communicated back to the customer. The recipient engages their internal team(s) to assess the identified vulnerabilities, a manual triage process that requires a lot of effort and time. Internal teams try to understand the criticality of those vulnerabilities and prepare a remediation plan. The remediation plan is communicated, hopefully, to the “right” owners, such as IT, SecOps, DevOps etc. Most of the time, the remediation plan is communicated mainly in the form of multiple xls sheets sent via email for further action (the remediation phase). According to the public report “Costs and Consequences of Gaps in Vulnerability Response” by ServiceNow and the Ponemon Institute, the average number of hours spent each week on preventing, detecting and remediating vulnerabilities was 443 for the year 2019. The current vulnerability management workflow is problematic, due to the following main pain points:
- “Patch everything” and “everything is critical” are approaches that do not work nowadays; in fact, they never did.
- Large sets of vulnerabilities are discovered every day, month and year (DoD/MoM/YoY). We believe this is awesome from a security researcher’s point of view, as it is a good sign of maturity for the cyber security community; however, it is evident that only a few of them are published with a Proof of Concept or a working exploit, and very few of those are actually weaponised (exploited in the wild) by threat actors.
- Morpheus in The Matrix says “Time is always against us”, which is true, as it is impossible to keep up with all those vulnerabilities.
- Digital presence has increased. Modern environments, e.g. Cloud/PaaS/SaaS/IoT, in conjunction with traditional environments, e.g. Network/Application, including legacy systems, produce more vulnerabilities that need to be tackled, and new methodologies and tools are required, at least for the modern environments. The mixture of this complex cyber ecosystem (old vs. new) produces more vulnerabilities to keep up with.
- We love CVSS; however, it is used by tools and people as a “RISK” scoring metric, which it is not: CVSS measures the SEVERITY of a vulnerability, not the actual RISK that vulnerability poses in a given environment. It is often used as the only metric for patch prioritization.
- The culture of “fix critical & high vulnerabilities only” leads to a false sense of security. Adversaries weaponise vulnerabilities with LOW/MEDIUM severity as well, e.g. the infamous CloudMensis malware, which took advantage of CVE-2020-9934 (CVSSv2: 2.1 (Low), CVSSv3: 5.5 (Medium)), an input validation vulnerability. The malware uses multiple (at least two) techniques to bypass the macOS Transparency, Consent, and Control (TCC) framework, so adversaries can gain unauthorized access to sensitive user data.
- Context is one of the most important missing pieces of the vulnerability management puzzle. Contextualized intelligence, correlated with asset information and data mined from unstructured sources, could enable an enterprise to prioritize the vulnerabilities that pose the most immediate risk to its environment. Poor context generates poor storytelling; a consequence is that internal teams (IT, SecOps, DevOps), most of the time, do not understand the risk and the nature of a threat in general.
- A centralized focal point is missing from vulnerability management, where teams such as security, IT and executive managers can monitor the progress (Key Performance Indicators) of remediation actions.
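The points about CVSS measuring severity rather than risk, low/medium findings being weaponised, and missing context can be made concrete with a small prioritisation model. The following is an added example written for this page, not PRIOn's own scoring model; the weights for exploitation status, exposure and asset criticality are assumptions chosen to illustrate the principle, the `CVE-0000-000x` identifiers are placeholders rather than real CVEs, and only the CVSS v3 score of CVE-2020-9934 is taken from the text above.

```python
"""Illustrative context-aware prioritisation of scanner findings.

Added example, not PRIOn's own scoring model. The weights below are
assumptions chosen to show the principle: CVSS is a severity input,
not the risk output.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss_v3: float           # base score, 0.0 - 10.0 (severity only)
    exploited_in_wild: bool  # weaponised by threat actors
    public_poc: bool         # PoC or working exploit published
    internet_facing: bool    # exposure of the affected asset
    asset_criticality: int   # 1 (low) .. 5 (business critical)


def severity_label(score: float) -> str:
    """CVSS v3.x qualitative severity rating."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def risk_score(f: Finding) -> float:
    """Severity multiplied by threat, exposure and asset context (assumed weights)."""
    if f.exploited_in_wild:
        threat = 3.0      # exploited in the wild: the most immediate threat
    elif f.public_poc:
        threat = 1.5      # a public PoC lowers the bar for attackers
    else:
        threat = 1.0
    exposure = 2.0 if f.internet_facing else 1.0
    return round(f.cvss_v3 * threat * exposure * f.asset_criticality / 5, 1)


def prioritize_by_cvss(findings: List[Finding]) -> List[Finding]:
    """The 'CVSS as risk' approach: highest base score first."""
    return sorted(findings, key=lambda f: f.cvss_v3, reverse=True)


def prioritize_by_risk(findings: List[Finding]) -> List[Finding]:
    """Context-aware ordering: highest risk score first."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample findings. CVE-2020-9934 carries the CVSS v3 score quoted
# in the text and is marked exploited in the wild (CloudMensis); the
# CVE-0000-000x identifiers are placeholders, not real CVEs.
SAMPLE: List[Finding] = [
    Finding("CVE-2020-9934", 5.5, exploited_in_wild=True, public_poc=True,
            internet_facing=False, asset_criticality=4),
    Finding("CVE-0000-0001", 9.8, exploited_in_wild=False, public_poc=False,
            internet_facing=False, asset_criticality=1),
    Finding("CVE-0000-0002", 7.5, exploited_in_wild=False, public_poc=False,
            internet_facing=True, asset_criticality=3),
    Finding("CVE-0000-0003", 3.1, exploited_in_wild=False, public_poc=False,
            internet_facing=True, asset_criticality=2),
]


if __name__ == "__main__":
    print("Severity-only order:", [f.cve for f in prioritize_by_cvss(SAMPLE)])
    for f in prioritize_by_risk(SAMPLE):
        print(f"{f.cve:14} {severity_label(f.cvss_v3):8} risk={risk_score(f)}")
```

Sorting by base score alone puts the placeholder 9.8 "Critical" finding first; once exploitation status, exposure and asset value are taken into account, the Medium-rated CVE-2020-9934 moves to the top and the unexploited Critical on a low-value internal host drops to the bottom. The exact multipliers are the least important part; what matters is that the threat and asset context, not the severity number, decides the order.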