Rethinking Remediation SLAs: Measuring Exploit Exposure Reduction Under Severity-Based and Risk-Based Vulnerability Prioritization Models
Keywords: SLA, Risk, Remediation, Vulnerability.
Abstract
Managing very large IT estates imposes a permanent and largely unanswered question on organizations: which vulnerabilities should be patched first, and within what time. The main tool through which security teams translate answers to that question into practice is the Remediation Service Level Agreement (SLA). Most SLAs are pegged to the severity score from the Common Vulnerability Scoring System (CVSS): a critical finding must be addressed within, say, 15 days and a high within 30 days. The reasoning is simple; the results are not. Severity-based SLAs treat a vulnerability as a static object defined only by its intrinsic technical qualities, whereas actual exploit activity is shaped by attacker behavior, asset exposure and the environment. This paper examines the differences between severity-based and risk-based prioritization models in terms of their measurable contribution to reducing exploit exposure. Three quantitative and qualitative tables compare model outputs, SLA compliance rates and remediation outcomes, and four markers indicate where empirical data visualizations are to be displayed. The key metrics, Total Vulnerability Exposure (TVE) and Exploit Exposure Reduction Rate, are formalized in two equations and applied throughout the analysis. The results indicate that risk-based models consistently achieve greater exposure reduction per unit of remediation effort, especially in organizations whose limited resources preclude large-scale patching.
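The following Python is an added illustration of the argument above, not the paper's own code or equations (which are not reproduced on this page). It queues a constructed inventory under a severity-based SLA and under a risk-based ordering, then measures how much exploitable exposure each removes within a fixed patch budget; the 15- and 30-day deadlines are the page's, while the 60/90-day bands, the composite risk score and the exposure proxy are assumptions.

```python
# Added example, not the paper's code: severity-based vs risk-based remediation ordering.
# 15/30-day deadlines are the page's; 60/90-day bands, risk composite, exposure proxy are assumed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    vid: str
    cvss: float          # CVSS base score, 0.0-10.0
    exploited: bool      # exploit activity observed in the wild (assumed signal)
    exposed: bool        # asset reachable from untrusted networks (assumed signal)
    asset_weight: float  # business criticality of the host, 1.0-3.0 (assumed)

SLA_DAYS = {"Critical": 15, "High": 30, "Medium": 60, "Low": 90}  # days to remediate per band
BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.0, "Low"))  # CVSS v3 floors

def severity_band(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    return next(name for floor, name in BANDS if cvss >= floor)

def risk_score(v: Vuln) -> float:
    """Assumed composite: exploit activity, then exposure, then asset weight, scaled by CVSS."""
    return (3.0 if v.exploited else 1.0) * (2.0 if v.exposed else 1.0) * v.asset_weight * v.cvss / 10

def order_by_severity(vulns):
    """Severity-based SLA queue: shortest deadline first, then highest CVSS."""
    return sorted(vulns, key=lambda v: (SLA_DAYS[severity_band(v.cvss)], -v.cvss))

def order_by_risk(vulns):
    """Risk-based queue: highest composite risk first."""
    return sorted(vulns, key=risk_score, reverse=True)

def exploitable_exposure(vulns) -> float:
    """Assumed exposure proxy: asset weight summed over unpatched, exploited, reachable vulns."""
    return sum(v.asset_weight for v in vulns if v.exploited and v.exposed)

def reduction_after_budget(vulns, queue, budget: int) -> float:
    """Fraction of exploitable exposure removed after patching the first `budget` queue items."""
    patched = {v.vid for v in queue[:budget]}
    before = exploitable_exposure(vulns)
    after = exploitable_exposure([v for v in vulns if v.vid not in patched])
    return (before - after) / before if before else 0.0

# Constructed inventory: two internal Criticals with no exploit activity versus an exploited,
# internet-facing High and Medium on important assets.
INVENTORY = [
    Vuln("V1", 9.8, False, False, 1.0), Vuln("V2", 9.1, False, False, 1.0),
    Vuln("V3", 7.5, True, True, 3.0), Vuln("V4", 6.5, True, True, 2.0),
    Vuln("V5", 8.8, False, True, 1.0), Vuln("V6", 5.3, False, False, 1.0),
]
```

With a budget of two patches, the severity queue spends both on the internal Criticals and removes none of the exploitable exposure, while the risk queue removes all of it; the severity queue only reaches 60% after four patches.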
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.