

The Importance Of Understanding Vulnerability Management Frameworks To Prioritize Security Responses

JP oversees the Research and Innovation teams that keep Onapsis on the cutting-edge of the business-critical application security market.


The world runs on enterprise resource planning (ERP) applications. It might sound like an overly bold statement, but let’s look at how much ERP applications impact our daily lives.

Focusing on SAP, the market leader in ERP: its customers alone generate 87% of total global commerce (roughly $46 trillion) and include 99 of the world's 100 largest companies.

With those statistics in mind, many of the biggest organizations in the world depend on ERP applications to operate and to serve people. Over time, these applications have become a core part of those organizations' mission-critical systems, because they quite literally support the mission.

These applications are of vital importance, but when it comes to security, how can we properly prioritize investment in ERP applications when there are so many other things to consider? Below are a few standards and mechanisms that help with that decision.

Common Vulnerability Scoring System

The Common Vulnerability Scoring System (CVSS) provides a technical severity score for a vulnerability, while threat intelligence sources tell us what is actively being used by threat actors and how. The Onapsis Research Labs, for example, provide the latter to customers as well as the public, working with global CERTs when there are risks that need to be addressed with higher priority.

But with all these mechanisms, is there a standard that can help put it all together and make a prioritization decision?

Stakeholder-Specific Vulnerability Categorization Guide

Recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released the Stakeholder-Specific Vulnerability Categorization (SSVC) Guide, which is “a customized decision tree model that assists in prioritizing vulnerability response” and can be used as a standard for deciding how to respond to the different security vulnerabilities that affect a company.

The importance of this tool is that it considers the context to make a prioritization decision, so while CVSS provides a level of technical impact, that becomes just one part of the SSVC decision tree. This decision tree is heavily influenced by the exploitation component, including if a vulnerability is actively being exploited or if it is “automatable.”

This decision tree model combines the current state of a vulnerability (whether it is being exploited, whether exploitation is automatable, its technical impact and its effect on mission and well-being) into a response decision; more concretely, when to patch or apply a mitigation. Each path through the SSVC tree ends in one of the following actions.

• Track (no action needed now; remediate within standard update timelines).

• Track* (as Track, but watch the vulnerability for changes, such as new exploitation reports).

• Attend (sooner than standard update timelines).

• Act (as soon as possible).

When we tie this back to the subject of ERP applications, the SSVC applies to vulnerabilities in these applications like any other, and it has a very interesting component in its decision tree called “mission and well-being.” This considers the following two aspects.

• Impact on mission essential functions of relevant entities. (How related is the vulnerable component to delivering the mission?)

• Impacts of affected system compromise on humans. (How related is the vulnerable component to having an impact on public well-being?)

While the impact on public well-being depends on the type of organization and how technology is used to deliver its mission, the impact on mission essential functions can be simpler to categorize. This is especially true for business-critical applications, which are essential to delivering the mission for most organizations. And because “mission and well-being” effectively takes the higher of its two components, we can safely assume that, for the purposes of the SSVC, the “mission and well-being” value will always be high for a business-critical application.

A Simplified Tree For Business-Critical Applications

For business-critical applications, this effectively simplifies the decision tree: with “mission and well-being” fixed at high, only exploitation, automatability and technical impact remain to be decided. In this simplified tree, most scenarios land in either the “Act” or the “Attend” category described above, both of which call for remediation faster than standard update timelines. For the three remaining paths through the simplified tree, the recommendation is to stick to standard patching timelines.
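As an added example (not code from the article, from Onapsis or from CISA), the following Python encodes an SSVC-style decision tree so the simplification can be seen rather than described: the decision-point names follow CISA's SSVC guide, “mission and well-being” is derived as the higher of its two sub-factors, and the function `outcome_distribution` enumerates the twelve paths that remain once that value is fixed at high. The leaf outcomes in `OUTCOMES`, the helper names and the sample finding identifiers are assumptions made for illustration; each leaf should be checked against CISA's published tree before this is used for real prioritization.

```python
"""Illustrative SSVC-style decision tree (added example, not CISA's or Onapsis' code)."""
from collections import Counter
from itertools import product

# Decision-point values, named as in the CISA SSVC guide.
EXPLOITATION = ("none", "poc", "active")
AUTOMATABLE = ("no", "yes")
TECHNICAL_IMPACT = ("partial", "total")
MISSION_PREVALENCE = ("minimal", "support", "essential")
PUBLIC_WELLBEING = ("minimal", "material", "irreversible")
MISSION_WELLBEING = ("low", "medium", "high")

# ASSUMED leaf table, illustrative only and NOT a verified copy of CISA's tree.
# Key: (exploitation, automatable, technical impact).
# Value: outcome for mission & well-being = (low, medium, high).
# Verify every leaf against the published SSVC decision tree before use.
OUTCOMES = {
    ("none",   "no",  "partial"): ("Track",  "Track",  "Track"),
    ("none",   "no",  "total"):   ("Track",  "Track",  "Track*"),
    ("none",   "yes", "partial"): ("Track",  "Track",  "Attend"),
    ("none",   "yes", "total"):   ("Track",  "Track",  "Attend"),
    ("poc",    "no",  "partial"): ("Track",  "Track",  "Track*"),
    ("poc",    "no",  "total"):   ("Track",  "Track*", "Attend"),
    ("poc",    "yes", "partial"): ("Track",  "Track*", "Attend"),
    ("poc",    "yes", "total"):   ("Track",  "Track*", "Attend"),
    ("active", "no",  "partial"): ("Track",  "Attend", "Attend"),
    ("active", "no",  "total"):   ("Track",  "Attend", "Act"),
    ("active", "yes", "partial"): ("Attend", "Attend", "Act"),
    ("active", "yes", "total"):   ("Attend", "Act",    "Act"),
}

# Urgency order used for triage sorting (most urgent first).
URGENCY = {"Act": 0, "Attend": 1, "Track*": 2, "Track": 3}


def mission_and_wellbeing(prevalence: str, wellbeing: str) -> str:
    """Combine the two sub-factors; the higher-ranked one determines the value."""
    rank = max(MISSION_PREVALENCE.index(prevalence), PUBLIC_WELLBEING.index(wellbeing))
    return MISSION_WELLBEING[rank]


def decide(exploitation: str, automatable: str, technical_impact: str,
           prevalence: str, wellbeing: str) -> str:
    """Walk the tree for one vulnerability and return Track, Track*, Attend or Act."""
    mw = mission_and_wellbeing(prevalence, wellbeing)
    leaf = OUTCOMES[(exploitation, automatable, technical_impact)]
    return leaf[MISSION_WELLBEING.index(mw)]


def outcome_distribution(prevalence: str = "essential", wellbeing: str = "minimal") -> dict:
    """Count outcomes over the 12 remaining paths once mission & well-being is fixed.

    With prevalence='essential' (a business-critical application) the value is high
    regardless of the well-being input, which is the simplification the text describes.
    """
    counts = Counter()
    for expl, auto, impact in product(EXPLOITATION, AUTOMATABLE, TECHNICAL_IMPACT):
        counts[decide(expl, auto, impact, prevalence, wellbeing)] += 1
    return dict(counts)


def triage(findings: list) -> list:
    """Return (id, decision) pairs sorted most-urgent first."""
    rows = [
        (f["id"], decide(f["exploitation"], f["automatable"], f["technical_impact"],
                         f["mission_prevalence"], f["public_wellbeing"]))
        for f in findings
    ]
    return sorted(rows, key=lambda row: URGENCY[row[1]])


# Constructed sample findings with hypothetical identifiers (not real CVEs or products).
SAMPLE_FINDINGS = [
    {"id": "ERP-A", "exploitation": "active", "automatable": "yes", "technical_impact": "total",
     "mission_prevalence": "essential", "public_wellbeing": "minimal"},
    {"id": "ERP-B", "exploitation": "none", "automatable": "no", "technical_impact": "partial",
     "mission_prevalence": "essential", "public_wellbeing": "minimal"},
    {"id": "WIKI-C", "exploitation": "poc", "automatable": "yes", "technical_impact": "total",
     "mission_prevalence": "support", "public_wellbeing": "material"},
]

if __name__ == "__main__":
    print("Outcome spread with mission & well-being = high:", outcome_distribution())
    for finding_id, decision in triage(SAMPLE_FINDINGS):
        print(f"{finding_id}: {decision}")
```

Running the block shows that, with the assumed leaf table, nine of the twelve high-value paths end in Act or Attend and three in Track or Track*, and that an actively exploited, automatable, total-impact flaw in an essential system sorts ahead of a proof-of-concept issue in a supporting system even though the two might carry similar CVSS scores. Swapping `OUTCOMES` for the verified CISA leaves is the only change needed to make the same code authoritative.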

What this tells us is that business-critical applications require special attention when it comes to security and vulnerabilities. By having sufficient context around potential vulnerabilities within an organization, security teams are equipped to respond appropriately.

The SSVC provides a good example of frameworks for helping organizations prioritize responses to vulnerabilities when presented, but ultimately, the importance of security for business applications needs to remain a top consideration before a vulnerability arises.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.