Computer security and vulnerability management form a constantly evolving field. Given vulnerability status information for some assets, the system and method described herein predict the probability that other, similar assets are open to the same vulnerability.
In large interconnected networks, electronic attacks may originate at one place and propagate rapidly across a company's programs and systems. Such attacks propagate successfully because the systems contain vulnerabilities that have either not been detected or not been remediated, and because the systems are usually interconnected, which leads to widespread damage.
To protect computer systems, organizations conduct vulnerability assessments and carry out threat monitoring. Vulnerability assessment looks for potential security weaknesses in a computer system using a variety of vulnerability scanning tools and methods. The makers of software (operating systems, business software, etc., hereafter referred to as "platforms") disclose vulnerabilities through an industry-wide accepted system, the Common Vulnerabilities and Exposures (CVE) repository, maintained by NIST/MITRE, in which each vulnerability is scored using the Common Vulnerability Scoring System (CVSS).
For every disclosed vulnerability, the original maker of the corresponding software distributes a patch, which is a software update that closes the vulnerability. Organizations need to apply such patches to their assets to close the vulnerability.
Another aspect of security management is threat monitoring. Threat monitoring is carried out by tools such as intrusion detection systems, web application firewalls, log analysis systems or security information and event management (SIEM) products. Threat monitoring detects computer attacks and abuses carried out by computer users or by automated software.
To have effective security, organizations aim to integrate their threat monitoring data with vulnerability assessment data. The data from vulnerability assessment indicates whether an open vulnerability on the computer system exists that can be exploited by an attacker. When the threat monitoring system detects a threat on that computer system, it can correlate the threats with the existence (or lack thereof) of a corresponding open vulnerability and can determine whether the attack is likely to succeed or not. Currently, security systems such as SIEM have the capabilities to correlate such data once the vulnerability data and threat data are given as input to SIEM.
In any large network, however, vulnerability data is not always present for all computer systems in the network. Large networks cannot afford to test for all vulnerabilities across all of their systems at all times: doing so would overload the network, and the cost and effort involved in such exercises can be limiting. Vulnerability testing is therefore carried out in periodic time frames that usually coincide with network downtime, and in each period it is done only for a part of the network, on a sample basis. So, at any given point in time, for a particular computer system there will either be no data about its vulnerable state, or the data will come from some past test schedule and will not reflect the current vulnerability state. Without current vulnerability data, it can be impossible to assess the impact of a threat reported by the threat monitoring system. Consequently, security administrators are overburdened with a volume of threat data that cannot be prioritized or filtered because data on the vulnerability of the affected systems is lacking.
The lack of current vulnerability data also affects an organization's ability to know its overall vulnerability status at any given point in time. Organizations can view the vulnerability data provided by the last tests for an asset, but that information does not give the status of all assets at the current time.
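As an added illustration (not the patent's own system or method, which this background does not specify), the following Python sketch puts the three ideas above together: a detected threat is correlated with the latest vulnerability record for the targeted asset; a record older than the scan interval is treated as unknown rather than current; and when no current record exists, the probability that the asset is open is estimated from similar assets (same platform and version) that do have current data, so that threats can still be ranked. The asset identifiers, CVE identifiers, dates, the 30-day freshness window and the platform-and-version similarity rule are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Asset:
    asset_id: str
    platform: str  # operating system or application family
    version: str


@dataclass(frozen=True)
class VulnRecord:
    asset_id: str
    cve: str
    is_open: bool  # True if the scan found the vulnerability unpatched
    scanned_at: datetime


@dataclass(frozen=True)
class Threat:
    asset_id: str
    cve: str  # vulnerability the detected attack is trying to exploit
    seen_at: datetime


def latest_record(asset_id, cve, records) -> Optional[VulnRecord]:
    """Most recent scan result for one asset/CVE pair, or None if never scanned."""
    matches = [r for r in records if r.asset_id == asset_id and r.cve == cve]
    return max(matches, key=lambda r: r.scanned_at) if matches else None


def vuln_state(asset_id, cve, records, now, max_age) -> str:
    """'open', 'closed', or 'unknown' when there is no record or it is stale."""
    rec = latest_record(asset_id, cve, records)
    if rec is None or now - rec.scanned_at > max_age:
        return "unknown"
    return "open" if rec.is_open else "closed"


def estimate_open_probability(asset, cve, assets, records, now, max_age) -> Optional[float]:
    """Fraction of similar assets (same platform and version, assumed similarity rule)
    with a current record that are open; None when no peer has current data."""
    peers = [a for a in assets
             if a.asset_id != asset.asset_id
             and a.platform == asset.platform and a.version == asset.version]
    known = [s for s in (vuln_state(p.asset_id, cve, records, now, max_age) for p in peers)
             if s != "unknown"]
    if not known:
        return None
    return sum(1 for s in known if s == "open") / len(known)


def triage(threats, assets, records, now, max_age):
    """Rank threats by the likelihood that the targeted asset is actually exploitable.
    Returns (asset_id, cve, state, likelihood) tuples; likelihood is 1.0 for a current
    open record, 0.0 for a current closed record, the peer-based estimate otherwise."""
    by_id = {a.asset_id: a for a in assets}
    ranked = []
    for t in threats:
        state = vuln_state(t.asset_id, t.cve, records, now, max_age)
        if state == "open":
            likelihood = 1.0
        elif state == "closed":
            likelihood = 0.0
        else:
            likelihood = estimate_open_probability(by_id[t.asset_id], t.cve,
                                                   assets, records, now, max_age)
        ranked.append((t.asset_id, t.cve, state, likelihood))
    # Highest likelihood first; threats with no evidence at all sort last.
    ranked.sort(key=lambda x: (x[3] is None, -(x[3] or 0.0)))
    return ranked


# Constructed sample data (not from any real scan or SIEM).
NOW = datetime(2024, 1, 10)
MAX_AGE = timedelta(days=30)
ASSETS = [
    Asset("A1", "linux", "5.4"), Asset("A2", "linux", "5.4"),
    Asset("A3", "linux", "5.4"), Asset("A4", "windows", "10"),
    Asset("A5", "linux", "5.4"),  # never scanned for the example CVE
]
RECORDS = [
    VulnRecord("A1", "CVE-EXAMPLE-1", True, datetime(2024, 1, 8)),    # current, open
    VulnRecord("A2", "CVE-EXAMPLE-1", False, datetime(2024, 1, 9)),   # current, patched
    VulnRecord("A3", "CVE-EXAMPLE-1", True, datetime(2023, 11, 1)),   # stale result
    VulnRecord("A4", "CVE-EXAMPLE-1", True, datetime(2024, 1, 9)),    # other platform
]
THREATS = [
    Threat("A2", "CVE-EXAMPLE-1", NOW), Threat("A5", "CVE-EXAMPLE-1", NOW),
    Threat("A4", "CVE-EXAMPLE-2", NOW), Threat("A1", "CVE-EXAMPLE-1", NOW),
]


def demo():
    return triage(THREATS, ASSETS, RECORDS, NOW, MAX_AGE)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Running the script ranks the threat against A1 first (current open record), then the threat against A5 with an estimated 0.5 likelihood derived from its peers A1 and A2 (A3 is excluded because its record is stale, A4 because it is a different platform), then A2 (patched), and last the threat against A4 for a CVE no similar asset has been scanned for.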