When Too Much Vulnerability Intelligence is a Bad Thing

When you’re scouring for application vulnerabilities and trying to keep up with all the latest issues, good vulnerability intelligence is essential. You need expert advice and insight to understand your level of exposure so you can patch vulnerabilities before they’re exploited.

But that’s not to say that all vulnerability intelligence is good. In fact, it’s information overload that’s most likely to get in the way of quick, effective patching.

You’re probably using a large number of different applications. They come from different vendors, and have different mechanisms for patching and deployment.

And what you need is timely, actionable intelligence that relates to the applications you’re using. Not the clutter and chaos of alerts, advisories, and reports that relate to applications you’re not using.

TMI (Too Much Information)

Most security companies issue advisories for specific incidents and vulnerabilities. They put everything related to a vulnerability in the same place. But that’s not very practical.

Because, really, who cares about everything related to a vulnerability? You only care about the parts that could affect you.

Take the Heartbleed vulnerability, disclosed in April 2014. Affecting the cryptography that was the bedrock of data security, it was an issue that everyone in the world of IT wanted to keep up to date with.

So, most security companies issued a detailed advisory. A huge document that covered so many different applications that finding the important parts was a challenge.

And every time it was updated? Another alert to notify you. About a change that’s probably not relevant to your business.

A different approach is needed – not with one all-encompassing advisory, but with 210 smaller ones, each related to a specific application. So the only alerts are ones that are relevant. And the only advisories are small, easy to understand, and practical.

The extensive, detailed intelligence on every aspect of Heartbleed and every application it affected was still there. But a more intelligent delivery model helped customers avoid the parts that didn’t matter to them.

Application patches are more important than application vulnerabilities

As well as long advisories that cover a huge number of different applications, other security providers tend to write advisories on a per-CVE basis. For each vulnerability that is disclosed, there’s a new alert and a new advisory to read.

In some ways, it’s the approach you’d expect. You want to know about every vulnerability. But there’s a bigger priority to consider. You want to know how to fix things.

When advisories are issued for every CVE number, you may end up reading the same material again and again. After all, there’s a good chance that a number of different vulnerabilities are all fixed with a single patch.

Use a patch management vendor that issues a single advisory covering all the CVEs that are fixed with the same action. No repetition. No reading a long account of an issue, only to find that you’ve already applied the relevant patch.
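The two delivery choices described above (only advisories for applications you actually run, and one advisory per fix action rather than one per CVE) boil down to a filter and a grouping step. The following Python is an added example, not code from this post or from any vendor it describes; the advisory feed, product names, CVE ids (all of the form CVE-0000-000x) and fix strings are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    """One per-CVE advisory as a feed might publish it."""
    cve: str       # placeholder id, not a real CVE
    product: str   # application the CVE affects
    fix: str       # the single action that resolves this CVE


# Constructed sample feed: every id, product and fix below is made up for
# the example. Several CVEs share one fix action, and two products are not
# part of our inventory at all.
FEED = [
    Advisory("CVE-0000-0001", "libssl", "upgrade libssl to 1.0.1g (placeholder)"),
    Advisory("CVE-0000-0002", "libssl", "upgrade libssl to 1.0.1g (placeholder)"),
    Advisory("CVE-0000-0003", "libssl", "upgrade libssl to 1.0.2 (placeholder)"),
    Advisory("CVE-0000-0004", "webserver", "apply webserver hotfix A (placeholder)"),
    Advisory("CVE-0000-0005", "mailclient", "upgrade mailclient to 5.1 (placeholder)"),
    Advisory("CVE-0000-0006", "dbengine", "upgrade dbengine to 9.4 (placeholder)"),
]

# Constructed inventory: what this organisation actually runs, and which
# fix actions it has already carried out.
INSTALLED = {"libssl", "webserver"}
APPLIED = {("webserver", "apply webserver hotfix A (placeholder)")}


def relevant(advisories, installed):
    """Keep only advisories for products in the inventory (per-application alerts)."""
    return [a for a in advisories if a.product in installed]


def group_by_fix(advisories):
    """Collapse per-CVE advisories into one entry per (product, fix action).

    Returns a dict mapping (product, fix) -> sorted list of CVE ids resolved
    by that single action, which is the 'one advisory per patch' view.
    """
    groups = defaultdict(list)
    for a in advisories:
        groups[(a.product, a.fix)].append(a.cve)
    return {key: sorted(cves) for key, cves in groups.items()}


def consolidated(advisories, installed, applied):
    """Filter to the inventory, group by fix, and drop actions already applied.

    The result is the list of actions still outstanding, each with the CVEs
    it closes, so nothing is re-read for a patch that is already in place.
    """
    groups = group_by_fix(relevant(advisories, installed))
    return {key: cves for key, cves in groups.items() if key not in applied}


if __name__ == "__main__":
    print(f"{len(FEED)} per-CVE advisories in the feed")
    todo = consolidated(FEED, INSTALLED, APPLIED)
    print(f"{len(todo)} fix actions still outstanding:")
    for (product, fix), cves in todo.items():
        print(f"  {product}: {fix}  closes {', '.join(cves)}")
```

With the constructed feed, six per-CVE advisories reduce to two outstanding actions, both for libssl; the webserver hotfix is dropped because it is recorded as applied, and the two products not in the inventory never appear. Tracking applied fixes as (product, fix) pairs rather than by CVE is what lets one recorded action silence every CVE it covers.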

Just practical answers. And no more irrelevant vulnerability intelligence.
