`
(12) United States Patent
Mohanty
(10) Patent No.: US 9,692,778 B1
(45) Date of Patent: Jun. 27, 2017
`
(54) METHOD AND SYSTEM TO PRIORITIZE VULNERABILITIES BASED ON CONTEXTUAL CORRELATION
`
(71) Applicant: Symantec Corporation, Mountain View, CA (US)
(72) Inventor: Shubhabrata Mohanty, Pune (IN)
(73) Assignee: Symantec Corporation, Mountain View, CA (US)
(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.
`
(21) Appl. No.: 14/538,599
(22) Filed: Nov. 11, 2014
`
(51) Int. Cl.
H04L 29/06 (2006.01)
G06F 9/455 (2006.01)
(52) U.S. Cl.
CPC ...... H04L 63/1433 (2013.01); G06F 9/45533 (2013.01)
(58) Field of Classification Search
CPC ......................... H04L 63/1433; G06F 9/45533
See application file for complete search history.
`
(56) References Cited

U.S. PATENT DOCUMENTS

2009/0077666 A1* 3/2009 Chen ..................... G06F 21/577 726/25
2013/0191919 A1* 7/2013 Basavapatna ......... G06F 21/577 726/25
2014/0201836 A1* 7/2014 Amsler ................... H04L 63/20 726/23
2014/0223555 A1* 8/2014 Sanz Hernando ...... G06F 21/55 726/22
2015/0040228 A1* 2/2015 Lee ..................... H04L 63/1433 726/25
`
OTHER PUBLICATIONS

Mell et al., "The Common Vulnerability Scoring System (CVSS) and Its Applicability to Federal Agency Systems", NIST Interagency Report 7435, Aug. 2007, 33 pages.*
Quinn et al., "Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.0", NIST Special Publication 800-117, Jul. 2010, 26 pages.*
* cited by examiner

Primary Examiner — Saleh Najjar
Assistant Examiner — Oleg Korsak
(74) Attorney, Agent, or Firm — Maschoff Brennan
(57) ABSTRACT

A method for prioritizing vulnerabilities of an asset in a virtual computing environment is provided. The method includes determining a vulnerability score for the asset, based on at least one of a base vulnerability score or a temporal vulnerability score, and receiving information about a threat. The method includes correlating the information about the threat with information about the open vulnerabilities on the asset and also about the asset to determine a threat score for the asset, and determining a contextual score for the asset based on at least one tag of the asset. The method includes deriving a prioritization score for the asset, the prioritization score a combination of the vulnerability score, the threat score and the contextual score, wherein at least one method action is performed by a processor.

20 Claims, 5 Drawing Sheets
`
WIZ, Inc. EXHIBIT - 1075
WIZ, Inc. v. Orca Security LTD.
`
`
`
U.S. Patent    Jun. 27, 2017    Sheet 1 of 5    US 9,692,778 B1

[FIG. 1: Workload Context 102, fed by Tags Category and Operational Tags 104, Dynamic Security Tags 106 (like in VMware, reported by various point products) and Dynamic Info/Security Events 108.]
`
`
`
`
U.S. Patent    Jun. 27, 2017    Sheet 2 of 5    US 9,692,778 B1

[FIG. 2: Threat Info 208 (Impact, Target OS, Target Apps, Attack Info, CVE ID, Severity) and Scanned Vulnerability Data 210 by VA Scanner (Qualys, Rapid7) (CVE ID 220, CVSS Score 222, Severity, Exploitability) yield Threat Score 214 and Vulnerability Score 212. Tags 202 (Static and Security) in a virtual environment like VMware tags, i.e. Workload Context 102 with Tags Category 204 (Sensitive Data, Critical Servers, Web) and Security Tags 206 (Virus Found, Intrusion Detected, dynamic info such as Data Transferred), yield Contextual Score 216. Contextual Correlation combines the three into Prioritization Score 218, used for Contextual Prioritization for Remediation (Vulnerability, Priority, Impact, Possible Exploitations). Asset 224; reference numerals 226, 228.]
`
U.S. Patent    Jun. 27, 2017    Sheet 3 of 5    US 9,692,778 B1

[FIG. 3: Computing Device 302 with Processor 304, Vulnerability Module 306, Threat Module 308, Contextual Module 310, Prioritization Module 312 and Remediation Module 326, producing Vulnerability Score 212, Threat Score 214, Contextual Score 216 and Prioritization Score 218. Scanner 314 supplies Vulnerability Data 210 (CVE ID 220, CVSS Score 222); Threat Intelligence System 316 supplies Threat Information 208. Asset 224 comprises Virtual Machines 318 and Virtual Applications 320 carrying tags 202, in virtual computing environment 322 on Physical Computing Resources 228, coupled by network 324.]
`
`
`
U.S. Patent    Jun. 27, 2017    Sheet 4 of 5    US 9,692,778 B1

[FIG. 4, flow diagram:
402 Determine vulnerability score for asset
404 Obtain threat information
406 Correlate open vulnerability information with threat
408 Determine threat score for asset
410 Correlate vulnerability data and tag information
412 Determine contextual score for asset
414 Determine prioritization score for asset based on vulnerability score, threat score, contextual score
416 Prioritization score meets threshold? (if Yes:)
418 Determine remediation for asset
420 Apply remediation for asset]
`
`
`
U.S. Patent    Jun. 27, 2017    Sheet 5 of 5    US 9,692,778 B1

[Fig. 5: computing device with CPU 501, Memory 503, Bus 505, Input/Output Device 507, Mass Storage 509 and Display 511.]
`
`
METHOD AND SYSTEM TO PRIORITIZE VULNERABILITIES BASED ON CONTEXTUAL CORRELATION

BACKGROUND
`
Virtualization has redefined how IT ops (information technology operations) build and deliver assets in a virtualized environment, where virtual machines or virtual applications (apps) go online or offline, or change zones dynamically within minutes or hours. Traditional Vulnerability Assessment (VA) products which scan machines to report vulnerabilities have difficulties in a virtualized environment. A snapshot of a vulnerability assessment report of a system provided in the past becomes obsolete within hours or minutes as virtual machines or workloads change positions within a virtualized environment. Consequently, in virtualized environments, any risks, threat exposures or known vulnerabilities are constantly changing. A security operations team needs a strong and continuous prioritization system to track critical vulnerabilities and take actions as changes occur.

Vulnerability assessment products scan systems on demand and report a list of known vulnerabilities in the form of a CVSS (common vulnerability scoring system) score. With workloads constantly changing their positions, the same set of vulnerabilities changes the exploitability surface as well. The challenges presented include how to interpret hundreds of vulnerabilities reported by these VA products and how to identify specific vulnerabilities that truly represent a clear and present risk to security. The CVSS score (as either a Base CVSS score or a Temporal CVSS score) does not consider the environment-specific characteristics of the customer or the workload distribution and the threats that can exploit them based on the positioning of the workload. The CVSS Base or Temporal score only contains a CIA (confidentiality, integrity, availability) score and access vectors to derive the importance of the information, but is not sufficient in a dynamic environment such as in virtualization space. A CVSS score alone does not necessarily provide sufficient information for effective remediation prioritization.

It is within this context that the embodiments arise.
`
SUMMARY

In some embodiments, a method for prioritizing vulnerabilities of an asset in a virtual computing environment is provided. The method includes determining a vulnerability prioritization score for the asset, based on at least one of a base vulnerability score or a temporal vulnerability score, deriving virtual workload context and receiving information about a threat. The method includes correlating the information about the threat with information about the asset to determine a threat score for the asset, and determining a contextual score for the asset based on virtual workload context, which in turn is based on multiple tags of the asset as provided by a virtualization ecosystem like VMware, AWS, etc. The method includes deriving a prioritization score for the asset, the prioritization score a combination of the vulnerability score, the threat score and the contextual score, wherein at least one method action is performed by a processor.

In some embodiments, a tangible, non-transitory, computer-readable media having instructions thereupon which, when executed by a processor, cause the processor to perform a method is provided. The method includes obtaining one of a base common vulnerability scoring system (CVSS) score or a temporal common vulnerability scoring system score, concerning an asset in a virtual computing environment, receiving threat information, and generating a threat score for the asset, based on applicability of the threat information to the asset. The method includes generating a contextual score for the asset, based on information on at least one dynamic or static tag of the asset from the virtualization ecosystem, and generating a prioritization score for the asset, based on a multiplication of the contextual score, the threat score and the one of the base common vulnerability scoring system score or the temporal common vulnerability scoring system score.

In some embodiments, a system for prioritizing vulnerabilities of an asset in a virtual computing environment is provided. The system includes a vulnerability assessment module that obtains a vulnerability score for the asset and a threat intelligence system that provides a list of vulnerabilities it can exploit, generates a threat score assessing vulnerability of the asset to a threat, based on threat information and based on information about the asset from at least one tag of the asset received from the virtualization ecosystem platform. The system includes a contextual module that generates a contextual score based on workload context of the asset relative to static aspects of the asset from the at least one tag and dynamic aspects of the asset from the at least one tag or security events, and a prioritization module that multiplies together the threat score, the contextual score and the vulnerability score to generate a prioritization score for the asset. The system includes a processor coupled to the vulnerability module, the threat module, the contextual module and the prioritization module.

Other aspects and advantages of the embodiments will become apparent from the following detailed description taken in conjunction with the accompanying drawings which illustrate, by way of example, the principles of the described embodiments.
`
BRIEF DESCRIPTION OF THE DRAWINGS

The described embodiments and the advantages thereof may best be understood by reference to the following description taken in conjunction with the accompanying drawings. These drawings in no way limit any changes in form and detail that may be made to the described embodiments by one skilled in the art without departing from the spirit and scope of the described embodiments.

FIG. 1 is a schematic diagram illustrating the workload context of an asset in a virtual environment in some embodiments.

FIG. 2 is a schematic diagram, showing how threat information, scanned vulnerability data and tag information for the asset are combined into a contextual correlation, so that a prioritization score is produced in some embodiments.

FIG. 3 is a system diagram of a contextual prioritization system that prioritizes vulnerabilities of the asset, based on contextual correlation in accordance with the concept diagrams of FIGS. 1 and 2 in some embodiments.

FIG. 4 is a flow diagram of a method of prioritizing vulnerabilities of an asset in a virtual environment in some embodiments.

FIG. 5 is an illustration showing an exemplary computing device which may implement the embodiments described herein.
`
DETAILED DESCRIPTION

A contextual prioritization system and a related method of prioritizing vulnerabilities of an asset in a virtual environment produce a prioritization score for the asset, relating to vulnerabilities, threats and a workload context of the asset. By correlating and combining threat information, vulnerability data and workload context, and rapidly updating the prioritization score that results from such analysis, the disclosed system and method provide information that is more context-based than the CVSS (common vulnerability scoring system) score.
Adding dynamic context about which vulnerabilities are being exploited using known exploits, and relating this to environmental characteristics of an asset, provides an improved mechanism of determining whether or not a given virtual machine or virtual application is at high risk from an attack perspective. Considering only a CVSS score reported by a VA (vulnerability assessment) product could be misleading or insufficient, as the CVSS score does not consider factors of the asset environment that drive the criticality or risk exposure of the asset. For example, a possible high CVSS score could be indicated for an asset that has a low risk of being exploited in some instances. Meanwhile, an asset with a high vulnerability but a low CVSS score may still be attacked depending upon other environmental factors in the asset environment such as threats associated with the vulnerability, probability of attack based on workload or VM (virtual machine) positioning, compensating controls or primary controls present in the asset environment, etc.

Security Operations (also referred to as Sec Ops) teams need solutions that help them distinguish the critical vulnerabilities from the noise or false-positives. For example, a mission critical Internet Banking web server may have multiple known vulnerabilities, but which of those present genuine risk to the organization may be unknown. Various embodiments of a system and method described below identify assets as to criticality of vulnerability, thereby lowering incidence of false positives and increasing awareness of assets that are critical, which may require immediate attention of a security operations team. This solves a critical problem in virtualization space, by identifying, correlating, calculating and determining the prioritization of vulnerabilities that pose serious risk to an organization that has operating assets in a virtualized environment.

The system and method employ an algorithm that correlates vulnerabilities with contextual information such as threat data and virtualization tags (e.g., as provided in the virtualization environment by a vendor such as VMware, etc.). The algorithm works on a three dimensional (or three axis) model in some embodiments. The three dimensions are summarized below:

Dimension #1 Vulnerability (e.g., as reported by vulnerability assessment products). Related data could include base/temporal CVSS score, common vulnerabilities and exposures identifier (CVE ID), severity, etc.

Dimension #2 Threat (e.g., threats received from Threat Intelligence systems such as DeepSight). Related data could include threat impact, impacted CVE ID, type of threat, operating system impacted, applications impacted, etc.

Dimension #3 Workload Context: Tags (e.g., Operational Tags as well as Security Tags, i.e., static tags and dynamic tags, as defined in a virtualization environment using VMware, etc.). Related data could include whether an asset is external facing, Web-connected, has sensitive data, location, etc. Dynamic security events like data loss incidents, any possible attacks, etc., could be added to derive more accurate workload context.
FIG. 1 is a schematic diagram of the workload context 102 of an asset in a virtual environment. Insights into various aspects of the workload context 102 provide guidance into operation of the system and method. When an asset (e.g., a virtual machine or a virtual application) is created and deployed in a virtual environment, information about the asset can be written as metadata to one or more tags (see FIGS. 2 and 3). Further information can be written to tags as situations occur. Static tags 104 have information about tag categories, i.e., each tag category could have one or more tags as information about the asset. These static tags 104 could also be referred to as operational tags, in that the static tag 104 specifies aspects of the operation of the asset. Static tag information affects the workload context 102 of the asset. Dynamic tags 106 have information that is subject to change during the lifespan of the asset. Dynamic tags 106 can also be referred to as security tags, since the changing information is of interest regarding security of the asset. Dynamic tag information affects the workload context 102 of the asset. Dynamic information and security events 108 affect the workload context 102, particularly as to vulnerability of the asset. Some of the dynamic information and security events can be written to the dynamic tags 106.

FIG. 2 is a schematic diagram, showing how threat information 208, scanned vulnerability data 210 and workload context as tags information 204, 206 for the asset 224 are combined into a contextual correlation, so that a prioritization score 218 is produced in some embodiments. Threat information 208 comes from one or more threat intelligence systems (see FIG. 3). Vulnerability data 210 comes from one or more scanners (see FIG. 3). Tag information 204, 206 comes from one or more tags 202 in the virtualization ecosystem (like VMware) of the asset 224. Threat intelligence systems such as DEEPSIGHT provide threat information 208 about external threats. The embodiments of the system and method described herein correlate vulnerabilities with emerging threats to derive threat exposure, the risk the vulnerability poses, and the importance of remediating such risk. Threats play an important role in deriving the exploitability characteristics of a vulnerability depending on the asset environment. For example, a vulnerability found on an internet-facing web server with a CVSS score of "10" may have a serious impact if exposed to an external threat, as compared to the same vulnerability existing on a web server that is sitting in a LAN (local area network) with an exposure to the same threat but with a low impact. Threat information 208 reported by systems such as DEEPSIGHT or other systems may include a common vulnerabilities and exposures identifier (CVE ID) 220 that identifies a specific vulnerability and/or a specific exposure that a particular threat exploits, the operating system (OS) targeted by a particular threat, the threat impact, a specific threat type (e.g., the threat is associated with the Web or a specified network), a specific application that the threat targets, attack information, severity of the threat, etc. This threat information 208 can be used to correlate with vulnerability data 210 and workload context as tags information 204, 206 from tags 202 to derive the magnitude of the threat and attack surface.

Still referring to FIG. 2, VA products known as scanners scan virtual machines and report vulnerabilities with additional information such as Severity, Base CVSS Score 222, Temporal CVSS Score 222, and CVE ID 220. The vulnerability data 210 provided by such a scanner applies to a particular asset 224 being scanned. The CVSS score 222, which can include a base score and a temporal score, may be resolved or analyzed into metrics and vectors, and the vulnerability score 212 can be based on the CVSS score 222 in various ways. For example, the vulnerability score 212 can apply just the base CVSS score 222, just the temporal CVSS score 222, or a combination of these two scores, or otherwise be derived from one, the other, or both of the scores. Whenever a CVE ID 220, operating system, or associated applications like ACROBAT, CHROME, etc. identifying a vulnerability or exposure of the asset 224 are provided in the vulnerability data 210 from a scanner, the disclosed system and method can use this information to correlate with a CVE ID 220, operating system, impacted applications, etc. provided in the threat information 208 in production of a threat score 214. Vulnerability data 210 can also include information about severity of a particular vulnerability or exposure, and information about the exploitability of a particular vulnerability or exposure.
Continuing with FIG. 2, workload context 102 is represented in and derived from various tags 202. In some embodiments, the workload context 102 represents answers to some of the following questions:

How business critical are the virtual machines where vulnerabilities are found?
What is the criticality of the business unit that owns this workload, such as Legal, Internal IT, Customer facing, etc.?
Where is the workload/virtual machine positioned in the network, and how does it influence the exposure?
Is the workload in an Intranet, the Internet or a local area network?
Do the virtual machines/workloads contain sensitive data?
What data does an attacker gain access to when a vulnerability is exploited?
What is the impact if an exploitation occurs?

Answers to the above questions can be defined as characteristics and written to tags 202 of assets 224. Generally, there are two manners in which tags 202 can be defined, although further types of tags and tagging strategies are readily devised, consistent with the teachings herein. A first mechanism is to mark a virtual machine with a set of tags 202 such as CRITICAL DATA, WEB, INTERNET FACING, ADOBE_APP, INTERNET_EXPLORER_APP, etc. These are known as Static Tags, and have static tag information 204. A second mechanism is to mark a virtual machine with a set of dynamic tags 202 such as VIRUS FOUND, INTRUSION DETECTED, etc., by security technologies monitoring the same systems. These are known as dynamic tags or security tags, and have dynamic security related information 206. Thus, the above questions or characteristics of a virtual machine or virtual application can be defined by both static as well as dynamic tags. For example, static tag information 204 could include indication of whether there is sensitive data in or handled by the asset 224, whether the asset 224 includes one or more critical servers, and whether the asset is Web-connected. Dynamic tag information 206 could include whether or not a virus has been found in the asset 224, whether or not an intrusion has been detected in the asset 224, and/or whether or not suspicious data has been transferred into or out of the asset 224.
The method and system of the embodiments leverage threat attributes such as OS supported, threat impact, impacted CVE ID, type (Web/Network), etc. and virtualization tags 202 such as EXTERNAL FACING, WEB, CRITICAL DATA, LOCATION, etc. to correlate with the CVE ID 220 of vulnerabilities reported by VA products. Since the method and system use environment specific details with a threat feed (i.e., a supplier of threat information 208), the derived prioritization is more accurate and meaningful than just the CVSS score 222 and the CVE ID 220. A vulnerability score 212, a threat score 214, and a contextual score 216 are combined to form a prioritization score 218. The prioritization score 218 can be applied to indicate the impact or severity of vulnerability, so that vulnerabilities can be prioritized as to which ones need attention or remediation. Below are the various scores 212, 214, 216, 218 and how they are calculated, in some embodiments. It should be appreciated that various further scales and various further calculations are readily devised in accordance with the teachings herein.

Vulnerability Score 212 represents CVSS Score 222 (Base or Temporal as reported by VA products), e.g., as associated or correlated with a particular vulnerability or exposure which may be accompanied by a CVE ID 220. This score is expressed on a scale of 1-10, or 0-10, in some embodiments.

Threat Score 214 represents threats correlated with vulnerabilities based on Threat Impact, OS Supported, Threat Type, etc. A score is derived in a scale of 1-10, in some embodiments.

Contextual Score 216 represents Tags 202 (both Static and Dynamic Tags) correlated with Threats and Vulnerabilities. A score is derived in a scale of 1-10, in some embodiments.

Prioritization Score 218 equals (Vulnerability Score 212 × Threat Score 214 × Contextual Score 216)/100. This is for a particular vulnerability or exposure, which is now prioritized.

Continuing with FIG. 2, the prioritization score 218 is proportional to the product of the vulnerability score 212, the threat score 214, and the contextual score 216, with or without various scaling factors in some embodiments. In further embodiments, the prioritization score 218 is a combination of the vulnerability score 212, the threat score 214, and the contextual score 216. For example, the prioritization score 218 could be a vector with each of the vulnerability score 212, the threat score 214, and the contextual score 216 expressed as a length along one of a number of mutually orthogonal axes, or the prioritization score 218 could be the magnitude of such a vector (i.e., the prioritization score 218 is equal to the square root of the sum of the squares of each of the vulnerability score 212, the threat score 214, and the contextual score 216, with or without scaling), etc. Further combinations of the vulnerability score 212, the threat score 214, and the contextual score 216, with or without scaling, to form a prioritization score 218 are readily envisioned.
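As an added example (not code from the patent or from Symantec), the Python below implements the three-dimensional correlation described for FIG. 2 together with the score combination and threshold step of FIG. 4: scanner vulnerability data 210 is correlated with threat information 208 on CVE ID, OS and application to give the threat score 214, tags 202 give the contextual score 216, and the prioritization score 218 is the product divided by 100, with the vector-magnitude alternative alongside. The tag weights, the scaling of threat impact by the number of matches, the 7.0 remediation threshold and the sample data are all assumptions.

```python
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class VulnerabilityData:
    """Vulnerability data 210 for one finding, as a VA scanner 314 reports it."""
    cve_id: str            # CVE ID 220
    base_cvss: float       # base CVSS score 222
    temporal_cvss: float   # temporal CVSS score 222
    os: str                # operating system the finding was reported on
    apps: tuple            # applications associated with the finding


@dataclass(frozen=True)
class ThreatInfo:
    """Threat information 208 from a threat intelligence system 316."""
    cve_ids: frozenset     # CVE IDs the threat exploits
    target_os: frozenset   # operating systems the threat targets
    target_apps: frozenset # applications the threat targets
    impact: float          # threat impact on 1-10 (assumed feed scale)
    threat_type: str       # "web" or "network"


@dataclass(frozen=True)
class Tags:
    """Tags 202 of an asset: static/operational 204 and dynamic/security 206."""
    static: frozenset = frozenset()
    dynamic: frozenset = frozenset()


# Tag weights are assumptions for illustration; the patent fixes only the 1-10 scale.
STATIC_TAG_WEIGHTS = {"INTERNET_FACING": 3, "WEB": 2, "CRITICAL_DATA": 3, "CRITICAL_SERVER": 2}
DYNAMIC_TAG_WEIGHTS = {"VIRUS_FOUND": 3, "INTRUSION_DETECTED": 4, "DATA_TRANSFERRED": 2}


def vulnerability_score(v, use="temporal"):
    """Vulnerability score 212: the base score, the temporal score, or their mean."""
    if use == "base":
        return v.base_cvss
    if use == "temporal":
        return v.temporal_cvss
    return (v.base_cvss + v.temporal_cvss) / 2


def threat_score(v, threats):
    """Threat score 214 on 1-10 (FIG. 4, steps 404-408). A threat correlates with the open
    vulnerability only on a CVE ID match; OS and application matches then scale the feed's
    impact. Returns the strongest correlated threat's score and that threat (or None)."""
    best_score, best_threat = 1.0, None
    for t in threats:
        if v.cve_id not in t.cve_ids:
            continue  # this threat does not exploit the open vulnerability
        matches = 1 + (v.os in t.target_os) + bool(set(v.apps) & t.target_apps)
        score = min(10.0, t.impact * matches / 3)
        if score > best_score:
            best_score, best_threat = score, t
    return best_score, best_threat


def contextual_score(tags, threat=None):
    """Contextual score 216 on 1-10 (FIG. 4, steps 410-412): static and dynamic tag
    information, plus one point when a web-type threat hits a WEB-tagged asset."""
    score = 1.0
    score += sum(STATIC_TAG_WEIGHTS.get(t, 0) for t in tags.static)
    score += sum(DYNAMIC_TAG_WEIGHTS.get(t, 0) for t in tags.dynamic)
    if threat is not None and threat.threat_type == "web" and "WEB" in tags.static:
        score += 1
    return min(10.0, score)


def prioritization_score(vs, ts, cs):
    """Prioritization score 218 = (vulnerability x threat x contextual) / 100, on 0-10."""
    return vs * ts * cs / 100


def prioritization_magnitude(vs, ts, cs):
    """Alternative from the text: magnitude of the three-axis vector, scaled by 1/sqrt(3)
    so that an asset scoring (10, 10, 10) still maps to 10."""
    return sqrt(vs ** 2 + ts ** 2 + cs ** 2) / sqrt(3)


def prioritize(v, threats, tags, threshold=7.0, use="temporal"):
    """FIG. 4, steps 402-416: compute the scores and flag the asset for remediation when
    the prioritization score meets the threshold (the 7.0 threshold is an assumption)."""
    vs = vulnerability_score(v, use)
    ts, threat = threat_score(v, threats)
    cs = contextual_score(tags, threat)
    ps = prioritization_score(vs, ts, cs)
    return {"vulnerability": vs, "threat": ts, "contextual": cs,
            "prioritization": ps, "remediate": ps >= threshold}


# Constructed sample input; the CVE IDs are placeholders, not real identifiers.
VULN = VulnerabilityData("CVE-0000-00001", 10.0, 9.5, "linux", ("apache",))
THREATS = [
    ThreatInfo(frozenset({"CVE-0000-00001"}), frozenset({"linux"}), frozenset({"apache"}), 9.0, "web"),
    ThreatInfo(frozenset({"CVE-0000-00002"}), frozenset({"windows"}), frozenset(), 10.0, "network"),
]
# The same finding on an internet-facing banking web server and on a LAN-only machine.
WEB_SERVER_TAGS = Tags(frozenset({"INTERNET_FACING", "WEB", "CRITICAL_DATA"}),
                       frozenset({"INTRUSION_DETECTED"}))
LAN_SERVER_TAGS = Tags()

if __name__ == "__main__":
    for name, tags in (("web server", WEB_SERVER_TAGS), ("LAN server", LAN_SERVER_TAGS)):
        print(name, prioritize(VULN, THREATS, tags))
```

With the sample data the identical CVSS-10 finding scores 8.55 on the internet-facing server and 0.855 on the LAN-only machine, which is the distinction the text draws between the two web servers.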
FIG. 3 is a system diagram of a contextual prioritization system that prioritizes vulnerabilities of the asset 224, based on contextual correlation in accordance with the concept diagrams of FIGS. 1 and 2. Virtual machines 318 and/or virtual applications 320 are implemented using physical computing resources 228, in a virtual computing environment 322. The asset 224 under consideration for prioritization of vulnerabilities could be one or more virtual machines 318 and/or one or more virtual applications 320, and various combinations thereof. A scanner 314, for example a VA scanner by QUALYS or RAPID7, performs vulnerability checks (i.e., scans) on the virtual machines 318 and the virtual applications 320, and reports vulnerability data 210, including a CVSS score 222. This may be accompanied by a CVE ID 220, which identifies a specific vulnerability or exposure, and which is now associated with the CVSS score 222 for a specific asset 224. The scanner 314 can be coupled to the virtual machines 318 and the virtual applications 320 by a network 324 in some embodiments.

Still referring to FIG. 3, a threat intelligence system 316, for example DEEPSIGHT, reports the latest list of threats in the wild 208. When reporting a specific threat, the threat information 208 may also identify a target operating system, a
target application, and a
