
VULCON: A System for Vulnerability Prioritization, Mitigation, and Management

Published: 12 June 2018

Abstract

Vulnerability remediation is a critical task in operational software and network security management. In this article, an effective vulnerability management strategy, called VULCON (VULnerability CONtrol), is developed and evaluated. The strategy is based on two fundamental performance metrics: (1) time-to-vulnerability remediation (TVR) and (2) total vulnerability exposure (TVE). VULCON takes as input real vulnerability scan reports, metadata about the discovered vulnerabilities, asset criticality, and personnel resources. VULCON uses a mixed-integer multiobjective optimization algorithm to prioritize vulnerabilities for patching, such that the above performance metrics are optimized subject to the given resource constraints. VULCON has been tested on multiple months of real scan data from a cyber-security operations center (CSOC). Results indicate an overall TVE reduction of 8.97% when VULCON optimizes a realistic security analyst workforce’s effort. Additionally, VULCON demonstrates that it can determine monthly resources required to maintain a target TVE score. As such, VULCON provides valuable operational guidance for improving vulnerability response processes in CSOCs.
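As an added illustration (not the paper's model or code), the following Python sketches the prioritization problem the abstract describes: a constructed set of scan findings with severity, asset criticality, remediation effort and age, an analyst-hour budget, and assumed definitions of TVE (summed exposure left unremediated) and TVR (mean age of what gets remediated). It contrasts a severity-first plan with an exhaustively optimized one; the real VULCON solves a mixed-integer multiobjective program that is not reproduced here.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Vuln:
    vid: str
    severity: float       # CVSS-style base score, 0-10
    criticality: int      # asset criticality weight, 1 (low) .. 3 (high)
    effort_hours: float   # analyst hours needed to remediate
    age_days: int         # days since the scanner first reported it

def exposure(v):
    """Assumed per-vulnerability exposure weight: severity scaled by asset criticality."""
    return v.severity * v.criticality

def tve(vulns, patched):
    """Assumed TVE: summed exposure of everything left unremediated after the cycle."""
    return sum(exposure(v) for v in vulns if v.vid not in patched)

def tvr(vulns, patched):
    """Assumed TVR: mean age in days of the vulns remediated this cycle (0 if none)."""
    ages = [v.age_days for v in vulns if v.vid in patched]
    return sum(ages) / len(ages) if ages else 0.0

def optimize(vulns, budget_hours):
    """Exhaustive search (small n only) for the patch set with the lowest TVE that
    fits the hour budget; ties go to the lower TVR."""
    best, best_key = frozenset(), (float("inf"), float("inf"))
    for k in range(len(vulns) + 1):
        for combo in combinations(vulns, k):
            if sum(v.effort_hours for v in combo) <= budget_hours:
                patched = frozenset(v.vid for v in combo)
                key = (tve(vulns, patched), tvr(vulns, patched))
                if key < best_key:
                    best, best_key = patched, key
    return best

def severity_first(vulns, budget_hours):
    """Baseline: patch in descending severity order until the budget runs out."""
    patched, used = set(), 0.0
    for v in sorted(vulns, key=lambda v: v.severity, reverse=True):
        if used + v.effort_hours <= budget_hours:
            patched.add(v.vid)
            used += v.effort_hours
    return frozenset(patched)

def tve_reduction_pct(vulns, baseline, optimized):
    """Percent TVE reduction of the optimized plan relative to the baseline plan."""
    base = tve(vulns, baseline)
    return (base - tve(vulns, optimized)) / base * 100.0

# Constructed scan findings (hypothetical ids and values), one remediation cycle
SCAN = [Vuln("V1", 9.8, 1, 8.0, 30), Vuln("V2", 7.5, 3, 2.0, 12),
        Vuln("V3", 6.5, 3, 2.0, 45), Vuln("V4", 5.0, 2, 1.0, 5),
        Vuln("V5", 9.0, 1, 6.0, 20)]
BUDGET = 8.0  # analyst hours available this cycle
```

With this input the severity-first plan spends the whole budget on V1, while the optimized plan remediates V2, V3 and V4 and leaves far less exposure behind.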
