Security Bsides Las Vegas 2024

Reassessing 50k Vulnerabilities: Insights from SSVC Evaluations in Japan's Largest Telco
2024-08-06, Siena

The number of published vulnerabilities continues to increase year by year. As the largest telecom carrier in Japan, we provide fixed telecommunication services to more than 13 million customers. Dealing with the huge number of vulnerabilities in our large-scale IT infrastructure has always been challenging.

We created our own practical criteria for Stakeholder-Specific Vulnerability Categorization (SSVC), instead of CVSS, in order to prioritize and respond efficiently to each vulnerability. To evaluate the method, we applied it to over 50,000 relevant vulnerabilities published over the past few years, based on the software component information from hundreds of our actual services.

In the evaluation, “Immediate” vulnerabilities made up 8% of the total, which is far more realistic than responding to all of them. The results also show that the method effectively prioritizes vulnerabilities by taking into account attack possibility, open versus closed network, business impact, and so on.

In this presentation, we will describe the issues we faced, the problems with CVSS, and how we decided to adopt SSVC. We will share our SSVC method, its benefits, evaluation results, and how to use the method. We hope this presentation will help you with practical vulnerability management.


Detailed Description:

As Japan's largest telecommunications carrier, providing universal services designated by the government, we operate optical fiber infrastructure that enables our 13 million+ customers to use Internet and telephone services in over 99% of the area of eastern Japan. In addition to the network devices, such as routers, and related servers that make up the large-scale network, we also have a large number of internal servers in a closed network for operating and managing the telecom infrastructure. The vulnerabilities associated with this variety of assets are likewise vast and diverse.

We have struggled for many years to manage the huge number of vulnerabilities in our large-scale telecom infrastructure and IT systems. Because we protect critical infrastructure, the risk is never zero, even in a closed network, given recent advanced techniques and targeted attacks. In principle every single vulnerability should be responded to, but that is not realistic. Each vulnerability needs to be prioritized and responded to appropriately.

We started considering more efficient and appropriate vulnerability assessment methods 2 years ago. Our first approach was to use CVSS more effectively. In addition to the base metrics, we tried the environmental metrics, taking into account the Confidentiality, Integrity, and Availability requirements of each service and the impact of the vulnerability on CIA. We also tried the temporal metrics to account for attack possibility: exploit code maturity, remediation level, and report confidence. However, our evaluation results showed that taking each metric into account was not effective enough to change the CVSS score and the resulting priority. This is due to the fundamental mechanism of CVSS.

Our requirements for a new assessment method were: 1) the assessment logic is accountable; 2) it can prioritize and decide actions appropriately based on the risk of the vulnerability itself, the asset value of each service, and the possibility of attacks; 3) the number of high-priority vulnerabilities requiring immediate action is realistic to respond to. We finally focused on SSVC (Stakeholder-Specific Vulnerability Categorization) to meet these requirements.

We created our SSVC method in order to implement and practically use SSVC in our actual vulnerability management. The proposed method defines criteria for determining each input parameter, taking the actual enterprise environment into account, and remediation deadlines based on the output of our SSVC decision tree. Specifically, it defines how to determine the 4 input parameters: Exploitation, Exposure, Utility, and Human Impact.

We applied our SSVC method to over 50,000 relevant vulnerabilities published over the past few years, based on the software component information from hundreds of our actual services, and evaluated the method. These 50,000+ vulnerabilities had already been assessed and, where necessary, responded to in our previous vulnerability management workflow. To re-evaluate them with the new method, we extracted the information on each vulnerability and its related services from our vulnerability management database and evaluated them with our SSVC method. During this process we repeatedly customized and tuned the 4 parameters by trial and error, taking into account vulnerability-related information, our network structure, the importance of each service, and so on. Two people carried out this process over 10 days to ensure there were no discrepancies.

In the evaluation result, the “Immediate” vulnerabilities, which need the most urgent response, are 8% of the total, and the “Out-of-Cycle” vulnerabilities, which need the next earliest response, are 9%. Together they are 17%, which is far more realistic than responding to all of them.
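The following added example illustrates the shape of the method described above: a decision tree over the four inputs named in the talk (Exploitation, Exposure, Utility, Human Impact), a remediation deadline derived from the decision, and the share of each decision across a batch. The branch logic, deadline values, and sample records are simplified assumptions for illustration; they are neither the authors' criteria nor the CERT/CC published SSVC deployer tree.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed input value sets (same four parameters as the talk) and assumed
# remediation deadlines in days per decision; Defer has no deadline.
EXPLOITATION = ("none", "poc", "active")
EXPOSURE = ("small", "controlled", "open")
UTILITY = ("laborious", "efficient", "super effective")
HUMAN_IMPACT = ("low", "medium", "high", "very high")
DEADLINE_DAYS = {"Immediate": 7, "Out-of-Cycle": 30, "Scheduled": 90, "Defer": None}

@dataclass(frozen=True)
class Vuln:
    vid: str            # constructed placeholder id, not a real CVE
    exploitation: str
    exposure: str
    utility: str
    human_impact: str

def decide(v: Vuln) -> str:
    """Walk the assumed tree: exploitation -> exposure -> human impact / utility."""
    severe = v.human_impact in ("high", "very high")
    if v.exploitation == "active":
        if v.exposure == "open":
            return "Immediate" if severe or v.utility == "super effective" else "Out-of-Cycle"
        return "Out-of-Cycle" if severe and v.exposure == "controlled" else "Scheduled"
    if v.exploitation == "poc":
        if v.exposure == "open":
            return "Out-of-Cycle" if severe else "Scheduled"
        return "Scheduled" if severe else "Defer"
    # No known exploitation: only an Internet-facing, very-high-impact case gets a slot.
    return "Scheduled" if v.exposure == "open" and v.human_impact == "very high" else "Defer"

def deadline_days(v: Vuln):
    return DEADLINE_DAYS[decide(v)]   # remediation deadline follows the decision

def share(vulns) -> dict:
    """Percentage of each decision across a batch (the figure the talk reports)."""
    counts = Counter(decide(v) for v in vulns)
    return {d: round(100.0 * counts[d] / len(vulns), 1) for d in DEADLINE_DAYS}

# Constructed sample batch (ids are placeholders).
SAMPLE = [
    Vuln("V-001", "active", "open", "efficient", "high"),
    Vuln("V-002", "active", "open", "laborious", "low"),
    Vuln("V-003", "poc", "controlled", "efficient", "very high"),
    Vuln("V-004", "none", "small", "laborious", "medium"),
    Vuln("V-005", "poc", "open", "super effective", "high"),
]
```

Each branch of `decide` is a human-readable rule, which is what makes the result accountable in the sense of requirement 1 above: an "Immediate" verdict can be traced to the specific input values that produced it.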

All vulnerabilities classified as “Immediate” belong to public services connected to the Internet. The affected vendors include open source and commercial software for various servers and network devices. 73% are application-related and 27% are OS-related.

Regarding CVSS severities among the “Immediate” vulnerabilities, Critical is 15%, High is 50%, Medium is 33%, and Low is 2%. Critical and High together account for 65%, while Medium and Low account for 35%. This means that a policy of responding only to vulnerabilities of CVSS High or Critical severity would overlook the remaining 35%. From the perspective of CVSS Attack Vector (AV), Network was 67% and Local was 33%. Regarding Attack Complexity (AC), Low accounted for 49%, Medium for 48%, and High for only 3%. The results show that the method effectively prioritizes vulnerabilities by taking into account attack possibility, open versus closed network, business impact, and so on.

Our next goal is to improve the method for more appropriate and efficient vulnerability management. We are tuning the definitions of each parameter, and we are also working on automation and optimization of the entire vulnerability management cycle.

In our presentation, we will describe the issues we faced, the problems with CVSS, and how we decided to adopt SSVC, as mentioned above. We will share our SSVC method, its benefits, evaluation results, and how we use the method. We hope this presentation will help you with practical vulnerability management.

Outline:

We will cover the following in our presentation:

Introduction
- Recent Trends of Vulnerabilities
- Challenges in Vulnerability Management
- Recent Methods for Vulnerability Assessment

Previous Issues and Our Approach
- Problems of CVSS
- Requirements of New Vulnerability Assessment
- Our Approach

SSVC (Stakeholder-Specific Vulnerability Categorization)
- Basic Vulnerability Triage with SSVC
- SSVC decision tree

Our SSVC method
- Decision-making Criteria
  - Exploitation
  - Exposure
  - Utility
  - Human Impact
- Remediation deadlines
- Triage examples of our method

Evaluation Results of our SSVC method
- Evaluation results
- Discussion

Future Work and Conclusion
- Automation of Vulnerability Management
- Conclusion

Dr. Hirofumi Kawauchi is a SOC manager at NTT-ME. In his 10+ years in cyber security, he previously led incident response, vulnerability management, and Security by Design at NTT East, the largest telecom carrier in Japan. He also worked as a SOC analyst and on threat intelligence development, SIEM, and security device management for the Managed Security Service (MSS) at NTT Security US. After returning to Japan, he launched NTT East’s MSS as tech lead and developed its SOC infrastructure. He contributes to Japan’s telecom industry and to cyber security education by sharing his knowledge and experience at ICT-ISAC JAPAN, university classes, several events, etc. He holds CISSP, GPEN, GCFA, and AWS-SAP/SCS. He is also an NTT Group Certified Security Principal and holds a PhD in Engineering.