Mohanty

(10) Patent No.: US 9,692,778 B1
(45) Date of Patent: Jun. 27, 2017
`
`(54) METHOD AND SYSTEM TO PRIORITIZE
`VULNERABILITIES BASED ON
`CONTEXTUAL CORRELATION
`
(71) Applicant: Symantec Corporation, Mountain View, CA (US)
(72) Inventor: Shubhabrata Mohanty, Pune (IN)
(73) Assignee: Symantec Corporation, Mountain View, CA (US)
(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.

(21) Appl. No.: 14/538,599
(22) Filed: Nov. 11, 2014
`
(51) Int. Cl.
H04L 29/06 (2006.01)
G06F 9/455 (2006.01)
(52) U.S. Cl.
CPC ...... H04L 63/1433 (2013.01); G06F 9/45533 (2013.01)
(58) Field of Classification Search
CPC ......................... H04L 63/1433; G06F 9/45533
See application file for complete search history.
`
`(56)
`
`References Cited
`
`U.S. PATENT DOCUMENTS
`
`2009 OO77666 A1* 3, 2009 Chen ..................... GO6F 21,577
`726/25
`2013/019 1919 A1* 7/2013 Basavapatna ......... GO6F 21,577
`726/25
`
`2014/02O1836 A1* 7, 2014 Amsler ................... HO4L 63.20
`2014/0223555 A1
`8, 2014 Sanz Hernando ...... Goof'55
`726/22
`2/2015 Lee ..................... HO4L 63/1433
`726/25
`
`2015,0040228 A1
`
`OTHER PUBLICATIONS
`
`Mell et al., (The Common Vulnerability Scoring System (CVSS)
`and Its Applicability to Federal Agency Systems, NIST Interagency
`Report 7435, Aug. 2007, 33 pages).*
`Quinn et al. "Guide to Adopting and Using the Security Content
`Automation Protocol (SCAP) Version 1.0”, NIST Special Publica
`tion 800-117, Jul. 2010, 26 pages.*
`* cited by examiner
`Primary Examiner — Saleh Naijar
`Assistant Examiner — Oleg Korsak
`(74) Attorney, Agent, or Firm — Maschoff Brennan
`(57)
`ABSTRACT
A method for prioritizing vulnerabilities of an asset in a virtual computing environment is provided. The method includes determining a vulnerability score for the asset, based on at least one of a base vulnerability score or a temporal vulnerability score, and receiving information about a threat. The method includes correlating the information about the threat with information about the open vulnerabilities on the asset and also about the asset to determine a threat score for the asset, and determining a contextual score for the asset based on at least one tag of the asset. The method includes deriving a prioritization score for the asset, the prioritization score a combination of the vulnerability score, the threat score and the contextual score, wherein at least one method action is performed by a processor.
`
`20 Claims, 5 Drawing Sheets
`
`104
`
`102
`
`106
`
`
`
`
`
`Tags Category
`and
`Operational Tags
`
`Workload Context
`
`Dynamic
`Security Tags(Like
`in Vmware
`Reported by Various
`Point Products)
`
`
`
`
`
`Dynamic Info/
`Security
`Events
`
`
`
`WIZ, Inc. EXHIBIT - 1075
`WIZ, Inc. v. Orca Security LTD.
`
`
`
`U.S. Patent
`U.S. Patent
`
`Jun. 27, 2017
`Jun. 27, 2017
`
`Sheet 1 of 5
`Sheet 1 of 5
`
`US 9,692,778 B1
`US 9,692.778 B1
`
`
`
`104
`104
`
`102
`102
`
`106
`
`
`
`
`
`
`
`106
`
`
`Dynamic
`Dynamic
`
`
`Security Tags(Like
`Tags Category
`Security Tags(Like
`Tags Category
`
`
`
`
`in Vmware
`and
`in Vmware
`Workload COntext
`and
`Workload Context
`
`Operational Tags
`
`Reported by Various
`
`Reported by Various
`
`
`Point Products)
`Point Products)
`
`
`
`
`
`
`Operational Tags
`
`
`
` Dynamic Info/
`Events
`
`Dynamic Info/
`Security
`Security
`Events
`
`
`
`FIG. 1
`FIG. 1
`
`
`
Sheet 2 of 5

[FIG. 2: contextual correlation. Inputs are tags 202 (static and security) in a virtual environment such as VMware tags, comprising a tag category (critical servers, sensitive data, web), security tags (intrusion detected, virus found) and dynamic info such as data transferred, which together give the workload context; threat information 208 (severity, CVE ID, attack info, target apps, target OS); and vulnerability data 210 scanned by a VA scanner (Qualys, Rapid7) carrying a CVSS score with severity and exploitability. These yield a vulnerability score 212, a threat score and a contextual score, which combine into the prioritization score 218 for the asset 224. The resulting contextual prioritization lists, per vulnerability, possible exploitations, impact and priority for remediation. Further reference numerals in the figure: 204, 206, 220, 222, 226, 228.]
`
Sheet 3 of 5

[FIG. 3: system diagram. A computing device 302 with a processor 304 hosts a vulnerability module 306, a threat module 308, a contextual module 310, a prioritization module 312 and a remediation module. The vulnerability module receives vulnerability data with a CVSS score from a scanner; the threat module receives threat information with a CVE ID from a threat intelligence system 316; the contextual module receives tags 202 from virtual machines 318 and virtual applications 320 running on physical computing resources. The modules produce a vulnerability score 212, a threat score 214 and a contextual score 216, from which the prioritization module produces the prioritization score 218. Further reference numerals in the figure: 224, 322, 324.]
`
Sheet 4 of 5

[FIG. 4: flow diagram of the method.]
402 Determine vulnerability score for asset
404 Obtain threat information
406 Correlate open vulnerability information with threat
408 Determine threat score for asset
410 Correlate vulnerability data and tag information
412 Determine contextual score for asset
414 Determine prioritization score for asset based on vulnerability score, threat score, contextual score
416 Prioritization score meets threshold?
418 Determine remediation for asset
420 Apply remediation for asset
`
`
Sheet 5 of 5

[FIG. 5: exemplary computing device with a CPU 501, memory 503, a bus 505, an input/output device, mass storage and a display (reference numerals 507, 509, 511).]
`
`1.
`1
`METHOD AND SYSTEM TO PRIORITIZE
`METHOD AND SYSTEM TO PRIORITIZE
`VULNERABILITIES BASED ON
`VULNERABILITIES BASED ON
`CONTEXTUAL CORRELATION
`CONTEXTUAL CORRELATION
`
`BACKGROUND
`BACKGROUND
`
`Virtualization has redefined how IT ops (information
`Virtualization has redefined how IT ops (information
`technology operations) build and deliver assets in a virtu
`technology operations) build and deliver assets in a virtu-
`alized environment, where virtual machines or virtual appli
`alized environment, where virtual machines or virtual appli-
`cations (apps) go online or offline, or change Zones dynami
`cations (apps) go onlineoroffline, or change zones dynami-
`cally within minutes or hours. Traditional Vulnerability
`cally within minutes or hours. Traditional Vulnerability
`Assessment (VA) products which scan machines to report
`Assessment (VA) products which scan machines to report
`vulnerabilities have difficulties in a virtualized environment.
`Vulnerabilities have difficulties in a virtualized environment.
`A Snapshot of a Vulnerability assessment report of a system
`A snapshot of a vulnerability assessment report of a system
`provided in the past becomes obsolete within hours or
`provided in the past becomes obsolete within hours or
`minutes as virtual machines or workloads change positions
`minutes as virtual machines or workloads change positions
`within a virtualized environment. Consequently, in virtual
`within a virtualized environment. Consequently, in virtual-
`ized environments, any risks, threat exposures or known
`ized environments, any risks, threat exposures or known
`Vulnerabilities are constantly changing. A security opera
`vulnerabilities are constantly changing. A security opera-
`tions team needs a strong and continuous prioritization
`tions team needs a strong and continuous prioritization
`system to track critical vulnerabilities and take actions as
`system to track critical vulnerabilities and take actions as
`changes occur.
`changes occur.
`Vulnerability assessment products scan systems on
`Vulnerability assessment products
`scan systems on
`demand and report a list of known vulnerabilities in the form
`demandandreport a list of known vulnerabilities in the form
`of a CVSS (common vulnerability scoring system) score.
`of a CVSS (common vulnerability scoring system) score.
`With workloads constantly changing their positions, the
`With workloads constantly changing their positions,
`the
`same set of Vulnerabilities changes the exploitability surface
`same set of vulnerabilities changes the exploitability surface
`as well. The challenges presented include how to interpret
`as well. The challenges presented include how to interpret
`hundreds of vulnerabilities reported by these VA products
`hundreds of vulnerabilities reported by these VA products
`and how to identify specific vulnerabilities that truly repre
`and how to identify specific vulnerabilities that truly repre-
`sent a clear and present risk to security. The CVSS score (as
`sent a clear and presentrisk to security. The CVSSscore (as
`either a Base CVSS score or a Temporal CVSS score) does
`either a Base CVSS score or a Temporal CVSS score) does
`not consider the environment-specific characteristics of the
`not consider the environment-specific characteristics of the
`customer or the workload distribution and the threats that
`customer or the workload distribution and the threats that
`can exploit them based on the positioning of the workload.
`can exploit them based on the positioning of the workload.
`The CVSS Base or Temporal score only contains a CIA
`The CVSS Base or Temporal score only contains a CIA
`(confidentiality, integrity, availability) score and access vec
`(confidentiality, integrity, availability) score and access vec-
`tors to derive the importance of the information, but is not
`tors to derive the importance of the information, but is not
`Sufficient in a dynamic environment Such as in virtualization
`sufficient in a dynamic environmentsuchasin virtualization
`space. A CVSS score alone does not necessarily provide
`space. A CVSS score alone does not necessarily provide
`sufficient information for effective remediation prioritiza
`sufficient information for effective remediation prioritiza-
`tion.
`tion.
`It is within this context that the embodiments arise.
`It is within this context that the embodiments arise.
`
`10
`10
`
`15
`
`20
`
`25
`25
`
`30
`30
`
`35
`35
`
`40
`40
`
`SUMMARY
`SUMMARY
`
`45
`45
`
`50
`50
`
`In some embodiments, a method for prioritizing Vulner
`In some embodiments, a method for prioritizing vulner-
`abilities of an asset in a virtual computing environment is
`abilities of an asset in a virtual computing environmentis
`provided. The method includes determining a vulnerability
`provided. The method includes determining a vulnerability
`prioritization score for the asset, based on at least one of a
`prioritization score for the asset, based on at least one of a
`base vulnerability score or a temporal vulnerability score,
`base vulnerability score or a temporal vulnerability score,
`deriving virtual workload context and receiving information
`deriving virtual workload context and receiving information
`about a threat. The method includes correlating the infor
`about a threat. The method includes correlating the infor-
`mation about the threat with information about the asset to
`mation about the threat with information about the asset to
`determine a threat score for the asset and determining a
`determine a threat score for the asset and determining a
`contextual score for the asset based on virtual workload
`contextual score for the asset based on virtual workload
`context in turn is based on multiple tags of the asset as
`context in turn is based on multiple tags of the asset as
`provided by virtualization ecosystem like VMware, AWS,
`provided by virtualization ecosystem like VMware, AWS,
`etc. The method includes deriving a prioritization score for
`etc. The method includes deriving a prioritization score for
`the asset, the prioritization score a combination of the
`the asset,
`the prioritization score a combination of the
`Vulnerability score, the threat score and the contextual score,
`vulnerability score, the threat score and the contextualscore,
`wherein at least one method action is performed by a
`wherein at
`least one method action is performed by a
`processor.
`processor.
`In some embodiments, a tangible, non-transitory, com
`In some embodiments, a tangible, non-transitory, com-
`65
`puter-readable media having instructions thereupon which,
`puter-readable media having instructions thereupon which,
`65
`when executed by a processor, cause the processor to
`when executed by a processor, cause the processor to
`perform a method. The method includes obtaining one of a
`perform a method. The method includes obtaining one of a
`
`55
`55
`
`60
`60
`
`US 9,692,778 B1
`US 9,692,778 B1
`
`2
`2
`base common vulnerability scoring system (CVSS) score or
`base common vulnerability scoring system (CVSS) score or
`a temporal common Vulnerability scoring system score,
`a temporal common vulnerability scoring system score,
`concerning an asset in a virtual computing environment,
`concerning an asset in a virtual computing environment,
`receiving threat information, and generating a threat score
`receiving threat information, and generating a threat score
`for the asset, based on applicability of the threat information
`for the asset, based on applicability of the threat information
`to the asset. The method includes generating a contextual
`to the asset. The method includes generating a contextual
`score for the asset, based on information on at least one
`score for the asset, based on information on at least one
`dynamic or static tag of the asset from virtualization eco
`dynamic orstatic tag of the asset from virtualization eco-
`system and generating a prioritization score for the asset,
`system and generating a prioritization score for the asset,
`based on a multiplication of the contextual score, the threat
`based on a multiplication of the contextual score, the threat
`score and the one of the base common Vulnerability scoring
`score and the one of the base common vulnerability scoring
`system score or the temporal common Vulnerability scoring
`system score or the temporal common vulnerability scoring
`system score.
`system score.
`In some embodiments, a system for prioritizing Vulner
`In some embodiments, a system for prioritizing vulner-
`abilities of an asset in a virtual computing environment. The
`abilities of an asset in a virtual computing environment. The
`system includes a Vulnerability assessment module that
`system includes a vulnerability assessment module that
`obtains a vulnerability score for the asset and a threat
`obtains a vulnerability score for the asset and a threat
`intelligence system that provides a list of Vulnerabilities it
`intelligence system that provides a list of vulnerabilities it
`can exploit, generates a threat score assessing Vulnerability
`can exploit, generates a threat score assessing vulnerability
`of the asset to a threat, based on threat information and based
`of the assetto a threat, based on threat information and based
`on information about the asset from at least one tag of the
`on information about the asset from at least one tag of the
`asset received from virtualization ecosystem platform. The
`asset received from virtualization ecosystem platform. The
`system includes a contextual module that generates a con
`system includes a contextual module that generates a con-
`textual score based on workload contextof the asset relative
`textual score based on workload context of the asset relative
`to static aspects of the asset from the at least one tag and
`to static aspects of the asset from the at least one tag and
`dynamic aspects of the asset from the at least one tag or
`dynamic aspects of the asset from the at least one tag or
`security events and a prioritization module that multiplies
`security events and a prioritization module that multiplies
`together the threat score, the contextual score and the
`together the threat score,
`the contextual score and the
`Vulnerability Score to generate a prioritization score for the
`vulnerability score to generate a prioritization score for the
`asset. The system includes a processor coupled to the
`asset. The system includes a processor coupled to the
`Vulnerability module, the threat module, the contextual
`vulnerability module,
`the threat module,
`the contextual
`module and the prioritization module.
`module and the prioritization module.
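The multiplication of the three scores described above, carried through the steps of the FIG. 4 flow, as an added Python illustration; this is not code from the patent or from Symantec. The tag weights, the 0..1 threat severity, the floors applied to the threat and contextual factors and the remediation threshold are assumptions made for this example, and the scanner output, threat feed and tags are constructed inline with placeholder CVE identifiers. The sample data contrasts two web servers with the same open vulnerabilities, one internet-facing and tagged with an intrusion event, one on an internal network, plus a database server whose high-CVSS vulnerability has no matching threat.

```python
"""Contextual vulnerability prioritization in the shape of the FIG. 4 flow.

Added illustration, not code from the patent or from Symantec. The score
ranges, tag weights, floors and the remediation threshold are assumptions
chosen for this example; the scanner output, threat feed and tags are
constructed inline.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class OpenVulnerability:
    cve_id: str                            # placeholder IDs below, not real CVEs
    base_cvss: float                       # base CVSS score from the scanner
    temporal_cvss: Optional[float] = None  # temporal score when the scanner reports one


@dataclass
class Threat:
    cve_ids: set            # CVEs the threat is known to exploit
    target_os: set          # operating systems it targets (empty = any)
    severity: float         # assumed normalized threat severity in 0..1


@dataclass
class Asset:
    name: str
    os: str
    vulns: list
    static_tags: set = field(default_factory=set)   # operational tags from the platform
    dynamic_tags: set = field(default_factory=set)  # security tags written as events occur


# Assumed weights for static (operational) tags and dynamic (security) tags
STATIC_TAG_WEIGHTS = {"Critical Servers": 0.4, "Sensitive Data": 0.3,
                      "Web": 0.2, "Internet Facing": 0.3}
DYNAMIC_TAG_WEIGHTS = {"Intrusion Detected": 0.5, "Virus Found": 0.3}
THREAT_FLOOR = 0.1    # assumed: a zero factor would hide the asset from the ranking entirely
CONTEXT_FLOOR = 0.1   # assumed: untagged assets keep a small non-zero context
THRESHOLD = 4.0       # assumed remediation threshold on the 0..10 prioritization score


def vulnerability_score(asset):
    """Step 402: worst open vulnerability, preferring the temporal score (0..10)."""
    if not asset.vulns:
        return 0.0
    return max(v.temporal_cvss if v.temporal_cvss is not None else v.base_cvss
               for v in asset.vulns)


def threat_score(asset, threats):
    """Steps 404-408: a threat applies only if it exploits an open CVE on the
    asset and targets the asset's OS; the score is the strongest such threat."""
    open_cves = {v.cve_id for v in asset.vulns}
    score = 0.0
    for t in threats:
        if t.cve_ids & open_cves and (not t.target_os or asset.os in t.target_os):
            score = max(score, t.severity)
    return score


def contextual_score(asset):
    """Steps 410-412: sum of tag weights, capped at 1.0."""
    total = sum(STATIC_TAG_WEIGHTS.get(t, 0.0) for t in asset.static_tags)
    total += sum(DYNAMIC_TAG_WEIGHTS.get(t, 0.0) for t in asset.dynamic_tags)
    return min(1.0, total)


def prioritization_score(asset, threats):
    """Step 414: vulnerability x threat x context, the two lower factors floored."""
    v = vulnerability_score(asset)
    t = max(threat_score(asset, threats), THREAT_FLOOR)
    c = max(contextual_score(asset), CONTEXT_FLOOR)
    return round(v * t * c, 3)


def remediation_plan(asset, threats):
    """Steps 416-418: if the score meets the threshold, list the CVEs to fix,
    those exploited by an applicable threat first, then by base CVSS.
    Returns an empty list when the asset does not meet the threshold."""
    if prioritization_score(asset, threats) < THRESHOLD:
        return []
    exploited = set()
    for t in threats:
        if not t.target_os or asset.os in t.target_os:
            exploited |= t.cve_ids
    ordered = sorted(asset.vulns,
                     key=lambda v: (v.cve_id in exploited, v.base_cvss), reverse=True)
    return [v.cve_id for v in ordered]


# Constructed sample data (placeholder CVE IDs, not real ones)
THREATS = [Threat(cve_ids={"CVE-EXAMPLE-0001"}, target_os={"Linux"}, severity=0.9)]
WEB_VULNS = [OpenVulnerability("CVE-EXAMPLE-0001", 10.0, 9.1),
             OpenVulnerability("CVE-EXAMPLE-0002", 5.0)]
ASSETS = [
    Asset("web01", "Linux", list(WEB_VULNS),
          {"Critical Servers", "Web", "Internet Facing"}, {"Intrusion Detected"}),
    Asset("lan-web02", "Linux", list(WEB_VULNS), {"Web"}),
    Asset("db01", "Windows", [OpenVulnerability("CVE-EXAMPLE-0003", 7.5)],
          {"Critical Servers", "Sensitive Data"}),
]


def rank_assets(assets=ASSETS, threats=THREATS):
    """Rank assets by prioritization score, highest first."""
    return sorted(((a.name, prioritization_score(a, threats)) for a in assets),
                  key=lambda x: x[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank_assets():
        print(f"{name:10s} {score:6.3f}")
```

Because the three scores are multiplied, a zero in any one factor removes the asset from the ranking altogether; the example floors the threat and contextual factors so that an asset with no matching threat intelligence or no tags is ranked low rather than dropped. With the constructed data the internet-facing server scores 8.19 and meets the threshold, the same vulnerabilities on the internal server score 1.638, and the database server's unthreatened CVSS 7.5 finding scores 0.525.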
Other aspects and advantages of the embodiments will become apparent from the following detailed description taken in conjunction with the accompanying drawings which illustrate, by way of example, the principles of the described embodiments.
`
BRIEF DESCRIPTION OF THE DRAWINGS

The described embodiments and the advantages thereof may best be understood by reference to the following description taken in conjunction with the accompanying drawings. These drawings in no way limit any changes in form and detail that may be made to the described embodiments by one skilled in the art without departing from the spirit and scope of the described embodiments.

FIG. 1 is a schematic diagram illustrating the workload context of an asset in a virtual environment in some embodiments.

FIG. 2 is a schematic diagram, showing how threat information, scanned vulnerability data and tag information for the asset are combined into a contextual correlation, so that a prioritization score is produced in some embodiments.

FIG. 3 is a system diagram of a contextual prioritization system that prioritizes vulnerabilities of the asset, based on contextual correlation in accordance with the concept diagrams of FIGS. 1 and 2 in some embodiments.

FIG. 4 is a flow diagram of a method of prioritizing vulnerabilities of an asset in a virtual environment in some embodiments.

FIG. 5 is an illustration showing an exemplary computing device which may implement the embodiments described herein.
`
DETAILED DESCRIPTION

A contextual prioritization system and a related method of prioritizing vulnerabilities of an asset in a virtual environment produce a prioritization score for the asset, relating to vulnerabilities, threats and a workload context of the asset. By correlating and combining threat information, vulnerability data and workload context, and rapidly updating the prioritization score that results from such analysis, the disclosed system and method provide information that is more context-based than the CVSS (common vulnerability scoring system) score.

Adding dynamic context about which vulnerabilities are being exploited using known exploits, and relating this to environmental characteristics of an asset, provides an improved mechanism of determining whether or not a given virtual machine or virtual application is at high risk from an attack perspective. Considering only a CVSS score reported by a VA (vulnerability assessment) product could be misleading or insufficient, as the CVSS score does not consider factors of the asset environment that drive the criticality or risk exposure of the asset. For example, a high CVSS score could be indicated for an asset that has a low risk of being exploited in some instances. Meanwhile, an asset with a high vulnerability but a low CVSS score may still be attacked depending upon other environmental factors in the asset environment, such as threats associated with the vulnerability, probability of attack based on workload or VM (virtual machine) positioning, compensating controls or primary controls present in the asset environment, etc.

Security Operations (also referred to as Sec Ops) teams need solutions that help them distinguish the critical vulnerabilities from the noise or false positives. For example, a mission-critical Internet banking web server may have multiple known vulnerabilities, but which of those present genuine risk to the organization may be unknown. Various embodiments of a system and method described below identify assets as to criticality of vulnerability, thereby lowering the incidence of false positives and increasing awareness of assets that are critical, which may require immediate attention of a security operations team. This solves a critical problem in the virtualization space, by identifying, correlating, calculating and determining the prioritization of vulnerabilities that pose serious risk to an organization that has operating assets in a virtualized environment.

The system and method employ an algorithm that correlates vulnerabilities with contextual information such as threat data and virtualization tags (e.g., as provided in the virtualization environment by a vendor such as VMware, etc.). The algorithm works on a three dimensional (or three axis) model in some embodiments. The three dimensions are summarized below:

Dimension#1—Vulnerability (e.g., as reported by vulnerability assessment products). Related data could include base/temporal CVSS score, common vulner-

FIG. 1 is a schematic diagram of the workload context 102 of an asset in a virtual environment. Insights into various aspects of the workload context 102 provide guidance into operation of the system and method. When an asset (e.g., a virtual machine or a virtual application) is created and deployed in a virtual environment, information about the asset can be written as metadata to one or more tags (see FIGS. 2 and 3). Further information can be written to tags as situations occur. Static tags 104 have information about tag categories, i.e., each tag category could have one or more tags as information about the asset. These static tags 104 could also be referred to as operational tags, in that the static tag 104 specifies aspects of the operation of the asset. Static tag information affects the workload context 102 of the asset. Dynamic tags 106 have information that is subject to change during the lifespan of the asset. Dynamic tags 106 can also be referred to as security tags, since the changing information is of interest regarding security of the asset. Dynamic tag information affects the workload context 102 of the asset. Dynamic information and security events 108 affect the workload context 102, particularly as to vulnerability of the asset. Some of the dynamic information and security events can be written to the dynamic tags 106.

FIG. 2 is a schematic diagram, showing how threat information 208, scanned vulnerability data 210 and workload context as tags, information 204, 206, for the asset 224 are combined into a contextual correlation, so that a prioritization score 218 is produced in some embodiments. Threat information 208 comes from one or more threat intelligence systems (see FIG. 3). Vulnerability data 210 comes from one or more scanners (see FIG. 3). Tag information 204, 206 comes from one or more tags 202 of the asset 224 in the virtualization ecosystem, such as VMware. Threat intelligence systems such as DEEPSIGHT provide threat information 208 about external threats. The embodiments of the system and method described herein correlate vulnerabilities with emerging threats to derive threat exposure, the risk the vulnerability poses, and the importance of remediating such risk. Threats play an important role in deriving the exploitability characteristics of a vulnerability depending on the asset environment. For example, a vulnerability found on an internet-facing web server with a CVSS score of "10" may have a serious impact if exposed to an external threat, as compared to the same vulnerability existing on a web server that is sitting in a LAN (local area network) with an exposure to the same threat but with a low impact. Threat information 208 reported by systems such as DEEPSIGHT or other systems may include a common vulnerabilities and exposures identifier (CVE ID) 220 that identifies a specific vulnerability and/or a specific exposure that a particular threat exploits, the operating system (OS) targeted by a particular threat, the threat impact, a specific threat type