The problems with secret algorithms in vulnerability management software

Many vulnerability prioritisation platforms available in the market use secret algorithms. We believe that this is a big problem, as the lack of transparency in the rules behind the ranking could lead to critical vulnerabilities being overlooked. In this article, we’ll explain why.

To start, let’s consider CVSS, or the Common Vulnerability Scoring System as it is otherwise known. It is a free and public framework for assessing the severity of security vulnerabilities, scoring each from 0 to 10, with 10 being the most severe. It doesn’t use a secret algorithm; it’s completely transparent, with scores based on the vulnerability’s exploitability and impact, and adjustable for the availability of remediating controls, such as a patch. With thousands of different types of vulnerabilities, this was seen as a great tool to quickly and easily support prioritisation. However, unless you then invest time in setting the additional, optional temporal and environmental metrics, it will not factor in any variation for the size or type of your business. As a result, the CVSS score on its own cannot be assumed to be accurate for your environment.

We believe there has to be more thought and consideration invested in the prioritisation process. We’re not the only ones who feel this way, which is why there are so many vulnerability prioritisation tools in the market. Yes, of course, the need to hand over or automate manual triage is huge, as it takes up so much of the precious time needed for remediation itself; but beyond that, prioritisation platforms exist to add value to the ranking process, with intelligence and more. The intended result is an effective vulnerability management program.

CVSS cannot be any more accurate; the volume of vulnerabilities it has to serve is too big. Our question to you is this: if a vulnerability prioritisation platform is hiding behind a secret algorithm, as many do, how can you be sure it is prioritising correctly for your business? Can you be confident that, among the thousands of clients it serves, each one is receiving a service tailored to its own environment? We’re certain you can’t.

Why? Well, aside from the sheer volume of clients it has to work with – that’s a lot of data to sort through and a lot of insight about each business to keep on top of – just how much does it really understand about your specific business? Consider size, industry, network, IT ecosystem, employee behaviours, extent of security training, size of the cybersecurity team, operations, etc. With so many factors making your business different, how well can a platform whose decision-making process you have played no part in shaping prioritise your vulnerabilities? How well does it really know your environment? A lack of that knowledge could lead to a vulnerability on a host that is completely segregated being prioritised over one on an unpatched web server. Disaster.

We understand the need to use algorithms: they enable technology companies to scale. Facebook, Amazon – they all use them. And we also understand the need to keep them secret: companies need to protect their IP. But that doesn’t mean it’s right for your vulnerability management program. Algorithms that don’t take the whole picture of a vulnerability into account can result in incorrect prioritisation.

We believe that transparency in vulnerability prioritisation is vital as it helps users to see how the platforms work and make the best use of them. 

With RankedRight, there are no secret algorithms. Our secret ingredient is you. You set the rules for prioritisation, using our rule book as a template and our industry-leading vulnerability intelligence as support. This means you have full transparency over why prioritisation decisions are made, and the peace of mind that they are made in full accordance with your business systems, policies, behaviours and needs.
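To make the idea of a transparent rule book concrete, here is an added illustration written for this article; it is not RankedRight's code and does not describe how its rule book is implemented. The rules, priority labels, team names and findings are all hypothetical. Each rule is plain data (a name, a condition, a priority and an owning team), rules are evaluated in order with the first match winning, and every decision returns the rule that fired plus the trail of rules evaluated, so anyone can audit why a finding landed where it did.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One vulnerability on one asset, with the business context a scanner cannot know."""
    host: str
    title: str
    cvss_base: float
    internet_facing: bool
    segregated: bool
    exploit_public: bool
    business_critical: bool


# Hypothetical rule book: an ordered list of (name, condition, priority, owning team).
# First match wins, so the order is itself part of the policy and is visible to everyone.
# Priority labels run from P1 (most urgent) to P4; the last rule is the catch-all.
RULE_BOOK = [
    ("public exploit against an internet-facing asset",
     lambda f: f.internet_facing and f.exploit_public, "P1", "web-team"),
    ("internet-facing asset with CVSS base >= 7.0",
     lambda f: f.internet_facing and f.cvss_base >= 7.0, "P2", "web-team"),
    ("business-critical internal asset with CVSS base >= 7.0",
     lambda f: f.business_critical and f.cvss_base >= 7.0, "P2", "platform-team"),
    ("segregated host with no public exploit",
     lambda f: f.segregated and not f.exploit_public, "P4", "lab-admins"),
    ("default: anything not matched above",
     lambda f: True, "P3", "platform-team"),
]

PRIORITY_ORDER = {"P1": 0, "P2": 1, "P3": 2, "P4": 3}


def decide(finding, rules=RULE_BOOK):
    """Return (priority, team, rule_name, trail). The trail lists every rule that was
    evaluated and whether it matched, so the decision can be audited line by line."""
    trail = []
    for name, condition, priority, team in rules:
        matched = bool(condition(finding))
        trail.append((name, matched))
        if matched:
            return priority, team, name, trail
    raise LookupError(f"no rule matched {finding.host}: the rule book needs a catch-all")


def triage(findings, rules=RULE_BOOK):
    """Order findings by priority, then by base score within a priority, each row
    carrying the team it goes to and the rule that justified the decision."""
    decided = []
    for f in findings:
        priority, team, rule, _ = decide(f, rules)
        decided.append((f.host, priority, team, rule, f.cvss_base))
    decided.sort(key=lambda row: (PRIORITY_ORDER[row[1]], -row[4]))
    return decided


# Constructed findings (hypothetical hosts and scores).
FINDINGS = [
    Finding("segregated-lab-host", "remote code execution", 9.8, False, True, False, False),
    Finding("public-web-server", "denial of service", 7.5, True, False, True, False),
    Finding("hr-database", "privilege escalation", 8.1, False, False, False, True),
    Finding("dev-laptop", "local information disclosure", 5.3, False, False, False, False),
]


if __name__ == "__main__":
    for host, priority, team, rule, score in triage(FINDINGS):
        print(f"{priority} {host:<22} base={score:<4} -> {team:<14} because: {rule}")
```

Note that the 9.8 on the segregated lab host ends up last, and the reason is printed next to it rather than buried in a score. Changing the outcome means editing a line of the rule book, which is a diff anyone on the team can read and review.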

Not only that, but you can play a part in setting rules for delegation too, factoring in the resources and skills you have across your team and assigning tasks accordingly. After all, the reason you use a prioritisation tool is to get to effective remediation more quickly, so the assignment of tasks has to be part of that too.

A final point we’ll leave with you if you’re on the fence about how important transparency is when it comes to vulnerability prioritisation: cyber insurance. No matter how hard we all work to protect our businesses from attack, breaches are still inevitable, hence the need for cover. By giving your insurer full confidence in the decision making process behind every action within your vulnerability management program, you can work to keep premiums down. 

Choose a platform that doesn’t keep secrets and puts you in control. 