PNNL

Abstract

Vulnerability remediation is a critical task in operational software and network security management. In this paper, an effective vulnerability management strategy, called VULCON (VULnerability CONtrol), is developed and evaluated. The strategy is based on two fundamental performance metrics: i). Time-to-Vulnerability Remediation (TVR) and; ii). Total Vulnerability Exposure (TVE). VULCON takes as input real vulnerability scan reports, metadata about the discovered vulnerabilities, asset criticality, and personnel resources. VULCON uses a mixed integer multi-objective optimization algorithm to prioritize vulnerabilities for patching, such that the above performance metrics are optimized subject to the given resource constraints. VULCON has been tested on multiple months of real scan data from a Cyber-Security Operations Center (CSOC). Results indicate an overall Total Vulnerability Exposure reduction of 8.97\% when VULCON optimizes a realistic security analyst workforce's effort. Additionally, it is demonstrated that VULCON can determine monthly resources required to maintain a target TVE score. As such, VULCON provides valuable operational guidance for improving vulnerability response processes in CSOCs.