Abstract:
The ever-increasing trend of discovery of new vulnerabilities has created a challenge
enterprise and organization to secure themselves from the associated threats. The past
few years alone have witnessed many such critical vulnerabilities which were reported
to cost considerable losses to the organizations. Although vendors and developers
publish patches before an exploit is made publicly available but due to the
unmanageable problem of deploying patches in the production environment,
organizations fail to secure their systems and the exploits make way into their
infrastructure. This is attributed towards the multi-dimensional challenges faced by the
organizations such as production downtime, cost of patching versus the available
resources and the potential impact of running into an unforeseen issue and loss of
business both in terms of reputation and profit.
This has given rise to finding out methods in cases of emergency patching, where
waiting for periodic cycle is not tolerable for organization to prioritize the enterprise’s
most valuable assets which can be secured against the vulnerabilities while keeping
downtime and business loss to the minimum. While the efforts have produced various
models and results, they have only been able to produce a generic output which do not
provide a solution to every enterprise with various business dynamics. One such
example is the Common Vulnerability Scoring System (CVSS). Although CVSS tries
to accommodate environmental factors, but it lacks the knowledge of various
organizational processes and challenges faced in patching. We have provided an asset
prioritization solution based on the CVSS framework and enriching it with
organizational constraints by following the weighted sum model.
To make it more organization specific, we have allowed the input of business
constraints and resources and employed SMT solvers to produce a solution which is
more specific and provides opportunity to secure maximum number of valuable assets
under those constraints for a specific vulnerability. The outcome of this research is
validated by subject matter experts and have been found to be helpful than the
approaches they have been following in the past.
