VULCON: A System for Vulnerability Prioritization, Mitigation, and Management

Bibliographic Details
Published in: ACM Transactions on Privacy and Security, Vol. 21, no. 4, pp. 1-28
Main Authors: Farris, Katheryn A.; Shah, Ankit; Cybenko, George; Ganesan, Rajesh; Jajodia, Sushil
Format: Journal Article
Language: English
Published: United States, 30.11.2018

Summary: Vulnerability remediation is a critical task in operational software and network security management. In this article, an effective vulnerability management strategy, called VULCON (VULnerability CONtrol), is developed and evaluated. The strategy is based on two fundamental performance metrics: (1) time-to-vulnerability remediation (TVR) and (2) total vulnerability exposure (TVE). VULCON takes as input real vulnerability scan reports, metadata about the discovered vulnerabilities, asset criticality, and personnel resources. VULCON uses a mixed-integer multiobjective optimization algorithm to prioritize vulnerabilities for patching, such that the above performance metrics are optimized subject to the given resource constraints. VULCON has been tested on multiple months of real scan data from a cyber-security operations center (CSOC). Results indicate an overall TVE reduction of 8.97% when VULCON optimizes a realistic security analyst workforce's effort. Additionally, VULCON demonstrates that it can determine the monthly resources required to maintain a target TVE score. As such, VULCON provides valuable operational guidance for improving vulnerability response processes in CSOCs.
Bibliography: PNNL-SA-133665
Sponsor: USDOE
Contract: AC05-76RL01830
ISSN: 2471-2566; 2471-2574
DOI: 10.1145/3196884