Abstract

We consider here the question of prioritizing the patching of security vulnerabilities to prevent network attacks. Patching all vulnerable machines at once in large modern organizations is not feasible because of the large scale of their networks and the inability to halt operation during maintenance. This article explores two aspects of security maintenance: a method for prioritizing vulnerability patches, and a visualization of the priorities to aid decision making. State-of-the-art methods rank vulnerabilities by analyzing the connectivity graph or the logical attack graph and present the results as a table, as a view of the organizational network with highlighted failure points, or even as the complete attack graph; in each case the human operator is flooded with a large amount of hardly comprehensible information. We propose a Network Topology Vulnerability Score (NTVS), which yields better results by ranking vulnerabilities in a planning graph, an interim data structure used by planners when analyzing logical attack graphs. We also propose a new abstracted presentation of the network to ease the comprehension of NTVS scores. The principal results obtained on two real networks show that patching vulnerabilities in the order prioritized by NTVS leads to a faster decrease in the number of available attack paths toward the critical assets. A user study with a panel of security experts shows that the proposed visualization is considerably better than current commercial tools, helping experts both to prioritize vulnerability patches and to explain their decisions to higher management and to operation teams.
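The abstract evaluates a patch ordering by how quickly it reduces the number of attack paths toward critical assets. The following is an added illustration of that metric, not code from the paper: it builds a small constructed logical attack graph (node names and `vuln-*` labels are placeholders), counts the simple attack paths that remain after a set of vulnerabilities is patched, and compares the resulting curve for two orderings. NTVS itself is not reproduced here; the greedy "patch the vulnerability that removes the most remaining paths" ordering is an assumed stand-in baseline used only to show how such curves are compared.

```python
"""Attack-path counting as an evaluation metric for patch prioritization.

Added example; the graph, vulnerability labels and the greedy baseline are
constructed for illustration and are not the paper's NTVS method.
"""
from typing import Dict, Iterable, List, Set, Tuple

Edge = Tuple[str, str, str]  # (source host, target host, vulnerability enabling the hop)

# Constructed logical attack graph. Each edge is usable only while the named
# vulnerability is unpatched. The attacker starts at "internet".
EDGES: List[Edge] = [
    ("internet", "web", "vuln-A"),
    ("internet", "vpn", "vuln-B"),
    ("web", "app", "vuln-C"),
    ("vpn", "app", "vuln-C"),
    ("app", "db", "vuln-D"),
    ("web", "db", "vuln-E"),
    ("vpn", "fileserver", "vuln-F"),
    ("fileserver", "db", "vuln-D"),
]
SOURCE = "internet"
CRITICAL: Set[str] = {"db"}  # critical asset(s) the defender wants to protect


def count_attack_paths(edges: Iterable[Edge], source: str, critical: Set[str],
                       patched: Set[str]) -> int:
    """Count simple paths from `source` to any critical host using unpatched edges."""
    adj: Dict[str, List[str]] = {}
    for src, dst, vuln in edges:
        if vuln in patched:
            continue  # patched vulnerability: the hop is no longer available
        adj.setdefault(src, []).append(dst)

    def dfs(node: str, visited: Set[str]) -> int:
        if node in critical:
            return 1  # a complete attack path reached a critical asset
        total = 0
        for nxt in adj.get(node, []):
            if nxt not in visited:  # simple paths only, no revisiting hosts
                total += dfs(nxt, visited | {nxt})
        return total

    return dfs(source, {source})


def greedy_patch_order(edges: List[Edge], source: str, critical: Set[str]) -> List[str]:
    """Assumed baseline: repeatedly patch the vulnerability whose removal leaves
    the fewest attack paths (ties broken by name). Not the paper's NTVS ranking."""
    vulns = sorted({v for _, _, v in edges})
    patched: Set[str] = set()
    order: List[str] = []
    while len(order) < len(vulns):
        best = min(
            (v for v in vulns if v not in patched),
            key=lambda v: (count_attack_paths(edges, source, critical, patched | {v}), v),
        )
        patched.add(best)
        order.append(best)
    return order


def remaining_paths_curve(edges: List[Edge], source: str, critical: Set[str],
                          order: List[str]) -> List[int]:
    """Number of attack paths left after each patch in `order`; a curve that
    drops to zero sooner means the ordering protected the critical asset faster."""
    patched: Set[str] = set()
    curve: List[int] = []
    for vuln in order:
        patched.add(vuln)
        curve.append(count_attack_paths(edges, source, critical, patched))
    return curve


if __name__ == "__main__":
    # Constructed "severity-first" order, standing in for a ranking that ignores topology.
    severity_order = ["vuln-E", "vuln-F", "vuln-C", "vuln-B", "vuln-A", "vuln-D"]
    greedy_order = greedy_patch_order(EDGES, SOURCE, CRITICAL)
    print("initial attack paths:", count_attack_paths(EDGES, SOURCE, CRITICAL, set()))
    print("severity-first:", severity_order,
          remaining_paths_curve(EDGES, SOURCE, CRITICAL, severity_order))
    print("path-greedy:   ", greedy_order,
          remaining_paths_curve(EDGES, SOURCE, CRITICAL, greedy_order))
```

The sum of the curve (paths remaining summed over patch steps) is a convenient single number for comparing orderings on the same graph; the faster-decreasing ordering has the smaller sum.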
