Intelligent Prioritization: is it possible to discover and fix vulnerabilities while reducing hours of work?

Oct 26, 2021

Vulnerabilities in information systems and online applications have never been exploited so heavily. With more users and customers relying on digital services, especially during the pandemic, the market has grown like never before: global e-commerce, for example, reached a staggering $26 trillion in transactions, a figure that keeps rising. That historic growth, however, brings its own risks.

Security as a Competitive Advantage
The Brazilian market has responded: 57% of Brazilian companies have increased their investment in information security. Beyond securing the resources needed to sustain growth, this investment aims to protect the company's assets and processes. Many companies did so to comply with the General Data Protection Law (LGPD); others acted because of the alarming number of data breaches, fraud, cybercrimes, and attacks exploiting flaws and vulnerabilities in their systems.

The Need for Prioritization
It is no surprise that many managers, directors, and chief technology and security officers find themselves overwhelmed, as do their teams. To decide which flaw or vulnerability to mitigate first, it is crucial to prioritize by its impact, the likelihood of exploitation, and what the potentially affected assets mean to the business. This task becomes exhausting because of the sheer number of vulnerabilities and their technical complexity. It is common to hear that "everything is important," which only makes identifying, prioritizing, and resolving gaps harder.

Wasting Team Time
Companies often turn this work into a strenuous manual task. Traditional vulnerability-identification tools "prioritize" by technical severity alone, without considering the actual impact, the likelihood of exploitation, or the context of the company's assets. This repetitive, manual workload drains hours of analysts' time, is costly for the organization in man-hours, and diverts attention from the real issues.

To illustrate: an e-commerce company has specific needs, environments, and applications, and a vulnerability in its checkout flow poses a greater risk to it than the same vulnerability would to a company in another sector. If the tool does not understand the context of the environments and applications, there is no genuine prioritization, and the flaws that matter most to that organization remain unresolved.

Considering Impact, Probability, and Context
The outdated, inefficient approach to prioritization cannot keep up with the pace at which new technologies are adopted, the dynamism of agile, or the cycles of DevOps. It would require a specialist to evaluate the vulnerabilities in depth, one by one, separating the wheat from the chaff. Analysts would also have to assess the probability of each vulnerability actually being exploited in an attack and weigh its criticality: how significantly it would affect the technologies the company already uses and the business model itself.

Prioritization, Triage, and Automation
Unxpose's automated prioritization was developed with this problem in mind, focusing on curated vulnerabilities. Experts with decades of experience select, one by one, the most relevant flaws with a low probability of false positives, filtering out likely noise.

The solution then assesses the actual impact of each vulnerability in our database, and this exercise is repeated periodically to keep the impact information current. During curation, our specialists evaluate the real probability of the flaw being exploited by an attacker in today's landscape, considering the most common scenarios and threats. The solution also explains each finding clearly, along with its potential implications for the business. In this way, users know where to act first and why, optimizing resources and increasing efficiency.

Determining the Total Risk of an issue
Understanding the importance of assets to the company’s business is essential. Coupled with Asset Discovery, Unxpose utilizes proprietary technology called Asset Contextualization, whereby the platform learns the function of the assets within the company, evaluating their potential impact on the business. Should the user wish to increase or decrease the criticality of the assets, they have full autonomy for customization.

Unxpose Scoring, the algorithm behind automated prioritization, operates on these principles. The platform has four scoring levels, the Vulnerability Score, Asset Score, Asset Group Score, and Category Score, which roll up into the overall Unxpose Score.
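To make the idea of impact x likelihood x asset context concrete, and to show how per-vulnerability scores can roll up through assets, asset groups and categories into one overall figure, here is an added, self-contained example. It is illustrative code written for this page, not Unxpose's scoring algorithm: the weighting formula, the noisy-OR roll-up, the false-positive triage threshold, and the sample assets and findings are all assumptions, and the numbers are constructed. It also demonstrates the e-commerce point made earlier: the same finding on a high-criticality checkout asset outranks the identical finding on a low-criticality blog.

```python
from collections import defaultdict
from dataclasses import dataclass
from math import prod

# Everything below (field names, weights, thresholds, sample data) is an
# assumption made for this illustration; it is not Unxpose's model or data.


@dataclass(frozen=True)
class Asset:
    name: str
    group: str          # asset group, e.g. "payments"
    criticality: float  # 0..1 business importance; a user may raise or lower it


@dataclass(frozen=True)
class Vulnerability:
    id: str
    asset: str             # Asset.name the finding was observed on
    category: str          # finding category, e.g. "web" or "network"
    impact: float          # 0..10 technical severity (CVSS-like base score)
    likelihood: float      # 0..1 curated probability of real-world exploitation
    false_positive: float  # 0..1 estimated probability the finding is noise


def vulnerability_score(v: Vulnerability, asset: Asset) -> float:
    """Risk 0..10 = impact x exploitation likelihood x asset context.

    The context weight runs 0.5..1.0, so a low-value asset halves the
    score but never zeroes it; the false-positive estimate discounts
    findings that curation considers probable noise.
    """
    context = 0.5 + 0.5 * asset.criticality
    return round(v.impact * v.likelihood * (1 - v.false_positive) * context, 2)


def combine(scores) -> float:
    """Roll several 0..10 scores into one with a noisy-OR: the chance that at
    least one of them is exploited. Two medium issues outrank one, and the
    result never exceeds 10 or exceeds the sum of its parts."""
    scores = list(scores)
    if not scores:
        return 0.0
    return round(10 * (1 - prod(1 - s / 10 for s in scores)), 2)


def triage(vulns, max_false_positive: float = 0.5):
    """Drop findings more likely than not to be noise before scoring."""
    return [v for v in vulns if v.false_positive <= max_false_positive]


def score_everything(assets, vulns) -> dict:
    """Compute the four scoring levels and the overall score."""
    by_name = {a.name: a for a in assets}
    vscores = {v.id: vulnerability_score(v, by_name[v.asset]) for v in vulns}

    per_asset, per_category = defaultdict(list), defaultdict(list)
    for v in vulns:
        per_asset[v.asset].append(vscores[v.id])
        per_category[v.category].append(vscores[v.id])
    asset_scores = {name: combine(s) for name, s in per_asset.items()}

    per_group = defaultdict(list)
    for a in assets:
        per_group[a.group].append(asset_scores.get(a.name, 0.0))
    group_scores = {g: combine(s) for g, s in per_group.items()}

    return {
        "vulnerability": vscores,
        "asset": asset_scores,
        "group": group_scores,
        "category": {c: combine(s) for c, s in per_category.items()},
        "overall": combine(group_scores.values()),
    }


def prioritize(assets, vulns, max_false_positive: float = 0.5):
    """Triage, then rank surviving findings by score, highest first."""
    by_name = {a.name: a for a in assets}
    kept = triage(vulns, max_false_positive)
    ranked = sorted(kept, key=lambda v: vulnerability_score(v, by_name[v.asset]),
                    reverse=True)
    return [(v.id, vulnerability_score(v, by_name[v.asset])) for v in ranked]


# Constructed sample inventory: a checkout service and a marketing blog.
SAMPLE_ASSETS = [
    Asset("checkout", "payments", criticality=1.0),
    Asset("blog", "marketing", criticality=0.2),
]

# Constructed findings. V1 and V2 are the same flaw on different assets;
# V3 is low-impact and unlikely; V4 is almost certainly a false positive.
SAMPLE_VULNS = [
    Vulnerability("V1", "checkout", "web", impact=10.0, likelihood=0.8, false_positive=0.0),
    Vulnerability("V2", "blog", "web", impact=10.0, likelihood=0.8, false_positive=0.0),
    Vulnerability("V3", "checkout", "network", impact=5.0, likelihood=0.4, false_positive=0.5),
    Vulnerability("V4", "blog", "web", impact=9.0, likelihood=0.5, false_positive=0.9),
]


if __name__ == "__main__":
    for vid, score in prioritize(SAMPLE_ASSETS, SAMPLE_VULNS):
        print(f"{vid}: {score}")
    print(score_everything(SAMPLE_ASSETS, triage(SAMPLE_VULNS)))
```

Running it ranks V1 (8.0) above V2 (4.8) even though both carry the same technical severity and likelihood, because the checkout asset carries more business weight than the blog; V4 never reaches the ranking because triage discards it. The roll-up shows why a max-only aggregation would be a poor choice: the checkout asset scores 8.2 rather than 8.0 because it carries two live findings, and the overall score reflects both groups.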

By classifying and prioritizing each flaw, Unxpose feeds the vulnerability management dashboard, eliminating the need for a security specialist to perform these activities by hand and saving many valuable hours of work for analysts and their managers.