Data-driven cyber: empowering government security with focused insights from data

Recently, the NCSC has been enhancing its approach to data-driven cybersecurity (DDC). The aim is to foster an evidence-based mindset for cybersecurity decisions, both in offering guidance to external organisations and in managing our internal security protocols.

The complexity of enterprise cybersecurity is on the rise, leading many teams to hesitate in integrating an extra ‘data layer’ for fear of being overwhelmed. This post seeks to illustrate how focusing on clear, manageable insights can facilitate the embrace of data-driven cybersecurity.

This example illustrates a partnership between two divisions within the NCSC:

  • the Vulnerability Reporting Service (VRS)
  • the Data Campaigns and Mission Analytics (DCMA) team

The Vulnerability Management Team spearheads the NCSC’s response to vulnerabilities, whereas DCMA applies its data science and analytical expertise to furnish the NCSC Government Team with evidence-backed security insights.

Actionable Insights to Drive Decisions

Many government teams, including the VRS, collect and analyse extensive data. The dilemma lies in determining the optimal way to analyse this data, compounded by a common misconception that valuable insights necessitate a complete renovation of existing workflows.

This misconception arises from the belief that executing DDC means funneling all data into an intricate ‘master formula’ to uncover hidden insights. Instead, it’s crucial to understand that DDC, particularly in its nascent stages, should be perceived as a mechanism for generating ‘small yet actionable insights’ that enhance decision-making. By adopting a simpler and more concentrated approach, significant advantages can be realised.

Vulnerability Avoidability Assessment

In the case of the VRS, we pursued this very strategy, starting with the available datasets and concentrating on a singular insight that could lead to a substantial, evidence-based dialogue about security.

We developed the Vulnerability Avoidability Assessment (VAA), an analysis tool that uses two internal data sources and one public source to ascertain the percentage of vulnerability reports attributable to outdated software. The data sources included:

  • number of vulnerability reports received by VRS
  • number of reports listing outdated software as a factor
  • public vulnerability disclosure database

This analytic was designed with the understanding that patch management is a category of vulnerability amenable to change, facilitating a deeper examination of the connection between patch management and vulnerabilities reported to the VRS, thus cultivating a meaningful discussion on prevention and reduction strategies.

Our Insights

We gained valuable insights into the ramifications of unpatched software on government systems by comparing the number of vulnerability reports stemming from outdated software with data from an open-source database. This provided insights into how long these vulnerabilities had been publicly known and the timeline of when patches were issued.

Employing the discussed approach, we defined an ‘avoidable vulnerability’ as one that has been publicly acknowledged for sufficient time, to the degree that a diligent organisation would be expected to have implemented the necessary updates and patches.

Our assessment of 2022’s data revealed that each month, the VRS received a significant volume of vulnerability reports directly linked to outdated software, with percentages ranging from 1.6% to a peak of 30.7% in a single month, throughout the year.

Month (2022)   Total Vulnerability Reports   Vulnerabilities due to Unpatched Software   Proportion of Avoidable Vulnerabilities (%)
January        64                            3                                           4.7
February       58                            9                                           15.5
March          128                           36                                          28.1
April          101                           31                                          30.7
May            92                            15                                          16.3
June           141                           34                                          24.1
July           65                            0                                           0
August         81                            8                                           9.9
September      58                            4                                           6.9
October        62                            1                                           1.6
November       88                            8                                           9.1
December       97                            7                                           7.2

Table 1. Comparison of out-of-date software reports with total vulnerability reports throughout 2022.

We further examined the duration that software vulnerabilities remained unpatched before exploitation. Referring to NCSC guidelines, which advise applying all updates for critical or high-risk vulnerabilities within 14 days (NCSC Cyber Essentials guidance on ‘Security Update Management’, Page 13), we established a consistent timeframe of 30 days for applying patches, irrespective of severity. By segmenting the timelines into these intervals, we discovered that 70% of outdated software vulnerabilities reported to the VRS had gone unpatched for beyond 30 days.
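As an added illustration (not the NCSC's own VAA tooling), the following Python applies the two measures described above to a small constructed dataset: the monthly proportion of reports citing outdated software, and the share of those reports whose fix had been publicly known for more than the 30-day window. The report records, CVE-style identifiers and disclosure dates are all constructed placeholders, and the `Report` structure is an assumption about how such data might be held.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Patching window used on the page: a vulnerability public for longer than this
# before the report was received counts as "avoidable".
AVOIDABLE_AFTER_DAYS = 30


@dataclass
class Report:
    received: date             # date the VRS received the report
    outdated_software: bool    # report lists outdated software as a factor
    cve: Optional[str]         # identifier to look up in the public database


# Constructed stand-in for the public disclosure database (placeholder ids).
DISCLOSURES: Dict[str, date] = {
    "CVE-0000-0001": date(2022, 1, 1),
    "CVE-0000-0002": date(2022, 2, 20),
    "CVE-0000-0003": date(2021, 6, 1),
}

# Constructed sample reports covering two months.
REPORTS: List[Report] = [
    Report(date(2022, 3, 5), True, "CVE-0000-0001"),    # public 63 days
    Report(date(2022, 3, 10), True, "CVE-0000-0002"),   # public 18 days
    Report(date(2022, 3, 15), False, None),
    Report(date(2022, 3, 20), True, "CVE-0000-0003"),   # public 292 days
    Report(date(2022, 4, 2), False, None),
    Report(date(2022, 4, 25), True, "CVE-0000-0002"),   # public 64 days
]


def monthly_proportions(reports: List[Report]) -> Dict[str, Tuple[int, int, float]]:
    """Per month: (total reports, outdated-software reports, percentage), as in Table 1."""
    totals: Dict[str, int] = defaultdict(int)
    outdated: Dict[str, int] = defaultdict(int)
    for r in reports:
        month = r.received.strftime("%Y-%m")
        totals[month] += 1
        if r.outdated_software:
            outdated[month] += 1
    return {m: (totals[m], outdated[m], round(100 * outdated[m] / totals[m], 1))
            for m in sorted(totals)}


def share_known_longer_than(reports: List[Report], disclosures: Dict[str, date],
                            threshold_days: int = AVOIDABLE_AFTER_DAYS) -> float:
    """Percentage of outdated-software reports whose CVE was public for more than the window."""
    ages = [(r.received - disclosures[r.cve]).days
            for r in reports if r.outdated_software and r.cve in disclosures]
    if not ages:
        return 0.0
    return round(100 * sum(a > threshold_days for a in ages) / len(ages), 1)
```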

[Chart: vulnerability response timeframe]

Chart 1. Duration for which a vulnerability has been publicly known.

This newfound awareness allowed the VRS team to engage in evidence-based discussions with stakeholders regarding their patch management strategies, equipping them with data insights to support arguments aimed at significantly decreasing the number of vulnerability reports related to government systems.

Final Thoughts

The path towards DDC underscores the crucial value of utilising data for making informed security decisions. The collaboration between the VRS and DCMA provides a definitive illustration of how data can successfully guide decision-making. Organisations must recognise that implementing DDC does not require a complete revamp of existing frameworks; instead, it focuses on deriving small yet impactful insights that can influence behaviours and decisions.

Joshua L
Data Scientist, NCSC

Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/blog-post/data-driven-cyber-empowering-security-focused-insights
