Recently, the NCSC has intensified its focus on data-driven cyber strategies (DDC). Our primary aim is to promote the implementation of an evidence-based approach to cyber security decisions, both in our guidance to external organizations and in our internal security measures.
We recognize that enterprise-level cyber security is increasingly complex, leading many teams to hesitate in embracing an additional ‘data layer’ out of fear of being overwhelmed. Through this blog post, we seek to illustrate how concentrating on manageable, actionable insights can empower teams to adopt data-driven cyber security effectively.
Our example illustrates a partnership between two departments within the NCSC:
- The Vulnerability Reporting Service (VRS)
- The Data Campaigns and Mission Analytics (DCMA) team
The Vulnerability Management Team spearheads the NCSC’s efforts to address vulnerabilities, while the DCMA team utilizes their data science and analysis skills to furnish the NCSC Government Team with vital evidence-based security insights.
Small Actionable Insights Propel Action
Numerous government teams, including the VRS, collect and oversee extensive amounts of valuable data. They face the challenge of effectively analyzing this data amidst the belief that generating useful insights necessitates a complete transformation of current workflows.
This belief is rooted in the misconception that deploying DDC entails integrating all data into a sophisticated ‘master formula’ to derive hidden insights and stories. However, it is crucial to view DDC as a tool for generating ‘small yet actionable insights’ that can enhance decision-making, especially at the outset. This simpler and focused strategy can yield substantial benefits.
Vulnerability Avoidability Assessment
In the scenario involving the VRS, we took that approach by starting with the available data sets and focusing on a single insight that could foster a significant evidence-based security dialogue.
To achieve this, we developed the Vulnerability Avoidability Assessment (VAA), an analysis that utilizes two internal data sources and one external source to assess the proportion of vulnerability reports stemming from outdated software. The data sources included:
- The total number of vulnerability reports received by VRS
- The number of reports identifying outdated software as a reason
- A public vulnerability disclosure database
This analysis was created on the understanding that patch management is a known area of weakness that can be addressed, and that examining the relationship between patch management and the vulnerabilities reported through the VRS would provide a basis for discussions on how these vulnerabilities might be averted or reduced.
Our Analysis
We obtained a deeper understanding of the repercussions of unpatched software on government systems by comparing the number of vulnerability reports linked to outdated software with data from an open-source database. This database provided estimates on how long these vulnerabilities had been publicly accessible and when corresponding patches became available.
By applying this methodology, we defined an ‘avoidable vulnerability’ as one that has been publicly known for a significant duration, to the point where a responsible organization would be expected to have implemented the necessary updates and patches.
Our examination of data from 2022 revealed that each month the VRS received a significant number of reports corresponding to software that had not been updated. This ranged from 1.6% to a peak of 30.7% of the vulnerabilities reported in a single month over the course of the year.
Table 1. Total Number of Outdated Software Reports Compared to All Vulnerability Reports Received in 2022.
Month (2022) | Total Vulnerability Reports | Reports of Unpatched Software | Proportion of Avoidable Vulnerabilities (%) |
---|---|---|---|
Jan | 64 | 3 | 4.7 |
Feb | 58 | 9 | 15.5 |
Mar | 128 | 36 | 28.1 |
Apr | 101 | 31 | 30.7 |
May | 92 | 15 | 16.3 |
Jun | 141 | 34 | 24.1 |
Jul | 65 | 0 | 0 |
Aug | 81 | 8 | 9.9 |
Sep | 58 | 4 | 6.9 |
Oct | 62 | 1 | 1.6 |
Nov | 88 | 8 | 9.1 |
Dec | 97 | 7 | 7.2 |
We also explored how long software vulnerabilities had remained unpatched before being exploited. Referring to NCSC guidance, which advises that all updates for high-risk vulnerabilities should be applied within 14 days (NCSC Cyber Essentials guidance on ‘Security Update Management’, Page 13), we adopted a 30-day threshold as a uniform timeline for applying patches, irrespective of severity. By grouping the durations against this threshold, we found that 70% of the outdated-software vulnerabilities reported to the VRS involved software that had been left unpatched for more than 30 days.

Chart 1. Duration for which a vulnerability remained in the public domain.
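The VAA described above, reduced to code as an added illustration (this is not the NCSC's or DCMA's own tooling): each VRS report is joined to the date a patch became public, the monthly proportion of outdated-software reports is computed as in Table 1, and the outdated reports are bucketed against the 14-day guidance and the 30-day threshold. The `Report` record, its field names and the sample reports are assumptions constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Uniform patching timeline adopted by the VAA regardless of severity
AVOIDABLE_AFTER_DAYS = 30


@dataclass(frozen=True)
class Report:
    """One VRS report joined with the public disclosure database (assumed schema)."""
    report_id: str
    received: date
    outdated_software: bool          # VRS triage cited outdated software as the cause
    patch_available: Optional[date]  # date a fix became public; None if not matched


def days_patch_public(r: Report) -> Optional[int]:
    """Days between the patch becoming available and the report being received."""
    if r.patch_available is None:
        return None
    return (r.received - r.patch_available).days


def age_bucket(days: int) -> str:
    """Bucket a duration against the 14-day guidance and the 30-day threshold."""
    if days <= 14:
        return "0-14 days"
    if days <= AVOIDABLE_AFTER_DAYS:
        return "15-30 days"
    return "over 30 days"


def assess(reports):
    """Monthly VAA figures: totals, proportion (%), buckets and share over threshold."""
    total = len(reports)
    outdated = [r for r in reports if r.outdated_software]
    proportion = round(100 * len(outdated) / total, 1) if total else 0.0
    buckets = Counter()
    for r in outdated:
        d = days_patch_public(r)
        if d is not None:            # unmatched reports cannot be aged
            buckets[age_bucket(d)] += 1
    matched = sum(buckets.values())
    over = round(100 * buckets["over 30 days"] / matched) if matched else 0
    return {"total": total, "outdated": len(outdated), "proportion": proportion,
            "buckets": dict(buckets), "pct_over_threshold": over}


# Constructed sample for one month; not VRS data
SAMPLE = [Report(f"R{i}", date(2022, 4, 1 + i), False, None) for i in range(7)] + [
    Report("R7", date(2022, 4, 5), True, date(2022, 1, 10)),   # 85 days public
    Report("R8", date(2022, 4, 12), True, date(2022, 3, 30)),  # 13 days public
    Report("R9", date(2022, 4, 20), True, date(2022, 2, 20)),  # 59 days public
]
```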
This newfound understanding empowered the VRS team to engage in evidence-based discussions with stakeholders about their patch management strategies. By providing data insights, we could advocate for meaningful reductions in the number of vulnerability reports received by the VRS related to government systems.
Conclusions
The journey towards adopting DDC has underscored the significant value of leveraging data for evidence-based security decisions. The collaboration between the VRS and the DCMA team exemplifies how data-driven insights can guide decision-making. Organizations must understand that embracing DDC does not necessitate a full systems overhaul, but rather the capacity to focus on deriving small yet actionable insights that can influence behaviors and governance.
Joshua L
Data Scientist, NCSC
Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/blog-post/data-driven-cyber-empowering-security-focused-insights