Page 400 - Kaleidoscope Academic Conference Proceedings 2024
2024 ITU Kaleidoscope Academic Conference
knowledge, but also provide the capability to infer and deduce new insights from the knowledge set. This need for convergence forms the primary motivation to work upon a solution that can comprehensively present vulnerability intelligence in a consistent format. However, the information overload and the eventual data explosion from multiple vulnerability databases pose challenges for organizations when attempting to make informed decisions. Any manual effort in aggregation or categorization only delays and introduces errors in the presentation of pertinent information. This presents the need for a solution that can distill and prioritize them specific to an individual development ecosystem. Furthermore, as mentioned earlier, the field of forensic analysis can gain significant advantages from a vulnerability intelligence platform that can aid in the analysis of attack scenarios. It is yet another crucial motivation to develop a platform that is advantageous in a multi-disciplinary fashion.

4.9   Contemporary Approaches for Vulnerability Intelligence

Traditionally, vulnerability intelligence platforms may aggregate data from many sources without adding any context to the information. Such extensive information without any added context or distillation may prove extremely overwhelming and burdensome when attempting vulnerability analysis or gathering vulnerability intelligence. In such scenarios, threat intelligence platforms often configure their intelligence from only the highest-rated vulnerabilities [11]; while this approach is more focused if the aggregation context is in alignment with the needs of the organization, the strategy may eventually cause loss of valuable vulnerability information for a context different from the one presumed. Furthermore, while monitoring selective feeds individually may initially appear to address the issue of information overload, this method ultimately falls short in providing a comprehensive view and can potentially result in the inefficient expenditure of both effort and time.

The current approaches for fetching vulnerability intelligence are in line with one of the following three methodologies:

•   Building an Application Programming Interface (API) to serve relevant vulnerability lists. APIs provide real-time access to the data, and the search parameters provide significant flexibility to retrieve pertinent data. The search parameters can range from date ranges and specific keywords to a specific vulnerability identifier. The results are in the form of the individual standardized schemas supported by the chosen repository and vary from source to source. The information overload is still predominant here, as the formats may be too complex to parse easily via scripts. APIs, when provided free of cost, often have a rate limit or access limit associated with their use. However, they serve as the common data feeds for most vulnerability intelligence products since they are more flexible and usually offer a rich dataset. Examples include the NVD APIs.

•   Providing a complete downloadable repository of the compiled data in a suitable format. These formats are often CSV, HTML, JSON or XML, and they ensure that the entire data set is directly accessible for processing as per one's requirements and does not depend on constant network connections. However, this also requires constantly ensuring that the downloaded version is up to date, and requires preprocessing every time a new downloadable version of the repository is available. Examples include MITRE's CVE list.

•   Providing vulnerability data feeds for consumption at regular intervals. This mode requires a regular connection with the data feeds and periodically updating the vulnerability data mirrored from the main repository through the available options. However, the cyber security practitioner community has often deemed APIs a significantly better option than data feeds when web-based automation is in consideration [12]. Examples include the Kaspersky open-source software threats data feed and several data feeds provided by NVD.

4.10  Related Works

Vulnerability scanners work in close relation with vulnerability databases for vulnerability management and hence often become synonymous. Tools like Greenbone Networks' OpenVAS and Tenable's Nessus work with customized CVEs [13], many of which are indexed from NVD. However, these vulnerability databases stay as a proprietary feed for the tools themselves and cannot be aggregated with other sources. NVD and OSV are the two prominent databases that allow for open-source collaboration through their feeds and data buckets. However, both work with different schemas to represent information.

4.11  Limitations

While all approaches available for building vulnerability intelligence involve preprocessing of the aggregated data in order to derive pertinent insights, the mode of collecting and persisting the vulnerability data plays an important role in the efficiency of the vulnerability intelligence product. Most contemporary products in the vendor market build their vulnerability intelligence from one or more common vulnerability repositories, processing them according to their design and updating them over the network from time to time. This processing is often kept proprietary and, apart from a mention of the names of the vulnerability databases used, mostly CVE, everything is opaque to the user. On the other hand, open-source products or tools are often very simplistic and pre-customized with much less flexibility. They define their own limitations, depending on the resources available to them, and may not suffice for organizations which intend to build comprehensive vulnerability intelligence. Even official vulnerability scanners such as the OSV scanner, which builds upon the OSV database itself [5], produce output in simple text format that requires further codebase processing and development to produce visual dashboard-level insights. This extra effort is mostly provided by proprietary solutions and has the added financial cost of licenses.
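The schema mismatch noted in sections 4.9 and 4.10 (NVD and OSV describe the same vulnerability in different structures) is the concrete obstacle to a consistent format. The following is an added example, not code from the paper: it maps a constructed NVD API 2.0 style record and a constructed OSV style record onto one minimal common schema and merges them on the CVE identifier (OSV carries it in `aliases`). The field layout of the two inputs follows the public schemas as understood by the author of this example; the CVE number, package name and dates are constructed placeholders.

```python
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample records (placeholder CVE id, package and dates).
# Layout mirrors the NVD API 2.0 and OSV JSON schemas as this example assumes them.
NVD_SAMPLE = json.loads("""{"vulnerabilities":[{"cve":{"id":"CVE-2099-0001",
 "published":"2099-01-02T10:00:00.000","descriptions":[{"lang":"en",
 "value":"Constructed NVD-style description."}],
 "metrics":{"cvssMetricV31":[{"cvssData":{"baseScore":7.5}}]}}}]}""")
OSV_SAMPLE = json.loads("""{"id":"GHSA-xxxx-yyyy-zzzz","aliases":["CVE-2099-0001"],
 "published":"2099-01-03T00:00:00Z","summary":"Constructed OSV-style summary.",
 "affected":[{"package":{"ecosystem":"PyPI","name":"examplepkg"}}]}""")


@dataclass
class VulnRecord:
    """Minimal consistent schema shared by every source."""
    cve_id: str
    published: str
    description: str
    cvss: Optional[float] = None
    packages: list = field(default_factory=list)   # "ecosystem:name" strings
    sources: list = field(default_factory=list)    # which databases contributed


def from_nvd(doc: dict) -> list:
    out = []
    for item in doc.get("vulnerabilities", []):
        cve = item["cve"]
        desc = next((d["value"] for d in cve.get("descriptions", []) if d.get("lang") == "en"), "")
        metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
        score = metrics[0]["cvssData"]["baseScore"] if metrics else None
        out.append(VulnRecord(cve["id"], cve.get("published", ""), desc, score, [], ["NVD"]))
    return out


def from_osv(doc: dict) -> list:
    # OSV ids are ecosystem-specific (GHSA-, PYSEC-, ...); the CVE alias is the join key,
    # falling back to the OSV id when no CVE alias exists.
    cve_ids = [a for a in doc.get("aliases", []) if a.startswith("CVE-")] or [doc["id"]]
    pkgs = [f'{a["package"]["ecosystem"]}:{a["package"]["name"]}'
            for a in doc.get("affected", []) if "package" in a]
    return [VulnRecord(c, doc.get("published", ""), doc.get("summary", ""), None, pkgs, ["OSV"])
            for c in cve_ids]


def merge(records: list) -> dict:
    """Collapse records describing the same CVE into one, keeping every source and package."""
    merged = {}
    for r in records:
        m = merged.setdefault(r.cve_id, r)
        if m is r:
            continue
        m.cvss = m.cvss if m.cvss is not None else r.cvss   # first score wins
        m.description = m.description or r.description
        m.packages = sorted(set(m.packages) | set(r.packages))
        m.sources = sorted(set(m.sources) | set(r.sources))
    return merged
```

Running `merge(from_nvd(NVD_SAMPLE) + from_osv(OSV_SAMPLE))` yields a single record for the placeholder CVE carrying NVD's CVSS score together with OSV's affected package, which is the consistent view the paper argues for.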
                                                          – 356 –