The Quantification and Analysis of Cyber-Security Operations Center Vulnerability Data

Posted on: 2018-12-16
Degree: Ph.D
Type: Thesis
University: Dartmouth College
Candidate: Farris, Katheryn A
Full Text: PDF
GTID: 2448390002999551
Subject: Engineering
Abstract/Summary:
Computer security vulnerabilities span large enterprise networks and must be routinely mitigated by security engineers. Presently, security engineers assess their "risk posture" by counting the vulnerabilities with a high Common Vulnerability Scoring System (CVSS) score. There are, however, overlooked factors such as vulnerability persistence, survival rates, and vulnerability age. Current assessment tools also do not consider whether the host service is mission critical, or account for the total personnel-hours available for a structured vulnerability response program. Indeed, vulnerabilities tend to be addressed in an ad-hoc manner. This thesis addresses these problems by using over a year of real vulnerability data collected from a Cyber-Security Operations Center (CSOC) and then developing and experimenting with the following methods of analysis on the data.

A vulnerability data parsing process is presented, and an in-depth univariate and bivariate analysis is performed on the vulnerability arrival and deletion processes. A determination is made of which distributions best characterize the arrival and deletion processes. Then, the dependencies between vulnerability arrivals and deletions are quantified and visualized through a bivariate scatterplot and statistical observations. Next, a novel approach is developed to quantify the length of time a vulnerability persists on the network and its time-to-remediation. Investigations are then made into which features predict shorter vulnerability survival: vulnerability severity level, whether or not the vulnerability appeared on a mission-critical service, vulnerability age, and the operating system type on which the vulnerability appeared.

Finally, a novel mathematical model called VULCON (VULnerability CONtrol) is described and defined. It aims to achieve more effective vulnerability management strategies based on two fundamental performance metrics: (i) Time-to-Vulnerability Remediation (TVR) and (ii) Total Vulnerability Exposure (TVE). VULCON takes as input real vulnerability scan reports, metadata about the discovered vulnerabilities, asset criticality, and personnel resources. It uses a mixed-integer multi-objective optimization algorithm to prioritize vulnerabilities for patching, such that the above performance metrics are optimized subject to the given resource constraints. Results indicate a sharp improvement in the overall TVE score and reduced vulnerability persistence, average age, and severity levels compared to the baseline performance. Additionally, this thesis demonstrates how VULCON can determine the monthly resources required to maintain a target TVE score.

As such, the combination of the data parsing process, exploratory analysis, survival probability estimates, Cox proportional hazards regression model, and VULCON provides valuable operational guidance for structuring CSOC vulnerability response programs.
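How persistence and time-to-remediation can be recovered from a sequence of scan reports and turned into a survival estimate, as an added example that is not code from the thesis: the snapshot format, the host names, the vulnerability identifiers V1 to V4 and the scan dates are constructed sample input, and the estimator is the standard Kaplan-Meier product-limit estimate (with still-present vulnerabilities treated as right-censored), not the thesis's own implementation. The per-feature split at the end is the starting point for the kind of question the abstract raises, namely whether severity, criticality, age or platform predicts shorter survival.

```python
"""Vulnerability persistence and survival from periodic scan snapshots.

Added illustration, not code from the thesis: the snapshot layout, the
identifiers (V1..V4, db01, web01, web02) and the scan dates are constructed
here as sample input.
"""
from datetime import date
from typing import Dict, List, Tuple

# One entry per scan: (scan date, findings as (host, vulnerability id, severity)).
# Constructed sample: five weekly scans of a three-host network.
SCANS: List[Tuple[date, List[Tuple[str, str, str]]]] = [
    (date(2024, 1, 1),  [("db01", "V1", "High"), ("web01", "V2", "Medium"),
                         ("web02", "V2", "Medium")]),
    (date(2024, 1, 8),  [("db01", "V1", "High"), ("web01", "V2", "Medium"),
                         ("web02", "V2", "Medium"), ("web01", "V3", "Low")]),
    (date(2024, 1, 15), [("db01", "V1", "High"), ("web02", "V2", "Medium"),
                         ("web01", "V3", "Low")]),
    (date(2024, 1, 22), [("web02", "V2", "Medium"), ("web01", "V3", "Low")]),
    (date(2024, 1, 29), [("web02", "V2", "Medium"), ("web01", "V3", "Low"),
                         ("db01", "V4", "High")]),
]


def vulnerability_instances(scans):
    """Emit one record per contiguous run of a (host, vulnerability) pair.

    arrival  = first scan in which the pair is seen
    deletion = first later scan in which it is absent (the remediation event);
               None if it is still present at the last scan, in which case the
               run is right-censored and `days` is the time observed so far.
    A pair that disappears and later reappears starts a new run.
    """
    scans = sorted(scans, key=lambda s: s[0])
    open_runs: Dict[Tuple[str, str], dict] = {}
    records: List[dict] = []
    for scan_date, findings in scans:
        present = {(host, vuln): sev for host, vuln, sev in findings}
        # Close the runs that vanished in this scan.
        for key in list(open_runs):
            if key not in present:
                rec = open_runs.pop(key)
                rec.update(deletion=scan_date, remediated=True,
                           days=(scan_date - rec["arrival"]).days)
                records.append(rec)
        # Open a run for every pair seen for the first time.
        for (host, vuln), sev in present.items():
            if (host, vuln) not in open_runs:
                open_runs[(host, vuln)] = {"host": host, "vuln": vuln,
                                           "severity": sev, "arrival": scan_date}
    last_scan = scans[-1][0]
    for rec in open_runs.values():          # still open: censored at last scan
        rec.update(deletion=None, remediated=False,
                   days=(last_scan - rec["arrival"]).days)
        records.append(rec)
    return records


def kaplan_meier(records):
    """Product-limit estimate of S(t) = P(vulnerability still present after t days).

    At each remediation time t_i, n_i = runs still at risk (observed for at
    least t_i days, censored or not) and d_i = runs remediated at exactly t_i;
    S steps down by the factor (1 - d_i / n_i).  Returns [(t_i, S(t_i)), ...].
    """
    event_times = sorted({r["days"] for r in records if r["remediated"]})
    survival, steps = 1.0, []
    for t in event_times:
        at_risk = sum(1 for r in records if r["days"] >= t)
        events = sum(1 for r in records if r["remediated"] and r["days"] == t)
        survival *= 1.0 - events / at_risk
        steps.append((t, survival))
    return steps


def kaplan_meier_by(records, feature):
    """Separate survival curves per value of a feature (e.g. "severity"), the
    first step toward asking which features predict shorter survival."""
    groups: Dict[str, List[dict]] = {}
    for r in records:
        groups.setdefault(r[feature], []).append(r)
    return {value: kaplan_meier(rs) for value, rs in groups.items()}


if __name__ == "__main__":
    recs = vulnerability_instances(SCANS)
    for r in recs:
        state = "remediated" if r["remediated"] else "censored"
        print(r["host"], r["vuln"], r["severity"], r["days"], state)
    print("overall:", kaplan_meier(recs))
    print("by severity:", kaplan_meier_by(recs, "severity"))
```

Two details matter in practice: a vulnerability that is still present at the last scan must stay in the at-risk set rather than being dropped, otherwise the survival curve is biased toward fast remediation; and the deletion date is the first scan in which the finding is absent, so the measured persistence is quantized to the scan interval.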
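A simplified stand-in for the budgeted prioritization described above, added here as example code and not the VULCON model itself: the exposure weight (severity scaled by age and by asset criticality), the per-vulnerability effort figures and the backlog are assumptions constructed for the example, and the optimizer is an exact 0/1 knapsack over integer personnel-hours, one concrete instance of an integer program with a resource constraint. The last function reuses the optimizer to find the smallest monthly budget that keeps residual exposure at or below a target, the question the abstract says VULCON answers.

```python
"""Budget-constrained patch prioritization and the hours needed to reach a
target exposure.

Added illustration, not the thesis's VULCON model: the exposure weight
(severity x age factor x criticality factor), the per-vulnerability effort
figures and the backlog are all assumptions constructed here.
"""
from typing import List, Optional, Tuple

# Constructed backlog: (id, severity weight, age in days, on mission-critical
# service?, estimated remediation effort in personnel-hours).
BACKLOG: List[Tuple[str, float, int, bool, int]] = [
    ("V1", 10, 30, True, 8),
    ("V2", 7, 60, False, 4),
    ("V3", 4, 90, False, 2),
    ("V4", 10, 5, True, 16),
    ("V5", 7, 20, True, 6),
]


def exposure(severity, age_days, critical):
    """Assumed exposure contribution of one open vulnerability: severity, scaled
    up the longer it has persisted (one extra unit per 30 days) and doubled on
    a mission-critical service."""
    return severity * (1.0 + age_days / 30.0) * (2.0 if critical else 1.0)


def total_exposure(items):
    return sum(exposure(sev, age, crit) for _, sev, age, crit, _ in items)


def choose_patches(items, hours):
    """Exact 0/1 knapsack over integer personnel-hours: the subset of items
    whose combined effort fits in `hours` and removes the most exposure.
    Returns (sorted ids chosen, exposure removed)."""
    n = len(items)
    best = [[0.0] * (hours + 1) for _ in range(n + 1)]   # best[i][b]: first i items, budget b
    for i, (_, sev, age, crit, effort) in enumerate(items, 1):
        gain = exposure(sev, age, crit)
        for b in range(hours + 1):
            best[i][b] = best[i - 1][b]                     # skip item i
            if effort <= b and best[i - 1][b - effort] + gain > best[i][b]:
                best[i][b] = best[i - 1][b - effort] + gain  # take item i
    chosen, b = [], hours
    for i in range(n, 0, -1):                               # backtrack the choices
        if best[i][b] != best[i - 1][b]:
            chosen.append(items[i - 1][0])
            b -= items[i - 1][4]
    return sorted(chosen), best[n][hours]


def hours_for_target(items, target_exposure, max_hours=200) -> Optional[int]:
    """Smallest hour budget whose optimal patch set leaves residual exposure at
    or below `target_exposure`; None if even `max_hours` is not enough."""
    baseline = total_exposure(items)
    for hours in range(max_hours + 1):
        _, removed = choose_patches(items, hours)
        if baseline - removed <= target_exposure:
            return hours
    return None


if __name__ == "__main__":
    print("baseline exposure:", round(total_exposure(BACKLOG), 2))
    ids, removed = choose_patches(BACKLOG, 12)
    print("12 h this month -> patch", ids, "removing", round(removed, 2))
    print("hours to bring exposure to 40 or below:", hours_for_target(BACKLOG, 40.0))
```

The point the example makes is the one the abstract makes: with a fixed hour budget, ranking purely by severity is not optimal. Here V4 has the highest severity and sits on a critical service, yet at 12 hours the optimizer skips it because its 16-hour effort cannot fit, and the same machinery, run over increasing budgets, gives the staffing needed for a target exposure level.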
Keywords/Search Tags: Vulnerability, VULCON, Security, Vulnerabilities