Why vulnerability management needs a refresh [Q&A]
Adversaries are exploiting new vulnerabilities much faster than organizations are remediating them. As a result, prioritizing the wrong vulnerabilities will squander security teams' most critical resource -- time.
So, how can organizations prioritize the right threats? We spoke with Anthony Bettini, founder and CEO of VulnCheck, to find out.
BN: Can you give us a sense of where the vulnerability management process stands today?
AB: Sure thing. It's helpful to look back for a little context. In 2018, exploit weaponization of vulnerabilities took just under a year. Security analysts had more time to monitor and react to threats. Fast forward to today, exploit weaponization is down to just eight days. That means the same teams need to act much quicker to avoid breaches and hacks.
The good news for them? Most vulnerabilities are not exploited in the wild. In fact, roughly 2.25 percent of vulnerabilities end up being associated with active attacks or weaponized exploits. Unfortunately, that information isn't readily available to most security teams. And as a deluge of vulnerabilities pours in every month from Patch Tuesday and other vendor updates, most teams are at a disadvantage as they try to solve the prioritization challenge.
BN: Why are security teams at a disadvantage when it comes to information available to them today for vulnerability management?
AB: Teams are at a distinct disadvantage because the threat intelligence available to them from commercial platforms and resources like the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD), MITRE's CVE database, and the Cybersecurity and Infrastructure Security Agency Known Exploited Vulnerability (CISA KEV) catalog is often too slow and lacking context to be relied on. In fact, in the case of vulnerabilities exploited in the wild, vendor advisories, security researchers, and government alerts often pre-date the NIST NVD by 50 days or more.
BN: CVSS scores are what some teams use to prioritize vulnerabilities. Is that helpful?
AB: CVSS is a measure of severity, not risk. A vulnerability management system that heavily relies on CVSS scoring will sometimes prioritize vulnerabilities that are critical in a vacuum but not critical in terms of risk to their organization. Vulnerability management teams are expected to do a lot with very little time, so focusing on the wrong thing can squander a team's most precious resource: time.
An example of this is CVE-2022-36446. NVD lists it as a critical vulnerability (9.8) when it is, in reality, a high, bordering on medium, vulnerability (7.2). The time teams spent remediating CVE-2022-36446 could have been spent remediating a vulnerability that is actually critical with exploits documented in the wild.
BN: So, how should teams be thinking about reshaping vulnerability management?
AB: To help accurately prioritize a vulnerability, organizations need to set up systems that enable them to answer the following questions:
- Does this vulnerability have a public exploit?
- Has this vulnerability been exploited in the wild?
- Is this vulnerability being used by ransomware groups or APTs?
- Is this vulnerability likely to be internet-exposed?
All this information is crucial for determining the criticality of remediating a particular vulnerability, and a CVSS score and report from the NVD answer none of these questions.
Organizations should think about leveraging real-time solutions that use automation to track a culmination of sources to provide threat, exploit and vulnerability intelligence that answers the above questions.
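The following is a small Python model of the four questions in this answer, added here as an illustration and not code from the interview or from VulnCheck: it ranks a constructed vulnerability queue once by CVSS alone and once by the exploitation and exposure signals, with placeholder identifiers and illustrative weights that are assumptions, not a published scoring scheme.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str                 # placeholder identifier (constructed, not a real CVE)
    cvss: float              # severity score from the vendor/NVD record
    public_exploit: bool     # "Does this vulnerability have a public exploit?"
    exploited_itw: bool      # "Has this vulnerability been exploited in the wild?"
    ransomware_or_apt: bool  # "Is it being used by ransomware groups or APTs?"
    internet_exposed: bool   # "Is it likely to be internet-exposed?"


def cvss_rank(vulns):
    """Baseline ordering: severity only, the approach the interview criticises."""
    return [v.cve for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]


def risk_score(v):
    """Risk ordering: the four yes/no answers dominate; CVSS only breaks ties.
    Weights are illustrative assumptions chosen so that any 'yes' outranks any CVSS value."""
    score = 0.0
    if v.exploited_itw:
        score += 40
    if v.ransomware_or_apt:
        score += 30
    if v.public_exploit:
        score += 20
    if v.internet_exposed:
        score += 10
    return score + v.cvss  # CVSS is 0-10, so it never outweighs a threat signal


def risk_rank(vulns):
    return [v.cve for v in sorted(vulns, key=risk_score, reverse=True)]


# Constructed sample queue; every field below is made up for the example.
SAMPLE = [
    Vuln("CVE-XXXX-0001", 9.8, False, False, False, False),  # critical "in a vacuum" only
    Vuln("CVE-XXXX-0002", 7.2, True, True, True, True),      # high, but weaponised and exposed
    Vuln("CVE-XXXX-0003", 8.1, True, False, False, True),    # public PoC, edge-facing, no ITW use
    Vuln("CVE-XXXX-0004", 5.3, False, True, False, False),   # medium score, exploited in the wild
]

if __name__ == "__main__":
    print("CVSS-only order:", cvss_rank(SAMPLE))   # 0001 first, 0004 last
    print("Risk-based order:", risk_rank(SAMPLE))  # 0002 first, 0001 last
```

The 9.8 entry that nobody is exploiting drops from first to last once the four questions are answered, which is the reprioritisation the interview describes.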
BN: If you're talking about known threats, why can't teams get this information from public resources like the CISA KEV?
AB: The CISA KEV is undoubtedly a helpful and driving force in our industry, being branded as an authoritative catalog for vulnerabilities for many organizations, including the US federal civilian executive branch and private companies.
However, after a year-long analysis of the CISA KEV, we found that it was missing major vulnerabilities. Our research showed 42 actively exploited vulnerabilities assigned CVEs in 2022 that have not been added to the CISA KEV.
As long as it's missing actively exploited vulnerabilities, it cannot be treated as the only source of exploited vulnerabilities. Excluding any exploited-in-the-wild vulnerability is problematic with potentially far-reaching effects. Our research underscores the need to seek out additional sources or information from new resources and software with a more comprehensive dataset.