The NIST/NVD situation and vulnerability management programs
In the infosec world we continually preach about “defense in depth,” or layered security. The idea is that if a defensive measure at one layer fails, there are additional layers behind it that serve as a safety net. An interesting application of these concepts comes in examining the data feeds that provide information to our security tools. If one of the feeds goes down, will our security tooling continue to work as expected?
This recently came to light when the National Institute of Standards and Technology (NIST) announced that it cannot keep up with the number of software bugs being submitted to the National Vulnerability Database (NVD). According to NIST itself, it has only analyzed roughly one-third of the Common Vulnerabilities and Exposures (CVEs) submitted this year. Since many organizations rely on NVD information in their vulnerability management programs, this is distressing news. For organizations in this situation, the question then becomes: How do we minimize the impact of the NIST backlog?
Making Vulnerability Management Redundant
The answer to this question lies in redundancy. According to NIST, the NVD only includes vulnerabilities that have been published on the CVE list, and it ingests the list every hour to keep up to date with the changing threat landscape. Historically, the NVD has used the Common Vulnerability Scoring System (CVSS) scoring system to rate the severity of vulnerabilities submitted to the CVE system. These scores are used by vulnerability management systems as a part of the risk and severity rankings of a given discovered vulnerability. If the CVSS scores are unavailable, then vulnerability management tools may be unable to compute an accurate severity, which in turn may lead to a decreased fidelity in remediation prioritization.
A key takeaway is that, regardless of whether NIST can keep up with the NVD, it is dangerous to rely solely on one data source. Effective vulnerability management programs must augment other sources of data. One way to do this is by confirming and testing vulnerability scanning tooling to ensure it has additional feeds and scoring capabilities for a minimal impact. For example, Tenable, Qualys and Rapid7 all use product feeds and have internal teams for scoring and research. This can fortify the use of the NVD and protect against its challenges.
Organizations can consider adding alternative scoring mechanisms to their operations, such as using the Exploit Prediction Scoring System (EPSS) along with alternative sources for CVSS scoring, such as those available from organizations like MITRE. Tracking issue and vulnerability feeds from individual software providers is an additional leading practice that should be incorporated.
The EPSS is maintained by the Forum of Incident Response and Security Teams (FIRST). It is a vulnerability scoring system that estimates the likelihood of a vulnerability being exploited in the wild. EPSS combines CVE and real-world exploit data to provide a threat assessment that practitioners can use to prioritize vulnerabilities. Many vulnerability scanning tools (e.g., Tenable, Qualys, Rapid7) and vulnerability aggregation tools (e.g., Brinqa, Nucleus Security) use EPSS or similar calculations to create a proprietary risk score.
Making Informed Response Decisions
While using NVD, EPSS and product feeds will not provide immunity from gaps in your vulnerability detection and scoring, it will significantly mitigate risk. Having multiple feeds of vulnerability data will provide the additional insights and context required to detect and prioritize threats, so the most dangerous vulnerabilities are responded to first. It will also ensure that vulnerability management programs stay resilient and strong even if one data source experiences challenges. This is the essence of redundancy for which every vulnerability management program should strive.
Image Credit: Tomasz Pacyna / Dreamstime.com
David Alkema is Senior Director of Vulnerability Management and Remediation, Optiv.