Too Many Vulnerabilities, Too Little Time

For environments of any meaningful size, the volume of vulnerabilities exceeds the capacity to address them cost-effectively, and remediation efforts are often disruptive to business operations.

• Research Insights:

  • According to first.org, most organizations manage to fix only 5% to 20% of known vulnerabilities per month.

  • Only a small subset, about 2-7% of all published vulnerabilities, are ever exploited in real-world scenarios.

Efficiency in vulnerability management involves:

• Maximizing the percentage of vulnerabilities remediated that are actually being exploited.

• Minimizing the number of vulnerabilities fixed that never get exploited.

The core issue isn’t the sheer number of vulnerabilities but knowing which ones are meaningful to your specific environment and optimizing remediation efforts accordingly.

CVSS is Not a Risk Rating Methodology

Many organizations rely heavily on the Common Vulnerability Scoring System (CVSS). While CVSS is a standardized framework to rate the severity of security vulnerabilities in software and is commonly used in vulnerability management systems, it has significant limitations:

• Generic Criteria: CVSS scores are based on generic criteria that may not reflect the unique context of your business environment.

• Lack of Context: Even with temporal and environmental metrics, CVSS does not account for:

  • The types of data the system processes.

  • How the software is used.

  • The consequences of a successful attack.

Conclusion: Relying solely on CVSS scores is insufficient for a proper risk assessment, which is essential for driving remediation efficiency.

Measuring Exploitability with EPSS

Focusing on vulnerabilities that are actively being exploited is key to achieving efficiency. However, most organizations lack the capability to assess exploitability on their own. Incorporating the Exploit Prediction Scoring System (EPSS) can bridge this gap:

• What is EPSS?

  • A community-driven effort that combines descriptive information about CVEs with evidence of actual exploitation in-the-wild.

  • Predicts the likelihood of a vulnerability being exploited by malicious actors.

• How EPSS Works:

  • Produces a probability score between 0 and 1 (0% to 100%).

  • A higher score indicates a greater probability of exploitation within the next 30 days.

Benefits of EPSS:

• Provides additional context and intelligence.

• Helps prioritize vulnerabilities based on their likelihood of being exploited.

• Enhances the effectiveness of remediation efforts.

Improving Vulnerability Management Efficiency

Enhancing your risk rating methodology by supplementing CVSS scores with EPSS scores is a significant improvement. Additionally, organizations can implement the following strategies to achieve a more accurate set of vulnerabilities to remediate:

• Usage Matters:

  • Focus on vulnerabilities in artifacts that are actually in use (e.g., software packages, VM images, container images).

• Declutter:

  • Regularly remove old or unused artifacts from storage.

  • Reduces storage costs and prevents accidental use of outdated versions.

• Gauge Exposure:

  • Prioritize vulnerabilities in workloads with broad network exposure.

  • Don’t completely deprioritize issues that are only exposed internally.

• Understand Exploitability:

  • Factor in the likelihood of exploitation using supplemental scoring systems like EPSS.

  • Prioritize vulnerabilities being exploited in the wild.

• Add Context:

  • Consider the purpose and behavior of the environment where the vulnerable software is deployed.

  • Assess whether the software is used in production systems handling sensitive data or in development systems with minimal data.

• Adopt an Efficiency Mindset:

  • Utilize tools, methodologies, and processes that enhance the speed and accuracy of prioritization.

  • Efficient remediation efforts reduce risk, save money, and lower human toil.

Conclusion

While CVSS is widely adopted as the de-facto starting point for vulnerability management, it lacks the necessary context for effective risk calculations, leading to wasted resources on remediating the wrong issues. By adopting an efficiency-focused approach and integrating tools like EPSS, organizations can:

• Direct efforts towards vulnerabilities that matter most in their specific environments.

• Maximize the positive impact on their risk posture.

• Navigate the complexities of vulnerability management with greater precision and effectiveness.

References:

1. CVSS Struggles in Cloud-Native Computing

2. Why Common Vulnerability Scoring Systems Suck

3. SEI Insights on CVSS

4. EPSS Model by FIRST

Editor's Note: This blog was originally published on October 25, 2023, and has been updated for accuracy and completeness.