We all know the importance of vulnerability management in cyber-security. The pace with which the vulnerabilities are rising and their patches overwhelmed enterprises to deal with every loophole. Hence, enterprises tend to focus on flaws with high severity.
Many enterprises use a common vulnerability scoring system to prioritize the vulnerabilities. But the purpose of CVSS was not for prioritization. Instead, it was designed to give a sense of the severity of any vulnerability. When enterprises discovered many vulnerabilities, they needed prioritization. At that time, CVSS was the only way they could deal with huge pile of vulnerabilities. Hence, this method started falling apart because it was not meant for prioritization.
Why is CVSS falling apart?
Enterprises use CVSS for prioritizing vulnerabilities. This framework helps to evaluate the damage caused by the exploited vulnerability. These scores are assigned for vulnerabilities already in the National Vulnerability Database (NVD).
CVSS scores are assigned in no time. However, in some cases, it takes years to evaluate. For instance, In 2019, NVD included CVEs for 2,218 vulnerabilities that had yet to receive CVSS scores. Later, half of the vulnerabilities were assigned with CVSS scores within a day, while others took around 18 years to receive their scores.
Moreover, when CVSS scores are assigned, they are not regularly updated. Meaning, the scores assigned cannot correlate with the current probability of its exploitation. For instance, the NVD included CVE-2018-20250 vulnerability with a CVSS score of 6.8. It was a moderate severity level, yet it was the most exploited vulnerability in 2019 with a CVSS score of 10. Any enterprise relying solely on CVSS scores is at risk of being targeted by cyberattacks.
In addition to this, CVSS does not analyze the current threat landscape. Static CVSS scores will affect changing threat landscape. More precisely, if the initial CVSS score of vulnerability is 5.0, it will remain the same even after being exploited days later. Enterprises ignore even the low CVSS score, considering scores only above 7. It will lead to missing out on most critical vulnerabilities, posing a massive threat to the enterprises.
CVSS is failing because it builds a false sense of security in enterprises. Also, CVSS is considered an outdated way for prioritization. Hence, you need to evaluate and re-evaluate continuous vulnerabilities if you want effective prioritization. Also, you require comprehensive and real-time cyber threat intelligence to prioritize vulnerabilities beyond CVSS.
Risk-based Vulnerability management- An alternative along with CVSS
Risk-based vulnerability management assesses the exact risk levels, prioritizes the vulnerabilities, and mitigates them to reduce the probability of exploitation. According to Gartner’s analysis, enterprises using RBVM will suffer 80 per cent fewer breaches. To know about the need for RBVM and how to calculate risk levels of vulnerabilities, follow this link.
Now, let us understand how to hit the bullseye when choosing a risk-based vulnerability management tool.
When the exact risk levels are determined, the decision-making process on mitigation is also faster. The ideal risk-based vulnerability management tool is an all-rounder in all crucial functions. Multiple factors chip in to make it suitable for fighting risks in today’s environment. The main characteristics are:
Size of the vulnerability database
The effectiveness of a scanner lies in how many publicly disclosed flaws it can detect. If it does not have enough vulnerabilities in its database of research intelligence, you are in a situation of being attacked. A few security checks fail to identify all vulnerabilities and give you a false sense of security. Adding to this, CVEs are misleading and do not account for all the database vulnerabilities. It is good to opt for a large and comprehensive database with sufficient vulnerability details to overcome this. Hence, the vulnerability database should support all vulnerabilities irrespective of CVE data. Further, for a scanning tool to grab all the vulnerabilities, it needs to read from a large vulnerability database with research intelligence for almost all vulnerabilities disclosed until today.
Wide asset coverage
Some scanners support only one or a few platforms like Windows or Linux. To implement vulnerability scanners for all your devices, you will be forced to configure and maintain many other open-source scanners for your heterogeneous environment. You might think you are saving costs, but you lose a lot of time and resources to make upgrades and maintain custom code. Invest in a proper scanner that covers all your core assets (desktops, laptops, servers) in all the core platforms you use.
Advanced, customizable scanning techniques
Vulnerability scans should be under your control at all times. The bandwidth should be configurable along with the scope and asset groups of the scan. Advanced scanning techniques such as continuous vulnerability scans monitor your devices constantly for any signs of new vulnerabilities and report them to you immediately.
Automatic, predictive prioritization
The scanner should be smart enough to prioritize vulnerabilities for you. Also, not leave you with buttons and switches to manually mark priority levels and confuse your team even more. Prioritization based on exploit activity, availability, age, leverage to ransomware should be a default feature.
Integrated remediation controls
The point of scanning and prioritizing vulnerabilities is to mitigate them and run operations safely. Patching is the remediation measure to mitigate vulnerabilities. A vulnerability scanning and assessment tool should have integrated patching controls. The security industry should look at vulnerability management and patching as one integrated process. Having both in the same tool leads to smarter and faster remediation.
Handy and practical reporting
Since vulnerability scanning and assessment are security measures, security teams need to collaborate and demonstrate their goals to top management and between themselves. They are also a compliance requirement that requires security teams to generate reports for audits. Having easy and simple reporting features goes a long way to help security teams. Readily downloadable or e-mailable PDFs/CSVs and customizable report views add to the practicality of the tool.
The SanerNow’s way of prioritizing vulnerabilities
With SecPod SanerNow, you can smartly manage a huge pile of vulnerabilities by prioritizing them beyond CVSS.