CISO's Dilemma: Why Focusing on High and Critical CVSS Is an Inefficient Effort for their team
2023-10-23
"Picture this – you're the CISO, the guardian of your organisation's digital fortress, the Head of Cyber Security. Your days are a relentless struggle to keep up with the ever-mounting threats. Your Senior Security Manager, a dedicated but overwhelmed individual, approaches you one day with a heavy burden to bear.
"In addition to the 25+ security tools that my team manages," they confess, "we've combed through our sprawling digital landscape. Across 179 applications, 10,000+ endpoints, 1,000+ servers, and 400 databases, we've unearthed a staggering 7,000 vulnerabilities. Despite our diligent, periodic technical vulnerability mitigation approach, we're faced with an impossible question: How should we optimally prioritise our efforts to ward off the looming cyber threats, especially when our resources are painfully limited?"
As the ultimate authority, you're tempted to utter the industry-worn advice: "Focus on Medium and High vulnerabilities based on the CVSS score." After all, the Common Vulnerability Scoring System (CVSS) has been the trusty lighthouse guiding your ship since 2005.
But hold on a moment. The CVSS, once a beacon in the storm, now feels somewhat outdated in this ever-shifting threat landscape. For the uninitiated, CVSS scores range from 0 to 10, with higher scores indicating more severe vulnerabilities, neatly categorised as Low, Medium, High, and Critical.
However, in today's cybersecurity arena, the CVSS seems to play a cruel joke. a) Over 60% of vulnerabilities in the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) wear the High or Critical badge. With such a deluge, it's impossible to distinguish the truly menacing from the mere shadows.
b) For instance, consider CVE-2017-0144, which inflicted a colossal $10 billion in ransomware damages worldwide. It bears a CVSS v2 rating of 9.3 and a CVSS v3 rating of 8.1. Yet, other vulnerabilities boasting a perfect CVSS 10 haven't seen a single exploitation. The enigma deepens.
c) Is it wiser to tackle 150 High CVEs, or perhaps prioritise 2 Critical ones? What if a seemingly harmless Low CVE teams up with a Medium sibling to create a disaster scenario?
For instance, imagine 10,000 instances of CVE-2017-8283 in Ubuntu VMs versus one instance of CVE-2021-44228, aka Log4Shell, in a Java-based web application. The first seems daunting, and because it touches the most assets your team would be tempted to address it first; but following that path drags them into a massive scope of work that becomes a rabbit hole, since this vulnerability cannot be exploited if Ubuntu in your organisation has been purposefully modified. The second affects only one web server holding critical data, yet if exploited it can bring your entire enterprise to its knees and put an end to the business.
d) Even if you diligently patch all the High and Critical vulnerabilities per CVSS, 18% of vulnerabilities with known exploits remain unaddressed. CVSS, once the guiding star, now feels insufficient to navigate the storm of new vulnerabilities flooding the NVD.
As a CISO, it's time to seek alternatives. Ask your vulnerability assessment report provider to go beyond CVSS scores and attach the following metrics to each vulnerability highlighted:
a) Known Exploited Vulnerabilities (KEV). In November 2021, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) introduced a new category: Known Exploited Vulnerabilities (KEV). CVEs with verified "active exploitation or attempted exploitation" are flagged in this catalog to guide enterprises in their mitigation efforts.
b) The Exploit Prediction Scoring System (EPSS), published by FIRST in 2019, offers another promising path. It analyses over 6 million observed exploitation attempts, incorporating data from threat intelligence providers, CISA's KEV catalog, and various vulnerability characteristics.
The results are nothing short of astonishing. If you cling to the old "fix all high and critical" strategy, you'll be drowning in the sheer volume. But adopting EPSS with a modest threshold can reduce your workload by 87.5%, freeing your overburdened staff. Let me prove this to you.
The EPSS score takes the following into account:
a) Detected exploitation activity in the wild, reported by reputed security vendors
b) Public mentions of exploitation, such as the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog, Google's Project Zero, and Trend Micro's Zero Day Initiative (ZDI)
c) Publicly available exploit code, found by querying GitHub, Exploit-DB and Metasploit
d) Open source security tools intelligence
e) Social media mentions
f) References with labels
g) Keyword description of the vulnerability
h) Common Weakness Enumeration (CWE)
i) Vendor labels
j) Age of the vulnerability
Its output is a number from 0 to 1 for every published CVE, indicating the likelihood of exploitation in the next 30 days. The score updates daily as new data emerges.
The results are impressive, to say the least. Using a traditional "fix all High and Critical" (per CVSS) strategy, you would need to patch the majority of known issues (because most are High or Critical). In doing so, you will fix ~82% of CVEs ever exploited (per the EPSS data set, not the KEV data set).
Compare that approach to using the EPSS v3 with a threshold score of 0.088 (remediating all issues that score higher than this rating). To achieve roughly the same outcome with EPSS, you will only need to resolve 7.3% of all known CVEs.
This is only ~12.5% of the fraction necessary when using CVSS.
Now imagine that with this approach you have increased the efficiency of effort by 100 - 12.5 = 87.5% for your overworked staff, who are already managing umpteen security tools and a thousand other security issues for your organisation. They will thank you for being their saviour.
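As an added example (not code from the article), a Python sketch of the triage rule this section argues for: KEV entries first, then anything above the 0.088 EPSS threshold, with the rest held in a CVSS-ordered backlog, plus a side-by-side count of what each strategy sends to the team. `Vuln`, `prioritise`, `workload`, the placeholder CVE ids and every score in the sample are constructed for illustration, not real published figures.

```python
"""Tiered prioritisation: CISA KEV first, then EPSS above a threshold, then CVSS.
Every score in the sample below is constructed for illustration, not a real figure."""
from dataclasses import dataclass

EPSS_THRESHOLD = 0.088  # the EPSS v3 cut-off used in the article's comparison

@dataclass
class Vuln:
    cve: str
    cvss: float         # CVSS v3 base score (constructed)
    epss: float         # EPSS 30-day exploitation probability (constructed)
    in_kev: bool        # listed in CISA's Known Exploited Vulnerabilities catalog
    instances: int = 1  # how many assets carry this finding

def cvss_band(score):
    """Map a CVSS v3 base score to its qualitative severity band."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    return "Medium" if score >= 4.0 else "Low"

def by_likelihood(v):
    return (-v.epss, -v.cvss)  # most likely to be exploited first, CVSS as tie-break

def prioritise(vulns, threshold=EPSS_THRESHOLD):
    """Return (fix_now, fix_next, defer) tiers: KEV entries first, then findings
    with EPSS >= threshold, then the rest ordered by CVSS so nothing is dropped."""
    fix_now = sorted((v for v in vulns if v.in_kev), key=by_likelihood)
    fix_next = sorted((v for v in vulns if not v.in_kev and v.epss >= threshold),
                      key=by_likelihood)
    defer = sorted((v for v in vulns if not v.in_kev and v.epss < threshold),
                   key=lambda v: -v.cvss)
    return fix_now, fix_next, defer

def workload(vulns, threshold=EPSS_THRESHOLD):
    """Distinct CVEs each strategy sends to the team: (CVSS High/Critical, KEV or EPSS)."""
    cvss_only = sum(1 for v in vulns if cvss_band(v.cvss) in ("High", "Critical"))
    kev_or_epss = sum(1 for v in vulns if v.in_kev or v.epss >= threshold)
    return cvss_only, kev_or_epss

# Constructed sample: two CVEs named in the article plus placeholder ids.
SAMPLE = [
    Vuln("CVE-2021-44228", 10.0, 0.97, True, 1),     # Log4Shell, one web server
    Vuln("CVE-2017-8283", 9.8, 0.01, False, 10000),  # the Ubuntu VM example
    Vuln("CVE-0000-1001", 9.1, 0.02, False, 40),
    Vuln("CVE-0000-1002", 7.5, 0.30, False, 3),
    Vuln("CVE-0000-1003", 5.3, 0.12, False, 7),
    Vuln("CVE-0000-1004", 7.2, 0.004, False, 250),
]
```

Running `prioritise(SAMPLE)` puts the single Log4Shell instance at the top and the 10,000-instance Ubuntu finding in the deferred backlog, while `workload(SAMPLE)` shows the CVSS-only rule queuing 5 CVEs against 3 for KEV plus EPSS.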
To make it even more precise, some vendors offer reachability analysis. They can identify which vulnerabilities, while theoretically reachable, are challenging to exploit due to various reasons. Conversely, they uncover the lurking threats that are deceptively simple to exploit.
Imagine this new approach, where you boost your efficiency by 87.5%, empowering your staff to tackle countless other security issues. In conclusion, focusing solely on CVSS High and Critical may no longer suffice in the age of information warfare. Are you ready to explore this new frontier in vulnerability management?" The best part: EPSS scores and the CISA KEV catalog are free resources available to all organisations.