We're seeing an interesting phenomenon: people want a simple, one-size-fits-all formula for prioritizing vulnerabilities, and there isn't one. Understanding the "why" is key to understanding the "what": what teams have to do about it, and whether your organization will get the hang of properly prioritizing what needs to be addressed.
When you understand that, you'll also know why paid, private-source vulnerability intelligence is just selling you what you already have.
The CVSS Score: Why It Went So Wrong
Too many people are still groping in the dark for a patching strategy and relying solely on factors like the CVSS score.
When CVSS came out, it was great. For the first time, information security teams had a standardized severity rating that refined the traditional low, medium, and high buckets. It told us how severe a vulnerability was using a consistent set of metrics, independent of who was doing the assessing, which let us factor severity into our remediation decisions.
However, in the early 2010s you had a lot of customers saying, "We need CVSS scores. We need to be able to prioritize based on them." But that was never what the score was for: it was meant to inform an already educated opinion, not replace it. The base score that scanners and NVD publish knows nothing about your business logic or your environment (CVSS has an Environmental metric group for exactly that, but the base score is what gets quoted and acted on), and in particular it knows nothing about an attacker's intent.
CVSS scores lead to too many knee-jerk reactions to patch immediately; instead, prioritize your fixes by exposure and evidence of exploitation rather than by severity alone. Ask whether the vulnerable service is even reachable from the public internet and whether there is any evidence of active exploitation in the wild. CVSS doesn't answer these questions. Your asset inventory and threat intel should.
And that has evolved, or devolved, into the misconceptions surrounding vulnerability management today.
Prioritizing Patches: The Low Maturity to High Maturity Way
Organizations with low security maturity rely solely on CVSS scores. The next step up is to bring in EPSS (the Exploit Prediction Scoring System), which estimates the probability that a vulnerability will be exploited in the wild; it should be part of the mix. Then combine that with CISA's KEV (Known Exploited Vulnerabilities) catalog, public write-ups and proof-of-concept code, and whether an exploit has landed in a public exploit framework.
Most importantly, understand what your company's crown jewels are, where they are, and which vulnerabilities present the most risk to them.
As much as we all want an algorithm to define our risks, identify our threats, and tell us what to do, it's more nuanced and more organization-specific than any single algorithm can provide. This is where and why you sit down with your board, finance team, and other stakeholders to learn what is business critical. Those discoveries inform your strategy, which combines all of the available vulnerability management data with what you learned from the business.
The result is a holistic understanding of the business's priorities, and of what yours should be in terms of mitigation and remediation. This becomes a list of priorities that does not simply follow CVSS order.
Understanding and balancing business imperatives with security demands is the art of vulnerability management, and it is where vulnerability intelligence, a component of threat intelligence, comes in.
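To make the combination concrete, here is an added example (not code from the original post or from Fortra) of a small prioritization model that merges the public signals named above (CVSS base score, EPSS probability, KEV membership) with the two things only your own organization can supply: internet exposure from the asset inventory and crown-jewel status from the stakeholder conversation. All assets, findings, scores and the tier thresholds (EPSS 0.10, CVSS 7.0 and 9.0) are constructed for illustration and are assumptions, not values from the article; the vulnerability identifiers are placeholders, not real CVEs.

```python
"""Added example: rank findings by exposure and exploitation evidence, not
CVSS alone. All data and thresholds below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool   # from your asset inventory / external scan
    crown_jewel: bool       # from the conversation with the business


@dataclass(frozen=True)
class Finding:
    vuln_id: str            # placeholder id, constructed; not a real CVE
    asset: str
    cvss_base: float        # 0.0-10.0, from the scanner / NVD
    epss: float             # 0.0-1.0, EPSS probability of exploitation activity
    in_kev: bool            # listed in CISA's Known Exploited Vulnerabilities catalog


# Remediation tiers, most urgent first. The label is what goes on the ticket.
TIERS = ["fix now", "this sprint", "scheduled", "backlog"]

# Illustrative thresholds (assumptions, tune for your organization).
EPSS_HOT = 0.10
CVSS_HIGH = 7.0
CVSS_CRITICAL = 9.0


def tier_for(f: Finding, a: Asset) -> str:
    """Decide the remediation tier. Evidence of real-world exploitation (KEV)
    and reachability beat the raw severity number."""
    if f.in_kev and (a.internet_facing or a.crown_jewel):
        return "fix now"        # actively exploited, on a path that matters
    if f.in_kev or (a.internet_facing and f.epss >= EPSS_HOT):
        return "this sprint"    # exploited somewhere, or exposed with a real chance of being hit
    if a.crown_jewel and f.cvss_base >= CVSS_HIGH:
        return "scheduled"      # serious bug on something the business cares about
    if a.internet_facing or f.epss >= EPSS_HOT or f.cvss_base >= CVSS_CRITICAL:
        return "scheduled"      # one signal fired; worth a window, not a fire drill
    return "backlog"


def prioritize(findings, assets):
    """Order findings by tier, then EPSS, then CVSS; attach the reasoning."""
    by_name = {a.name: a for a in assets}
    rows = []
    for f in findings:
        a = by_name[f.asset]
        tier = tier_for(f, a)
        rows.append((TIERS.index(tier), -f.epss, -f.cvss_base, f, a, tier))
    rows.sort(key=lambda r: r[:3])
    return [
        {
            "vuln": f.vuln_id, "asset": a.name, "tier": tier,
            "why": f"kev={f.in_kev} exposed={a.internet_facing} "
                   f"crown_jewel={a.crown_jewel} epss={f.epss:.2f} cvss={f.cvss_base}",
        }
        for _, _, _, f, a, tier in rows
    ]


def ranked_by_cvss(findings):
    """The low-maturity ordering, for contrast: severity number only."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: -f.cvss_base)]


# Constructed sample inventory and findings (illustration only).
ASSETS = [
    Asset("billing-api", internet_facing=True, crown_jewel=True),
    Asset("dev-jenkins", internet_facing=False, crown_jewel=False),
    Asset("hr-db", internet_facing=False, crown_jewel=True),
    Asset("marketing-site", internet_facing=True, crown_jewel=False),
]
FINDINGS = [
    Finding("vuln-1", "dev-jenkins", 9.8, 0.02, False),    # scary number, unreachable, not exploited
    Finding("vuln-2", "billing-api", 7.5, 0.60, True),     # in KEV, on an exposed crown jewel
    Finding("vuln-3", "hr-db", 8.1, 0.01, False),          # high on a crown jewel, internal only
    Finding("vuln-4", "marketing-site", 5.3, 0.35, False), # medium, but exposed and likely to be hit
    Finding("vuln-5", "dev-jenkins", 4.3, 0.01, False),    # nothing fires
    Finding("vuln-6", "hr-db", 6.5, 0.02, True),           # in KEV, on an internal crown jewel
]

if __name__ == "__main__":
    print("CVSS-only order:", ranked_by_cvss(FINDINGS))
    for row in prioritize(FINDINGS, ASSETS):
        print(f"{row['tier']:<12} {row['vuln']:<8} {row['asset']:<15} {row['why']}")
```

On the constructed data, CVSS alone puts the unreachable 9.8 on the build server first and the KEV-listed 7.5 on the exposed billing API third; the combined model puts the two KEV findings on crown jewels at the top, the exposed medium with a high EPSS next, and the 9.8 into a scheduled window. The thresholds are deliberately simple; the point is that the ordering changes once exposure and exploitation evidence are in the key.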
Buying threat intelligence in today's cyber landscape is useful; buying vulnerability intelligence is not. Anyone who says you need to buy it from private sources to really get the jump on the situation is selling fear, uncertainty, and doubt.
The best, industry-standard sources of vulnerability intelligence (CVSS, EPSS, KEV, public advisories and write-ups) are already free, so you should never have to pay for them. A decent vulnerability management platform should already have this intelligence built in. And no external system will be able to tell you what is critical to (and for) your organization.
All these considerations contribute to mature decision making based on real risk to the company, and all of them use vulnerability intelligence you don't have to buy; all you have to do is put it together.
That assembly is essentially what vulnerability intelligence sellers do, so if you're really in a position where time is more valuable than money, go ahead. Just do it with your eyes wide open.
Nothing Beats Experience
The best advice I can give is to consider working with someone who has worked with vulnerabilities day in and day out for ten-plus years.
They will have the best sense of how severe an issue really is, when it needs to be patched, what's at stake, and when public vulnerability intelligence is enough.
Fortra Intelligence and Research Experts
The FIRE team operationalizes threat intelligence to detect, disrupt, and deter adversaries.