The age of AI is no time to be getting behind on alerts. But the old system of prioritizing patches based on CVSS scores alone is outmoded and ineffective.
Fortra brings AI into patch prioritization, enhancing traditional CVSS scoring with ML models that estimate how likely a vulnerability is to be exploited in a real-world scenario, and reordering priorities from there. This lets teams get to first things first.
Here’s the how and why.
How We’re Used to Prioritizing Patches
The Common Vulnerability Scoring System (CVSS) is the tried-and-true method used by nearly all practitioners to provide some order to the vulnerability backlog. A zero stays on the back burner, a ten gets top attention: period.
The problem with that method is that a 10.0 can land on a low-value asset, or on a vulnerability with a very low likelihood of ever being exploited. While it feels good to cross those tens off the list, a closer look often reveals that they were not the most urgent threats after all.
And that’s where additional context comes in, provided by AI – and recommended by NIST.
What NIST Says About It
When it comes to threat prioritization, NIST recommends a risk-based approach that considers a range of critical angles. Their Guide to Enterprise Patch Management Planning (SP 800-40 Rev. 4) advocates for:
Hardening software: applying the principle of least privilege and using managed services instead of self-run software where possible.
Assessing technical and security details: who owns the asset, whether it's managed by endpoint software, its network connectivity, its existing security controls, and more.
Evaluating mission-critical characteristics: the regulations governing how soon its vulnerabilities must be addressed, who is allowed to patch it, and the asset's importance to the business.
They state that “Organizations should utilize their existing low-level metrics to develop enterprise-level metrics that reflect the relative importance of each vulnerability.” The low-level metrics they mentioned included CVSS scores.
In most mature patch management programs, CVSS scores are just one piece of the pie. The rest comes from additional context, which in turn requires additional visibility.
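To make the NIST guidance concrete, here is an added example (not Fortra's model, and not code from NIST) of how the "low-level metric" CVSS becomes an enterprise-level metric once exploitation likelihood, network exposure, compensating controls, asset importance and a patching deadline are applied on top. The weights, the field names, and the four sample findings are constructed assumptions for illustration; in practice the likelihood input would come from an exploit-prediction feed or an internal model, and the asset fields from the CMDB.

```python
"""Risk-based patch prioritization layered on top of CVSS.

Added example, not Fortra's ML model: every weight, field name and sample
finding below is an assumption constructed to illustrate the technique.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str
    cvss_base: float             # CVSS base score, 0.0-10.0, from the advisory/NVD
    exploit_prob: float          # 0.0-1.0 estimated probability of in-the-wild exploitation
    exploit_public: bool         # working exploit code is publicly available
    internet_facing: bool        # reachable from untrusted networks
    asset_criticality: int       # 1 (disposable) .. 5 (mission-critical), set by the owner
    compensating_controls: bool  # e.g. exploit-blocking EDR, WAF rule, network isolation
    days_open: int               # days since the finding was reported to the team
    sla_days: int                # regulatory/contractual deadline for this asset class


def likelihood(f: Finding) -> float:
    """Likelihood weight in [0, 1]; public exploit code sets a floor of 0.5."""
    return max(f.exploit_prob, 0.5) if f.exploit_public else f.exploit_prob


def exposure(f: Finding) -> float:
    """How reachable the vulnerable surface is; controls halve it but never zero it."""
    factor = 1.0 if f.internet_facing else 0.4
    return factor * 0.5 if f.compensating_controls else factor


def priority_score(f: Finding) -> float:
    """Enterprise-level metric: CVSS scaled by likelihood, exposure and impact.

    The 0.2 floor on the likelihood term keeps a real vulnerability from scoring
    zero just because nobody is known to be exploiting it yet.
    """
    impact = f.asset_criticality / 5.0
    return round(f.cvss_base * (0.2 + 0.8 * likelihood(f)) * exposure(f) * impact, 2)


def sla_overdue(f: Finding) -> bool:
    """Regulatory deadlines are a hard constraint, checked separately from risk."""
    return f.days_open > f.sla_days


def cvss_only_order(findings):
    """The 'ten first, zero last' ordering: highest CVSS base score first."""
    return [f.finding_id for f in sorted(findings, key=lambda f: -f.cvss_base)]


def risk_based_order(findings):
    """Overdue findings first, then by descending enterprise-level priority score."""
    ranked = sorted(findings, key=lambda f: (not sla_overdue(f), -priority_score(f)))
    return [f.finding_id for f in ranked]


# Constructed sample backlog (not real CVEs, not real assets).
SAMPLE = [
    Finding("F1-lab-vm",          10.0, 0.02, False, False, 1, True,  10, 90),
    Finding("F2-customer-portal",  7.5, 0.90, True,  True,  5, False,  3,  7),
    Finding("F3-file-server",      9.8, 0.30, True,  False, 4, True,  20, 30),
    Finding("F4-marketing-site",   5.3, 0.10, False, True,  2, False, 12, 30),
]

if __name__ == "__main__":
    print("CVSS-only :", cvss_only_order(SAMPLE))
    print("Risk-based:", risk_based_order(SAMPLE))
    for f in sorted(SAMPLE, key=priority_score, reverse=True):
        print(f"{f.finding_id:20} cvss={f.cvss_base:4} "
              f"score={priority_score(f):5} overdue={sla_overdue(f)}")
```

Run stand-alone, the CVSS-only ordering puts the 10.0 on the isolated lab VM first; the risk-based ordering drops it to last and promotes the 7.5 on the internet-facing, mission-critical portal with public exploit code. The SLA check is kept separate from the score on purpose: a regulatory deadline is a constraint to satisfy, not a factor to trade off against exploitability.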
The Prerequisite: 24/7 Visibility
AI and ML systems can provide valuable context to flat CVSS scores and alerts, corroborating them with additional telemetry and drawing richer conclusions. However, for this kind of threat correlation to occur, these tools require 24/7 visibility into your environment.
Cyber threats don't sleep. AI and ML tools need threat intelligence built from continuous ingestion across every telemetry source, including XDR, EDR, email security, and more. Miss a few hours and you miss critical threat data that could be used to:
Spot suspicious anomalies
Analyze threat patterns in real-time
Correlate seemingly unrelated events
Without these additional data points, teams are left with gaps in their telemetry, creating blind spots for attackers to exploit.
Putting the Nail in the CVSS-Only Coffin
These additional pieces of context are no longer merely nice to have; they are necessary. Public and professional opinion has shifted on CVEs and CVSS scores, with notable publications challenging the value of these traditional metrics.
As cited in The Register, recent academic research argues that “CVEs should not be taken as a proxy for the real-world impact of claimed vulnerabilities.” Daniel Stenberg, creator of the popular command-line tool curl, succinctly concludes, “CVSS is meant to give a base score, and then everyone should apply their own environment and risk judgement on top.”
Turning CVEs and Telemetry into Threat Intelligence
If organizations are going to apply "their own risk judgement on top," then that risk judgement needs to be founded on the whole story. That means keeping CVEs and CVSS scores, enriching them with 24/7 internal telemetry, and using AI-driven solutions to turn the result into usable, actionable threat intelligence.
In other words, turning threat data into threat intelligence. Here’s how Fortra does it.
Fortra enhances traditional CVSS scoring with ML models that assess real-world vulnerability exploitability. Our system ingests CVEs, network configurations, exploit availability, and telemetry to determine exploitation likelihood—prioritizing patches more effectively.
Fortra Managed XDR provides 24/7 visibility across cloud and hybrid environments, allowing for the detection of potential infrastructure misuse before it escalates. Continuous monitoring encompasses the entire attack surface, from IAM policies to network pattern anomalies, abnormal model and data activity, and more.
CVSS scores are an integral part of the puzzle, but without a unifying AI-driven solution like Fortra XDR, they will never offer the multi-point assessment needed to prioritize threats correctly, let alone to patch first things first.