“CISO’s Dilemma: Why Focusing on ‘High and Critical CVSS’ Is an Inefficient Effort for their team”

VAR India – Deepak Sahu
The CISO (Chief Information Security Officer) is faced with the challenge of prioritizing efforts to address numerous vulnerabilities in their organization’s digital infrastructure.
The traditional approach of focusing on vulnerabilities with high and critical CVSS (Common Vulnerability Scoring System) scores is no longer effective due to the overwhelming number of such vulnerabilities and the lack of correlation between CVSS scores and actual exploitation.
Additionally, even if high and critical vulnerabilities are patched, a significant percentage of vulnerabilities with known exploits remain unaddressed.
The CISO is advised to seek alternatives to CVSS and consider additional metrics when assessing vulnerabilities.
One such metric is the Known Exploited Vulnerabilities (KEV) category introduced by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
KEV flags vulnerabilities with active or attempted exploitation.
Another promising approach is the Exploit Prediction Scoring System (EPSS), which analyzes observed exploitation attempts, threat intelligence data, vulnerability characteristics, publicly available exploit code, and more.
Implementing EPSS with a modest threshold score can significantly reduce the workload by identifying vulnerabilities with a higher likelihood of exploitation in the next 30 days.
By using EPSS, only a fraction of known vulnerabilities needs to be resolved compared to the traditional “fix all high and critical” approach based on CVSS scores.
This approach can result in an 87.5% increase in efficiency and allow the security team to focus on other security issues.
Furthermore, vendors may offer reachability analysis, which helps identify vulnerabilities that may be theoretically reachable but challenging to exploit or vulnerabilities that are deceptively simple to exploit.
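The prioritisation described above, written out as a small added example (not code from the article or from any vendor tool): each finding carries a CVSS base score, an EPSS probability and a KEV flag, and the two policies are compared on a constructed inventory. The CVE identifiers, scores and the 0.1 EPSS threshold are all assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str        # placeholder identifier, not a real CVE
    cvss: float     # CVSS base score, 0.0 - 10.0
    epss: float     # EPSS probability of exploitation in the next 30 days, 0.0 - 1.0
    in_kev: bool    # listed in CISA's Known Exploited Vulnerabilities catalog


# Constructed sample inventory; all values are hypothetical.
FINDINGS = [
    Finding("CVE-0000-0001", 9.8, 0.010, False),
    Finding("CVE-0000-0002", 7.5, 0.030, False),
    Finding("CVE-0000-0003", 8.1, 0.450, True),
    Finding("CVE-0000-0004", 5.3, 0.620, True),
    Finding("CVE-0000-0005", 7.2, 0.005, False),
    Finding("CVE-0000-0006", 9.1, 0.120, False),
    Finding("CVE-0000-0007", 4.3, 0.020, False),
    Finding("CVE-0000-0008", 6.5, 0.300, False),
]


def cvss_high_critical(findings):
    """Traditional policy: fix everything with CVSS High (>= 7.0) or Critical."""
    return [f for f in findings if f.cvss >= 7.0]


def epss_or_kev(findings, threshold=0.1):
    """Alternative policy: fix what is in KEV or above a modest EPSS threshold."""
    return [f for f in findings if f.in_kev or f.epss >= threshold]


def prioritize(findings, threshold=0.1):
    """Work queue for the alternative policy: KEV entries first, then by EPSS descending."""
    return sorted(epss_or_kev(findings, threshold), key=lambda f: (not f.in_kev, -f.epss))


def workload_reduction(findings, threshold=0.1):
    """Fraction of the CVSS-based workload that the EPSS/KEV policy removes."""
    base = len(cvss_high_critical(findings))
    alt = len(epss_or_kev(findings, threshold))
    return 1.0 - alt / base if base else 0.0


def kev_missed_by_cvss(findings):
    """Known-exploited findings that a 'High and Critical only' policy would leave unpatched."""
    return [f for f in findings if f.in_kev and f.cvss < 7.0]
```

On this constructed inventory the EPSS/KEV policy queues four findings instead of five and still catches the KEV entry with a Medium CVSS score that the CVSS-only policy skips.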
In conclusion, relying solely on CVSS High and Critical scores may not be sufficient in today’s threat landscape.
Exploring alternatives like EPSS and utilizing resources like CISA’s KEV can improve vulnerability management and allocation of resources.
Link: https://varindia.com/news/cisos-dilemma-why-focusing-on-high-and-critical-cvss-is-an-inefficient-effort-for-their-team