
Why CVSS Just Isn’t Enough

Pandemic Causes Enterprises to Pivot from Common Vulnerability Scoring System (CVSS)

When COVID-19 shook up the world in 2020, in-person buying opportunities evaporated. If “non-essential” organizations were going to sell or provide services, they would need to do so digitally. Across the world, companies that were forced into rapidly expanding their online presence soon found that CVSS wasn’t enough to adequately address the corresponding increase in vulnerabilities.

“As lockdowns became the new normal, businesses and consumers ‘went digital’, providing and purchasing more goods and services online, raising e-commerce’s share of global retail trade from 14% in 2019 to about 17% in 2020.” (COVID-19 and e-commerce: a global review, UNCTAD 2021)

“Either it should be made clear that CVSS reflects severity, not risk, or CVSS must be adjusted to make it reflect risk so users of CVSS can make more informed decisions.” (Towards Improving CVSS, Carnegie Mellon (2021))

Rapid Online Expansion Creates a Hacker’s Paradise

Attack surfaces rapidly expanded before InfoSec teams could implement new processes to keep their cyber-stack secure. Organizations scrambled to increase their online presence, but budgets had already been established for the year. It wasn’t until the following year – when world governments made a push to strengthen cybersecurity processes – that more funds could be allocated.

Pre-Allocated Budget Meant the Vulnerability Management Program Could Not Adapt

With capped annual Vulnerability Management security budgets, many cyber teams got tied to dated and unscalable processes. Expanded APIs, larger attack surfaces, and new vulnerabilities compounded the issue. What emerged was a fundamentally new problem facing the Enterprise’s Vulnerability Management Program.

Answering the Basic Question: Does it Matter?

The question that Cyber FTEs need to answer is simple: what is critical to my organization?

Organizations need to know what a given vulnerability means for their organization specifically. The tool typically used to answer this question is the CVSS standard scoring. Even post-pandemic, many teams across the globe continue to rely on CVSS scoring alone, and therein lies the problem. They’re still not getting an accurate depiction of what is happening in their cyber-stack.

CVSS is Not Enough for an Effective Vulnerability Management Program

Before the creation of CVSS, vendors across the globe used various systems for critical vulnerability management metrics. However, it was almost impossible to find a correlation between the different platforms used.

CVSS was created to solve this problem by establishing a standard risk presumption across organizations that could be tracked uniformly. CVSS scoring is a fantastic tool for assessing generic, non-specific base, temporal and environmental metrics of vulnerability severity.

CVSS’s Fundamental Problem: It’s a Static Scoring System

Organizations need more than a snapshot of their risk posture. Without context, there’s no sure way to understand the specific impact of vulnerabilities.

For example, unpatched vulnerabilities with a CVSS score of 4.0 or higher generally have an unfavourable impact on PCI compliance. However, that same vulnerability won’t pose nearly the same risk to a healthcare organization navigating HIPAA compliance regulations.

So what is the solution? The answer is risk-based data.

Organizations need to know how a vulnerability will affect their particular organization if it’s not remediated or patched promptly. Risk-based data provides context and narrative surrounding vulnerabilities when based on the intricacies of the organization.

Organizational context is a defining factor in:

  • determining what a vulnerability truly means to a company
  • allowing for effective prioritization and optimized workflow for Cyber FTEs
  • ensuring that organizations are focused on what matters.

Taking the First Step Away from CVSS

Accurate risk-based data informing the Vulnerability Management Program is the first step to securing an organization’s cyber-stack. As Gartner puts it:

“Security and risk leaders should tie vulnerability management practices to their organization’s specific needs, not a mythical standard.” (Gartner, How to Set Practical Time Frames to Remedy Security Vulnerabilities, June 23, 2021)

Context is King

CVSS is great at what it does (and solves the problem that it was intended to fix). However, on its own it does not provide the reliable risk-based data that an optimized Vulnerability Management Program requires.

  • Get the most accurate depiction of what is happening within your cyber stack.
  • Find a tool and/or vendor that gives you actionable risk-based data.
  • Ensure that your data alerts provide context, narrative, and a story behind the vulnerabilities that come across your desk.

Good hunting, ladies and gentlemen.

Learn more about leveraging risk-based intelligence for your Vulnerability Management Program.