Please STOP with “fix all high and critical” CVEs.
It's a poor way to manage security risk.
Here's why:
- Only “about 5% of [all CVEs] represent real risk right now for most firms.”
Per Kenna Security (https://bit.ly/3dtHGvh).
- “In practice, most firms…use heuristic strategies to prioritize their remediation efforts; for example, a common approach is to remediate all vulnerabilities above a certain severity score. However, many of the common heuristics used by firms have been found to be sub-optimal…and in some cases, no better than randomly choosing vulnerabilities to remediate.”
According to an interesting study (https://bit.ly/3p02pgo) by Jay Jacobs, Sasha Romanosky, Idris Adjerid, and Wade Baker, PhD.
Similarly:
- The “PCI-DSS [v. 3] mandate requires that vulnerabilities scoring [CVSS] 4+ be patched, which is equivalent to an efficiency of random patching,” according to the same paper.
In the paper's terms, efficiency is the share of what you fix that actually gets exploited; a CVSS 4+ policy fixes nearly everything, so its coverage is high, but its hit rate is no better than picking findings at random. Frankly, in practice this is WORSE than random, because teams spend time scoring and then prioritizing the results…when they could have just as easily run a random number generator, or alternated days/weeks, to decide which issues to fix.
Finally:
- “While some research shows that a strategy of patching by CVSS score is no better than random…our results show that a strategy of patching CVSS score 9+ performs significantly better than random," per Jacobs, Romanosky, Adjerid, and Baker.
Thus, if you are going to continue to use CVSS for patching/remediation, it makes more sense to use a strategy targeting issues with CVSS 9+ (i.e. the CVSS v3 “critical” band), but this is still a far cry from the optimal path.
What are the alternatives?
1/ Technical investigation.
This is time-consuming, but having your developers confirm whether the vulnerable code (the affected functions, classes or configuration) is actually present and reachable in your deployment - and if so, what the impact would be - gives you a much clearer picture of the risk posed by a CVE than any score can.
2/ Use the Exploit Prediction Scoring System (EPSS).
This freely available data set, published by FIRST, gives each CVE an estimated probability of being exploited in the wild within the next 30 days, with no knowledge of your environment. While much better than “fix all highs and criticals,” EPSS still leaves some things to be desired: it scores likelihood only, says nothing about impact, and cannot tell whether the vulnerable code is reachable in your deployment.
3/ Buy a commercial tool to prioritize vulnerabilities.
Proprietary tools may have more, or more recent, data and can help you identify risks based on your business- or network-specific context (asset exposure, compensating controls, and the like). With that said, these generally only solve for likelihood of exploitation, not impact.
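To make the “efficiency of random patching” argument concrete, here is an added example (not code from the original post or from any of the tools or papers it cites) that back-tests several remediation policies against a ground truth of which findings were actually exploited. The two measures follow the Jacobs, Romanosky, Adjerid and Baker paper: coverage is the share of exploited findings you fixed, efficiency is the share of what you fixed that was exploited, and the efficiency of random patching is simply the exploited base rate. The findings, scores and exploitation flags are constructed to show the mechanics of the comparison; they are not real CVEs or real EPSS data and prove nothing on their own. The `prioritize` function is one assumed policy (EPSS first, CVSS as tie-breaker), not a recommendation from the post.

```python
"""
Back-test remediation strategies against a ground truth of which findings were
actually exploited, using the two measures from Jacobs, Romanosky, Adjerid and
Baker:

    coverage   = exploited findings you fixed / all exploited findings  (recall)
    efficiency = exploited findings you fixed / all findings you fixed  (precision)

Random patching has an expected efficiency equal to the base rate of exploited
findings, which is the bar any CVSS threshold has to clear.
"""
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Finding:
    name: str
    cvss: float      # CVSS base score, 0.0 to 10.0
    epss: float      # EPSS: probability of exploitation in the next 30 days
    exploited: bool  # ground truth for the back-test (constructed below)


# Constructed sample data. Scores and exploitation flags are invented to show
# the mechanics of the comparison; they are not real CVEs or real EPSS values.
FINDINGS = [
    Finding("finding-01", 9.8, 0.94, True),
    Finding("finding-02", 9.1, 0.01, False),
    Finding("finding-03", 7.5, 0.88, True),
    Finding("finding-04", 7.2, 0.00, False),
    Finding("finding-05", 6.5, 0.71, True),
    Finding("finding-06", 5.3, 0.62, False),  # high EPSS, not (yet) exploited
    Finding("finding-07", 4.3, 0.05, True),   # exploited despite low scores
    Finding("finding-08", 3.1, 0.00, False),
    Finding("finding-09", 8.8, 0.03, False),
    Finding("finding-10", 5.0, 0.01, False),
]

Selector = Callable[[Finding], bool]


def cvss_at_least(threshold: float) -> Selector:
    """'Fix everything scoring N+' policies, e.g. 7.0 for 'highs and criticals'."""
    return lambda f: f.cvss >= threshold


def epss_at_least(threshold: float) -> Selector:
    """Fix findings whose estimated exploitation probability meets the threshold."""
    return lambda f: f.epss >= threshold


def coverage_efficiency(findings: Iterable[Finding], select: Selector) -> tuple[float, float]:
    """Return (coverage, efficiency) of fixing exactly the findings `select` picks."""
    findings = list(findings)
    fixed = [f for f in findings if select(f)]
    exploited = [f for f in findings if f.exploited]
    hits = [f for f in fixed if f.exploited]
    coverage = len(hits) / len(exploited) if exploited else 0.0
    efficiency = len(hits) / len(fixed) if fixed else 0.0
    return coverage, efficiency


def random_baseline_efficiency(findings: Iterable[Finding]) -> float:
    """Expected efficiency of picking findings at random: the exploited base rate."""
    findings = list(findings)
    return sum(f.exploited for f in findings) / len(findings) if findings else 0.0


def prioritize(findings: Iterable[Finding]) -> list[str]:
    """Assumed work queue: highest exploit probability first, CVSS only as a tie-breaker."""
    ordered = sorted(findings, key=lambda f: (f.epss, f.cvss), reverse=True)
    return [f.name for f in ordered]


if __name__ == "__main__":
    print(f"random baseline efficiency: {random_baseline_efficiency(FINDINGS):.2f}")
    for label, policy in [
        ("CVSS 4+ (PCI-style)", cvss_at_least(4.0)),
        ("CVSS 7+ (highs+criticals)", cvss_at_least(7.0)),
        ("CVSS 9+ (criticals)", cvss_at_least(9.0)),
        ("EPSS >= 0.5", epss_at_least(0.5)),
    ]:
        cov, eff = coverage_efficiency(FINDINGS, policy)
        print(f"{label:28s} coverage={cov:.2f} efficiency={eff:.2f}")
    print("work queue:", ", ".join(prioritize(FINDINGS)))
```

On this constructed set the “highs and criticals” policy (CVSS 7+) fixes five findings and lands an efficiency of 0.40, exactly the random baseline, while the CVSS 4+ policy reaches full coverage only by fixing nine of ten findings. To run this against real data, replace `FINDINGS` with your scanner output joined to the EPSS feed and use an exploitation source you trust (observed attacks, or a known-exploited list) for the `exploited` flag.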
In any case, please STOP pursuing a strategy of fixing “all highs and criticals.” You are wasting valuable resources.
Let me know what I got wrong in the comments.
Top comments (4)
Right, but while performing impact analysis on each CVE may require additional resources, it can ultimately lead to a more effective use of resources in the long term, by prioritizing the vulnerabilities that pose the greatest risk to the organization.
Hello, do you know how that figure was established? While it's true you cannot skip the specific context of each organization, what is "real risk"?
It is likely that it came from research or a study conducted by Kenna Security. It is important to note that the 5% figure may not be universally applicable and may vary depending on the specific context of an organization.
When it comes to determining what constitutes "real risk" for an organization, it's important to take into account a variety of factors. These include the likelihood that a vulnerability will be exploited, the potential impact of a successful exploit, and the accessibility of the vulnerable system or software. Factors such as the company's infrastructure, industry, and size can also play a role in determining the real risk.
It's also important to note that "real risk" can vary depending on the specific context of each organization. Each company has different levels of risk acceptance, different systems and different vulnerabilities that can be exploited. Thus, a more thorough risk assessment process, taking into account the specific context of the organization is needed to determine which vulnerabilities pose a real risk to them.
Thanks for your answer, but that's precisely why I think such figures are not very meaningful if you want to prove a point.