Risk-Based Vulnerability Intelligence Does What CVSS Can’t
June 15, 2021 • The Recorded Future Team
Digital transformation initiatives have become a common way for organizations to not only increase business agility, but also to adapt quickly to market changes, environmental forces, and business priorities. Responses to COVID-19, for example, have massively accelerated the adoption of digital technologies by several years.
This shift toward digital transformation only increases the attack surface and the number of vulnerabilities your organization is exposed to, which threat actors are quick to exploit. There’s no disputing that unpatched vulnerabilities make systems easy prey. And yet, failure to patch remains a major problem. Industry research, for example, reveals that 60% of breaches were linked to a vulnerability where a patch was available but not applied, up from 57% the prior year. Further, an analysis of 2,013 data breaches shows that more than half (52%) involved some form of hacking. Of the most prominent hacking variety and vector combinations, ‘vulnerability exploitation’ made the top three.
With new vulnerabilities being discovered at increasing velocity and volume, scanning tools are returning hundreds, if not thousands–or tens of thousands–of vulnerabilities. It goes without saying that quickly remediating every vulnerability identified by a scan is unfeasible. Overwhelmed and already stretched too thin to fix each one, most vulnerability management teams simply prioritize patching based on CVSS severity levels.
CVSS is Not Enough
Leveraging CVSS scores to prioritize vulnerabilities makes sense on the surface, but there are serious issues with using the rating scheme this way: CVSS was never meant to be used on its own for prioritization. Beyond blurring the distinction between practical and theoretical risk, shortcomings of the CVSS scoring system include:
- Focus on exploitability versus exploitation
- Lack of timeliness/delay in reporting
- Static base scores
- Assumption of widespread exploitation
- Failure to consider relationships between vulnerabilities
- Lack of critical business context
Prioritize Patching with Risk-Based Vulnerability Intelligence
CVSS scores can provide a starting point for evaluating how bad a particular vulnerability is. It’s important to keep in mind, however, that CVSS was never meant to measure risk to a certain organization; it was meant to measure the technical severity of the vulnerability. While the familiar 0-10 scoring format has served well in the past, it no longer reflects the way modern networks and applications are built, maintained, and attacked.
Prioritizing patching using CVSS alone is insufficient because it doesn’t take into account whether a vulnerability is being exploited in the wild. Nor does it know whether the vulnerability sits on a business-critical service or system. Relying exclusively on the CVSS score leads to more resources being spent on ‘critical’ vulnerabilities–and less ability to effectively prioritize the highest-risk vulnerabilities. What’s needed is a new system that incorporates risk-focused contextual information specific to your environment to show you where your business is most at risk.
That’s where risk-based vulnerability intelligence comes into play.
Risk-based vulnerability intelligence should not simply provide more information in the form of scores and statistics, but rather a deeper understanding of how and why threat actors are targeting certain vulnerabilities and ignoring others. By combining your company’s internal asset criticality and internal vulnerability scanning data with external intelligence from various sources, IT security teams can assess the true risk of a vulnerability to the organization and strike the correct balance between patching vulnerable systems and interrupting business operations.
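As an added illustration of the ranking shift described above (this is not Recorded Future’s scoring model and not code from the post), the following Python takes a constructed scan result, a constructed list of CVEs with observed exploitation, and an assumed weighting that scales the CVSS base score by exploitation status and asset criticality, then compares the CVSS-only order with the risk-based order:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float             # CVSS base score as reported by the scanner
    asset: str
    asset_criticality: int  # 1 (low) .. 3 (business-critical), from the asset inventory


# Constructed scan output; CVE identifiers are placeholders, not real entries.
SCAN = [
    Finding("CVE-EXAMPLE-0001", 9.8, "test-jenkins", 1),
    Finding("CVE-EXAMPLE-0002", 7.2, "payments-api", 3),
    Finding("CVE-EXAMPLE-0003", 8.1, "hr-portal", 2),
    Finding("CVE-EXAMPLE-0004", 5.3, "payments-db", 3),
]

# Constructed external intelligence: CVEs with exploitation observed in the wild.
# This is the "exploitability versus exploitation" distinction the post draws.
EXPLOITED_IN_WILD = {"CVE-EXAMPLE-0002", "CVE-EXAMPLE-0004"}


def risk_score(finding: Finding, exploited: set) -> float:
    """Assumed weighting: observed exploitation doubles the score and asset
    criticality scales it (3 = full weight, 1 = one third)."""
    exploit_factor = 2.0 if finding.cve in exploited else 1.0
    return round(finding.cvss * exploit_factor * finding.asset_criticality / 3, 2)


def prioritize_by_cvss(findings: list) -> list:
    """CVSS-only order: highest base score first."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def prioritize_by_risk(findings: list, exploited: set) -> list:
    """Risk-based order: exploitation and business context folded in."""
    return [f.cve for f in sorted(findings, key=lambda f: risk_score(f, exploited), reverse=True)]


if __name__ == "__main__":
    print("CVSS only :", prioritize_by_cvss(SCAN))
    print("Risk-based:", prioritize_by_risk(SCAN, EXPLOITED_IN_WILD))
```

In this constructed set the 9.8 on a throwaway test host drops to the bottom, while the 5.3 on the exploited, business-critical database moves to second; that reordering is the whole point of adding context to the base score.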
The Business Benefits of Vulnerability Intelligence
Implementing vulnerability intelligence into company workflows doesn’t just help identify zero-days; it radically shifts the way vulnerability management programs operate. By leveraging vulnerability intelligence and moving to a risk-based approach to vulnerability management, organizations can:
- Reduce the most possible risk by prioritizing patching based on threat severity.
- Minimize expensive off-cycle patches.
- Justify patching decisions with transparent evidence.
- Improve team efficiency and simplify workflows.
- Maximize the investment in existing security tools.
Are you ready to defend your organization by prioritizing the vulnerabilities that represent real risk to your business? Read our white paper, Patch What Matters with Risk-Based Vulnerability Management, and learn more about the benefits of leveraging vulnerability intelligence.
Ponemon Institute, LLC, Costs and Consequences of Gaps in Vulnerability Response, April 2018.
Verizon Enterprise Solutions, 2020 Data Breach Investigations Report, May 2019.