Cisco: Patching bugs is about more than CVSS numbers
Cisco's Kenna Security advised enterprises to consider more than just CVSS scores and update advisories when deciding when and how to address security vulnerabilities.
Organizations should be paying more attention to the real-world attack potential of security vulnerabilities and less attention to threat scores when prioritizing out their patch rollouts.
That's according to team at Cisco's Kenna Security, which said in a new report that "exploitability" should factor into decision making when deciding when and how to address security vulnerabilities. The report, published Wednesday, was a joint effort between Kenna Security and the Cyentia Institute, a research and data science firm.
The security vendor noted a disparity between the volume of vulnerabilities that are disclosed (around 18,000 in 2021) and those that attackers actually scan for and attempt to exploit with automated scripts. This gives companies an opportunity to whittle down their patch loads and prioritize the bugs that are actually being attacked.
"The good news … is that we don't need to fret over them all because only about one-third of published CVEs are ever detected by a scanner in enterprise environments. And the proportion observed in your environment is ostensibly much less than that," the report, titled "Prioritization to Prediction," said. "So Step 1 in reducing the vulnerability firehose is to filter the flow down to just the assets you're managing."
In doing this, Kenna advised companies to consider factors other than traditional vulnerability security ratings. The report noted that Common Vulnerability Scoring System (CVSS) ratings in particular can mislead companies as to just how serious the threat from a given vulnerability might be.
Rather than simply trying to patch the flaws that have the highest CVSS scores, the company suggested administrators look to a variety of sources, including some unconventional ones, to figure out which bugs are being targeted and what the most serious threats to their networks are. For example, the report claimed that prioritizing vulnerabilities with publicly available exploit code is 11 times more effective than focusing on CVSS numbers.
"This is where the concept of 'exploitability' comes into play," Kenna said. "What's the likelihood that a given vulnerability will be exploited within a window of time?"
Addressing that exploitability -- the real-world risk that a given bug is actually going to be subject to attacks in the wild -- means looking to sites such as Twitter and gauging the amount of chatter around a bug or exploit.
Kenna Security argued that by combining those external sources with the traditional CVSS and the Common Vulnerabilities and Exposures (CVE) formats, administrators are better able to prevent real-world attacks. They can also spend less time chasing after bugs that, while seemingly serious, don't actually pose any sort of threat in the short term.
"Not everything has to be this or that; sometimes you actually can have your cake and eat it too," the report said. "An organization combining a good vulnerability prioritization strategy (exploit code) with high remediation capacity can achieve a 29X reduction in exploitability."
Overall, Kenna Security said focusing on high-risk vulnerabilities with only observed exploit code or activity leaves "just over 4% of published vulnerabilities that represent a real risk to organizations," which is a far cry from having to contend with 18,000 new CVEs every year.