Why Moving Beyond CVSS Scores is a Business Imperative

Organizations today find themselves at a critical turning point in the evolution of their vulnerability management efforts. New vulnerabilities are being published (currently more than 75 per day) more quickly than teams can credibly analyze and remediate them, while at the same time a serious talent shortage has developed. According to CyberSeek, the U.S. cybersecurity workforce has over 950,000 workers, with approximately 465,000 open positions.

For the past 20 years, the most common method used to prioritize vulnerability remediation efforts has been the Common Vulnerability Scoring System (CVSS). However, CVSS scores do not take into account the network, the users, or how lower-scored vulnerabilities are chained together into attack paths, so a CVSS score is not an accurate (or even approximate) predictor of risk. Recent studies have shown that using CVSS scores to guide vulnerability prioritization efforts is little better than randomizing remediation.

Let’s explore the shortcomings of using only the CVSS score for risk prioritization and how modern vulnerability management moves beyond this scale to capture enhanced data and leverage automation.

The Problem with CVSS Scores

CVSS was never intended to be a comprehensive system for vulnerability management or prioritization, and relying on it solely to guide remediation efforts disregards important data points needed to effectively prioritize vulnerabilities. Where does the CVSS score fall short?

CVSS scores are network, user, and activity-agnostic.

A CVSS score takes into account neither network access nor the user permissions and activity where the vulnerability exists. It is a vendor-supplied score meant to capture how “bad” the vulnerability is in a vacuum; it does not capture the complex way modern networks and applications are built, maintained, and attacked.

CVSS offers a misleading distribution.

56% of all vulnerabilities are scored as “High” (corresponding to a CVSS score of 7.0–8.9) or “Critical” (CVSS score of 9.0–10.0), regardless of whether they are likely to ever be exploited. More than 75% of all vulnerabilities with a score greater than or equal to 7 have never had an exploit published against them. For this reason alone, teams relying solely on CVSS are wasting the majority of their time chasing after the wrong issues.

CVSS scores do not evaluate the entire, evolving threat landscape.

Because CVSS base scores are static, the score remains exactly the same regardless of changes on the network or users' activity and permissions.

The Evolution of Automated Risk-Based Vulnerability Prioritization

Vulnerability scanners and threat feeds are great signal producers and give you a great place to start. To have a true predictor of risk, however, further steps are needed: checking environmental factors, testing for conditionality, and stringing together exploitable vulnerabilities in order to predict where an attacker could cause the most damage.

Doing this work manually is incredibly time-consuming drudgery. There is a better way: automated, risk-based vulnerability analysis and prioritization. Such a system automates:

  • Collection of Signal from scanners and threat feeds
  • Collection of all the other needed Context
  • Vulnerability Analysis in context checking for Conditionality
  • Modeling vulnerability Chaining with pathways to assets
  • And finally, Prioritization by real risk
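
How the context, conditionality and chaining steps listed above can reorder a CVSS-sorted backlog, as an added Python example (not from the original article and not DeepSurface's algorithm). The hosts, findings, reachability map, asset values and field names are constructed, and the model assumes that any one exploitable finding on a reachable host gives control of that host.

```python
from collections import deque

# Constructed sample data (hypothetical hosts, findings and field names).
REACH = {"internet": ["web01"], "web01": ["app01", "print01"], "app01": ["db01"]}
ASSET_VALUE = {"db01": 10, "app01": 4, "web01": 3, "print01": 1, "lab01": 2}
FINDINGS = [  # id, host, CVSS base score, is the vulnerable condition present?
    {"id": "F1", "host": "lab01", "cvss": 9.8, "condition_met": True},
    {"id": "F2", "host": "web01", "cvss": 6.5, "condition_met": True},
    {"id": "F3", "host": "app01", "cvss": 5.4, "condition_met": True},
    {"id": "F4", "host": "db01", "cvss": 6.1, "condition_met": True},
    {"id": "F5", "host": "print01", "cvss": 9.1, "condition_met": False},
]

def exposed_hosts(findings, reach, entry="internet"):
    """Hosts that can be taken over by chaining exploitable findings from entry."""
    exploitable = {f["host"] for f in findings if f["condition_met"]}
    owned, queue = {entry}, deque([entry])
    while queue:
        for nxt in reach.get(queue.popleft(), []):
            if nxt in exploitable and nxt not in owned:
                owned.add(nxt)
                queue.append(nxt)
    return owned - {entry}

def downstream_value(host, owned, reach, value):
    """Highest asset value on any exposed path that passes through this host."""
    seen, stack, best = {host}, [host], value[host]
    while stack:
        for nxt in reach.get(stack.pop(), []):
            if nxt in owned and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
                best = max(best, value[nxt])
    return best

def prioritize(findings, reach, value):
    """Rank by attack-path risk; findings on no exposed path score zero."""
    owned = exposed_hosts(findings, reach)
    def risk(f):
        if not f["condition_met"] or f["host"] not in owned:
            return 0
        return downstream_value(f["host"], owned, reach, value)
    return sorted(findings, key=lambda f: (-risk(f), -f["cvss"]))

by_cvss = [f["id"] for f in sorted(FINDINGS, key=lambda f: -f["cvss"])]
by_risk = [f["id"] for f in prioritize(FINDINGS, REACH, ASSET_VALUE)]
print("CVSS order:", by_cvss)
print("Risk order:", by_risk)
```

The two Critical-scored findings drop to the bottom because one sits on a host with no path from the entry point and the other's vulnerable condition is not present, while three Medium-scored findings rise because together they form a path to the highest-value asset.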

As a result, vulnerability management teams start their week with analyzed and prioritized vulnerabilities and will have much more credibility with IT teams as they will only be asking them to patch what matters.

CISOs can also more effectively report objective metrics about cybersecurity risk. CFOs and risk officers gain visibility into how their organization is creating a more secure, cost-effective, risk-based prioritization program that will save the company money.

*     *     *

By automating the vulnerability analysis in context and prioritizing based on organizational risk instead of relying on vendors’ CVSS (which was never meant to represent risk), weeks of labor are turned into minutes, a shift that translates into hundreds of thousands of dollars saved AND real risk reduced.

While vulnerability scanners and threat feeds offer great signals, automated systems allow you to see the full story and demonstrate the technical proof of security risk.

If you’re interested in seeing how DeepSurface has created an automated vulnerability management platform that can save organizations hundreds of thousands of dollars and better predict and remove risk, take a self-guided tour of the platform or get in touch with our team today.