
Why You Need to Stop Using CVSS for Vulnerability Prioritization

Most cybersecurity teams rely on the Common Vulnerability Scoring System (CVSS) to prioritize their vulnerability remediation efforts. But, they fail to realize that CVSS is an outdated, ineffective method that causes them to waste the majority of their valuable time on vulnerabilities that pose little to no risk. Here’s what to do instead.

For the past 20 years, security professionals have conducted scans of their business networks to find the vulnerabilities located throughout their IT infrastructures. The scans have been pretty effective at finding these vulns. But, the problem is they discover more vulnerabilities than they can actually handle – and new vulns are discovered more quickly than IT can remediate them. Since they know they’ll never be able to fix everything, the teams end up having to prioritize which vulns to remediate first.

CVSS is failing you

The most common method used for prioritizing remediation efforts is to employ the Common Vulnerability Scoring System (CVSS), an industry standard for assessing the severity of cybersecurity vulnerabilities. CVSS assigns a severity rating between zero and 10, with 10 being the most severe. The score is based on how easily the vulnerability can be exploited and the level of impact if a successful exploit were to occur.

The root of the problem is that CVSS was never actually intended to be used for prioritization. It was developed simply to convey each vuln’s severity. But, as organizations faced ever greater numbers of vulns, they had an overwhelming need to prioritize. And, since there was nothing (at the time) designed to do that, they latched on to CVSS as at least something they could use. Because it was never intended to be used in this way, the model doesn’t work particularly well for this purpose, and quickly falls apart.

A theoretical vs actual view of risk

The problem with using CVSS to prioritize remediation efforts stems from how the base score is produced. It is typically assigned within two weeks of the vulnerability being discovered, and almost never revisited after that initial assessment. It is therefore limited to a theoretical view of the risk a vulnerability could potentially introduce, rather than an understanding of the actual threat landscape.

As a result, according to Tenable Research, 56% of all vulnerabilities are scored as High (CVSS score of 7.0–8.9) or Critical (CVSS score of 9.0–10.0), regardless of whether they are likely to ever be exploited. And, since more than 75% of all vulnerabilities with a score of 7 or above have never had an exploit published against them, security teams using CVSS to prioritize their efforts are wasting the majority of their time chasing after the wrong issues.

[Figure: CVSS base scores]

CVSS scores do not reflect the current threat landscape

Also, since CVSS base scores are static, the score remains exactly the same for years, regardless of changes in the threat landscape. That means that if a vulnerability was initially assigned a base score of 6.0, even if 90 days later it’s successfully exploited in the wild, and even becomes a prolifically exploited vulnerability that leads to billions of dollars in data exfiltration, the CVSS score will remain at the initial 6.0 score.

Conversely, vulnerabilities that receive a low CVSS score will be ignored by teams who are only looking at those with a CVSS score of 7 and above, potentially leaving dangerous vulnerabilities in their environment. In fact, according to Tenable Research, there are nearly as many vulnerabilities with exploit code available that have a CVSS base score between 4 and 6 as there are with a CVSS base score of 7 and above – yet, by policy, those using a CVSS 7+ strategy would ignore these lower-scored vulns, therefore missing many of the most critical vulnerabilities that pose the greatest risk to their business. Consider the example given above of the vulnerability that led to billions of dollars in data exfiltration. Since it was assigned a CVSS base score of 6.0, few organizations would ever have looked at it to assess it for themselves, leaving them to fall prey to cyberattacks they would only learn about in retrospect – after the damage is done.

CVSS creates a false sense of security

The bottom line is, CVSS has been the industry standard for so long that many security professionals believe it’s the best, if not only, way to prioritize their vulnerability remediation efforts. But, considering the many downfalls of CVSS, it’s easy to see that CVSS is an outdated, ineffective method.

A better way: The need for risk-based vulnerability management

To be effective, security teams need to understand vulnerabilities in the context of business risk, and then use that data to prioritize their remediation efforts. By taking a risk-based approach to vulnerability management, security teams can focus on the vulnerabilities and assets that matter most, so they can address the organization’s true business risk instead of wasting their valuable time on vulnerabilities that have a low likelihood of being exploited. To truly understand the full context of each vulnerability, and therefore make the best decisions, security teams need to correlate the following security data:

  • Dozens of essential characteristics of the vulnerability, including the age of the vuln, its potential for harm, the degree to which it’s exploitable and how frequently we’re seeing the threat
  • An assessment of current and predicted future attacker activity
  • Threat and exploit intelligence from multiple sources
  • An assessment of how important the affected asset is to the organization

Of course, parsing through all this data can’t be accomplished by a human being – or even a team of human beings – so automating its correlation and analysis using machine learning algorithms is absolutely essential. Not only is machine learning more accurate, but within seconds, it can effectively deliver a vulnerability priority rating (VPR) for every one of the organization’s vulnerabilities based on the risk each poses to the business.
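The following is an added example, not code from this post or from Tenable, and the weighted score it computes is a deliberately simple hypothetical model, not Tenable's VPR. It shows, over a constructed inventory with placeholder identifiers, how a "fix everything CVSS 7+" policy ignores the exploited 6.0 vulnerability described earlier, and how a score that folds in exploit availability, in-the-wild exploitation and asset criticality changes when the threat picture changes while the CVSS base score stays fixed.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Vuln:
    vid: str                 # placeholder identifier, not a real CVE
    cvss_base: float         # static CVSS base score (0-10), never revisited
    exploit_public: bool     # exploit code has been published
    exploited_in_wild: bool  # observed being exploited by attackers
    asset_criticality: int   # 1 (lab box) .. 5 (business-critical), set by the org

# Constructed sample inventory for illustration only.
INVENTORY = [
    Vuln("vuln-1", 9.8, False, False, 1),  # Critical score, no exploit, throwaway host
    Vuln("vuln-2", 7.5, False, False, 2),  # High score, no exploit
    Vuln("vuln-3", 6.0, True, True, 5),    # Medium score, exploited in the wild, crown-jewel asset
    Vuln("vuln-4", 5.3, True, False, 4),   # Medium score, public exploit, important asset
    Vuln("vuln-5", 4.3, False, False, 1),  # Medium score, nothing else of note
]

def cvss_threshold_policy(vulns, threshold=7.0):
    """The common 'CVSS 7+' policy: rank on the static base score and ignore the rest."""
    ranked = sorted(vulns, key=lambda v: v.cvss_base, reverse=True)
    return [v.vid for v in ranked if v.cvss_base >= threshold]

def risk_score(v):
    """Hypothetical weighted risk score (NOT Tenable's VPR).
    Severity is scaled by threat evidence and by how much the asset matters."""
    threat_multiplier = 1.0
    if v.exploit_public:
        threat_multiplier += 1.0
    if v.exploited_in_wild:
        threat_multiplier += 2.0
    return round(v.cvss_base * threat_multiplier * (v.asset_criticality / 5), 2)

def risk_based_policy(vulns, top_n=3):
    """Rank by risk score instead of by CVSS base score."""
    return [v.vid for v in sorted(vulns, key=risk_score, reverse=True)[:top_n]]

def missed_by_cvss_policy(vulns, threshold=7.0):
    """Vulns with real threat evidence that a CVSS-threshold policy never looks at."""
    return [v.vid for v in vulns
            if v.cvss_base < threshold and (v.exploit_public or v.exploited_in_wild)]

def after_exploit_observed(v):
    """Threat intel update: an exploit is published and used in the wild.
    The CVSS base score does not move; only the threat evidence does."""
    return replace(v, exploit_public=True, exploited_in_wild=True)

if __name__ == "__main__":
    print("CVSS 7+ queue:   ", cvss_threshold_policy(INVENTORY))
    print("Risk-based queue:", risk_based_policy(INVENTORY))
    print("Ignored by 7+:   ", missed_by_cvss_policy(INVENTORY))
```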

Taking a risk-based approach to vulnerability management is a far more effective solution because it enables security teams to focus on what matters most – so they can make the biggest impact on risk with the least amount of effort.

To learn more about how risk-based vulnerability management can help you focus your remediation efforts on the vulnerabilities and assets that matter most, visit: https://www.tenable.com/solutions/risk-based-vulnerability-management
