Why is CVSS Not Enough for Prioritization?

Stop Relying on CVSS for Vulnerability Prioritization

Regardless of size, organizations are struggling with the volume of vulnerabilities and the complexity of vulnerability risk management. By 2025, 70% of mid-size enterprises that take a traditional, volume approach to vulnerability management will have been breached through a known vulnerability, according to Gartner. Here’s how to take a proactive approach to vulnerability prioritization and remediation.

Challenges of CVSS

As vulnerability management has matured as a process, a standardized taxonomy and language has evolved to satisfy the need for security professionals to formalize the way they describe and talk about vulnerabilities.  Growing out of this effort, CVE IDs and CVSS scores soon became the standard for classifying, managing, and remediating vulnerabilities. 

As a result, security tools have heavily focused on technical severity ratings and external threat intelligence to enrich vulnerability data enabling organizations to begin basic prioritization of remediation efforts.  By focusing on technical severity, organizations were prioritizing their remediation efforts by eliminating the most severe issues first.  While this provided a rudimentary framework for vulnerability remediation, numerous issues emerged as asset counts and data volumes dramatically increased.

Too Many Vulnerabilities, Not Enough Resources

Organizations lack the time, money and resources to address every identified issue and remediation efforts are held back by manual processes and a disconnected vulnerability remediation process that compromises their ability to respond in a timely manner. In light of these constraints, how can an organization effectively decide which issues need to be addressed first?

Do you know how many vulnerabilities pose an immediate threat to your environment? Try our new Vulnerability Risk Calculator.

Lack of Insight in Business Context

The CVSS model offers an incomplete picture as it focuses strictly on technical measures and does not consider critically important environmental variables.

CVSS lacks insight in the following ways:

  • Asset Criticality is overly simplistic
  • Only accounts for vendor-identified vulnerabilities
  • CVSS is poor at capturing emerging threats and temporal characteristics
    • Ex. This CVE has actively been exploited within the last 30 days

Therefore, the second challenge with the current state of vulnerability management is the encapsulation of business importance into the technical severity model.  The technical severity of exposures present on any given asset and the business importance of that asset are fundamentally different in a few distinct ways.

Security teams need to understand the business importance of devices as in independent component of business risk in order to effectively prioritize their remediation efforts.

CVSS Is Not Enough for Vulnerability Prioritization!

While CVSS has provided a rudimentary framework to help classify and prioritize vulnerability remediation, the industry has begun to recognize that these to aspect of vulnerability management were holding organizations back from truly impactful and proactive vulnerability remediation and management.

Under the CVSS model, vulnerability management teams risk focusing on trivial issues while leadership remains unable to understand where critical business services remain exposed.

The Value of Risk-Based Vulnerability Management

Organizations must be certain their security measures can effectively prevent critical infrastructure disruption. In order for enterprises to prevent data breaches, they must be able to accurately identify and remediate gaps in their security defenses.

Implementing a risk-based approach to vulnerability management can drastically reduce the probability of being breached.

Prioritization – The Key to Effective Vulnerability Management

NorthStar Navigator is the next evolution of vulnerability management. It widens visibility beyond traditional vulnerabilities to include additional critical aspects of risk management and remediation. With NorthStar, remediation efforts can be driven in ways that best reflect the available resources and risk appetite of the organization. 

NorthStar tackles the prioritization process along several fronts:

  1. Integrated Threat Intelligence – NorthStar has partnered with the leading threat intelligence provider to automatically enrich the vulnerability and asset data NorthStar already ingests.
  2. A new prioritization model that enables customers to manage their vulnerability prioritization process through an easy to understand and highly configurable rule-engine. These rules allow customers an even greater level of control over the prioritization process as asset, vulnerability, patching, threat intelligence, compensating controls and exception data is merged to form a cohesive, coherent, and transparent prioritization process. 
  3. Support for Compensating Controls and Exceptions – NorthStar’s prioritization model now incorporates data about compensating controls and exceptions to further allow for customers to refine their prioritization process. This additional support allows for customers to drive the severity and importance of a vulnerability, an asset, or a specific instance of a vulnerability on an asset according to set of predefined rules that are automatically applied.

The result of this new model is maximized effectiveness of remediation efforts by focusing organizations on the problems that really matter and providing clear, actionable paths to remediation and lower overall risk.

If you’re ready to learn more about how risk-based vulnerability management can help you focus your remediation efforts on the vulnerabilities and assets that matter most (and NOT CVSS scores), get in touch today for a free demo of NorthStar Navigator.