September 22, 2022, by Michael-Angelo Zummo

Basing vulnerability management solely on CVSS scores is risky business

Cybersixgill’s end-to-end Dynamic Vulnerability Exploitation takes a contextual, more accurate approach to vulnerability management and prioritization.

This year, back-to-school time coincides with increased cyberattacks against higher education institutions. A recent survey shows that more than 60 percent of colleges and universities experienced ransomware attacks in the past year, costing institutions millions.

One reason for the high number of ransomware attacks is the sheer number of common vulnerabilities and exposures (CVEs) colleges and universities have to monitor.

Since the Common Vulnerability Scoring System (CVSS) was introduced in 1999, it has ranked more than 200,000 CVEs, with 50 new ones appearing daily. NIST manages the National Vulnerability Database (NVD) and regularly releases new threat alerts, but it is a slow process.

Some treat the CVSS score as a measure of how dangerous a CVE is: the higher the score, the more dangerous the vulnerability. That prioritization process is inherently flawed: the CVSS score estimates the severity of exploitation, not the risk that exploitation will actually happen. It also takes a long time for a CVE to make its way into the database, so by the time it shows up in the NVD its status in the wild may look very different.

Manually keeping up with new CVEs is like drinking from a firehose, and deciding which CVE to patch first is harder still without any context. The newest CVEs aren't necessarily the most dangerous to your organization, so newness is also a poor guide for prioritization. Sometimes an "ancient" CVE (several years old, which counts as ancient in cyber time) sees a surge in popularity when threat actors discover that the corresponding patch isn't widely applied.

Cybersixgill’s end-to-end Dynamic Vulnerability Exploitation takes an entirely different approach to CVE prioritization:

It scans the attack surface, determining the scope of new and old CVEs and the associated risk.

It maps CPEs to CVEs to quickly detect vulnerabilities in an organization's assets.

It assesses the risk of CVEs using MITRE ATT&CK tactics and techniques.

And finally, it provides access to vendor and patch information for quick remediation.

This process runs 24/7, collecting, analyzing, and delivering the latest information to keep organizations ahead of threat actors. Having all the available, fully updated information about a CVE in the portal makes it easy for the IT department to start remediation.

Vulnerability Prioritization with Cybersixgill

Common Vulnerability Scoring System (CVSS) scores rarely change throughout the lifespan of the CVE. The scores are static – a “set it and forget it” measure – based on something that happened in the past.

By contrast, Cybersixgill monitors DVEs every day, week, and month after they first appear. We continue to monitor any chatter about them, whether on Telegram, Twitter, or the Dark Web, so we can consistently communicate that context to you. We do this in real time, so we can say yes, that DVE was born two years ago, and here is what threat actors are saying about it today.

No other vendor has access to the sources we have access to, the scope of sources we use, or the collection rates we have. The real-time information we collect directly impacts how we score a DVE, so you can immediately patch the vulnerabilities that carry the highest risk. It also means we will instantly pick up a newly released exploit for a particular vulnerability.
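As an added example (this is not Cybersixgill's DVE code and not a published scoring formula), the following Python sketches the two steps of the process above that can be shown in code: matching an asset inventory expressed as CPE 2.3 strings against a CVE feed, and re-ranking the matched CVEs by a contextual score instead of the static CVSS base. The inventory, the CVE records (placeholder identifiers, not real CVEs), the exploit and chatter signals and the weights in risk_score() are all constructed for illustration; the CPE matcher is a field-by-field comparison that does not handle escaped colons.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CVE:
    """One vulnerability record. All values used below are constructed for the example."""
    cve_id: str
    cvss_base: float               # static severity score, as published in the NVD
    affected_cpes: frozenset       # CPE 2.3 patterns the record applies to
    published: date
    exploit_public: bool = False   # live signal: a working exploit has been released
    chatter_30d: int = 0           # live signal: threat-actor mentions in the last 30 days


# Constructed asset inventory: CPE 2.3 strings such as a scanner would emit.
ASSETS = {
    "web-01": "cpe:2.3:a:example:webserver:2.4.1:*:*:*:*:*:*:*",
    "db-01":  "cpe:2.3:a:example:dbengine:13.2:*:*:*:*:*:*:*",
    "vpn-01": "cpe:2.3:a:example:vpngateway:7.0:*:*:*:*:*:*:*",
}

# Constructed CVE feed. The identifiers are placeholders, not real CVEs.
CVE_FEED = [
    CVE("CVE-0000-0001", 9.8, frozenset({"cpe:2.3:a:example:dbengine:13.2:*:*:*:*:*:*:*"}),
        date(2022, 9, 1)),
    # an "ancient" CVE: moderate score, but a public exploit and fresh chatter
    CVE("CVE-0000-0002", 7.5, frozenset({"cpe:2.3:a:example:vpngateway:*:*:*:*:*:*:*:*"}),
        date(2019, 3, 10), exploit_public=True, chatter_30d=42),
    CVE("CVE-0000-0003", 6.1, frozenset({"cpe:2.3:a:example:webserver:2.4.1:*:*:*:*:*:*:*"}),
        date(2022, 9, 15), chatter_30d=3),
    # high score and a public exploit, but the product is not in this inventory
    CVE("CVE-0000-0004", 8.8, frozenset({"cpe:2.3:a:example:mailserver:1.0:*:*:*:*:*:*:*"}),
        date(2022, 8, 20), exploit_public=True),
]


def cpe_parts(cpe: str) -> list[str]:
    """Split a CPE 2.3 formatted string into its 13 colon-separated fields.
    Escaped colons are not handled; the constructed inventory contains none."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return parts


def cpe_matches(asset_cpe: str, pattern_cpe: str) -> bool:
    """True when every field of the pattern is '*' or equal to the asset's field."""
    return all(p in ("*", a) for a, p in zip(cpe_parts(asset_cpe), cpe_parts(pattern_cpe)))


def map_assets_to_cves(assets: dict[str, str], feed: list[CVE]) -> dict[str, list[str]]:
    """CPE-to-CVE mapping: {cve_id: [names of assets whose CPE matches the record]}."""
    hits: dict[str, list[str]] = {}
    for cve in feed:
        for name, asset_cpe in assets.items():
            if any(cpe_matches(asset_cpe, pat) for pat in cve.affected_cpes):
                hits.setdefault(cve.cve_id, []).append(name)
    return hits


def risk_score(cve: CVE, exposed_assets: int) -> float:
    """Contextual score: the static CVSS base adjusted by live signals.
    The weights are constructed for this example, not a published formula."""
    if exposed_assets == 0:
        return 0.0                                 # not in the inventory: nothing to patch here
    score = cve.cvss_base
    if cve.exploit_public:
        score += 3.0                               # a released exploit is the strongest signal
    score += min(cve.chatter_30d, 50) / 25.0       # up to +2.0 for current chatter
    return round(min(score, 15.0), 2)              # age is deliberately not a factor


def cvss_only_order(feed: list[CVE]) -> list[str]:
    """Baseline: the patch order if the static CVSS score were the only input."""
    return [c.cve_id for c in sorted(feed, key=lambda c: c.cvss_base, reverse=True)]


def prioritize(assets: dict[str, str], feed: list[CVE]) -> list[tuple[str, float, list[str]]]:
    """Risk-based patch order: (cve_id, risk score, exposed assets), highest risk first."""
    hits = map_assets_to_cves(assets, feed)
    ranked = [(c.cve_id, risk_score(c, len(hits.get(c.cve_id, []))), hits.get(c.cve_id, []))
              for c in feed]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    print("CVSS-only order :", cvss_only_order(CVE_FEED))
    for cve_id, score, exposed in prioritize(ASSETS, CVE_FEED):
        print(f"{cve_id}  risk={score:5.2f}  exposed={exposed}")
```

Run as a script, the two orders differ in exactly the way the post describes: the CVSS-only list puts the 9.8 and 8.8 records first, while the contextual list moves the three-year-old VPN gateway CVE with a public exploit and fresh chatter to the top and drops the 8.8 record to zero because nothing in the inventory matches it.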

In today’s business world, everyone has vulnerabilities. If they aren’t in your system, they might exist in your partners’ or suppliers’ systems. Our solution is ideal for any business in any industry.

Cybersixgill’s DVE Intelligence gives your cybersecurity or vulnerability management team the confidence to prioritize their patching workflow based on an expanded CVSS score that reflects what is out there in the wild today.

Cybersixgill’s DVE Intelligence benefits are easily quantifiable: it’s fast, precise, and consolidated. In addition, it will home in on the vulnerabilities that pose the most significant risk to your organization, rationalizing your security stack with a single source of truth.

To find out more about how expanded, real-time DVE Intelligence can help your organization, contact us to schedule a demo. You can also look for a recorded webinar alongside other informative webinars.
