Vulnerability management is a whack-a-mole pursuit for many organizations, but federal authorities are trying to change that.
The Cybersecurity and Infrastructure Security Agency on Thursday released its guide for Stakeholder-Specific Vulnerability Categorization and outlined three areas of focus for continued improvement.
The vulnerability-patch cycle places a heavy burden on cybersecurity professionals, and many organizations struggle to identify and patch the vulnerabilities that are most critical to their business and risk profile.
To improve vulnerability management, organizations need greater automation in line with the Common Security Advisory Framework (CSAF), widespread adoption of the Vulnerability Exploitability eXchange (VEX) and resource prioritization, Eric Goldstein, executive assistant director for cybersecurity at CISA, said in a blog post.
CISA’s push to make vulnerability data machine-readable could allow organizations to automate mitigation and patch processing and deploy resources in line with their respective risk profile.
“By publishing security advisories using CSAF, vendors will dramatically reduce the time required for enterprises to understand organization impact and drive timely remediation,” Goldstein said in the blog post.
The impact of a vulnerability can also be clarified through VEX advisories, which state which products are affected and whether a vulnerability is actually exploitable in them. “The ultimate goal of VEX is to support greater automation across the vulnerability ecosystem, including disclosure, vulnerability tracking and remediation,” Goldstein said.
Organizations can prioritize vulnerability management activities based on SSVC, which factors in exploitation status and other pertinent information rather than a severity score alone.
Once CISA becomes aware of a vulnerability, it works through the SSVC decision points and tags the vulnerability with one of four possible decisions: track, track* (track with closer monitoring for changes), attend or act.
The agency published a calculator and decision tree that walk organizations through those decision points: the state of exploitation, whether exploitation can be automated, the technical impact of the vulnerability, and the potential impact on mission prevalence and public well-being.
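As an added example, not code from the article or from CISA, the following Python shows how the pipeline Goldstein describes could be wired together: a vendor's CSAF VEX document names the product versions that are actually affected, the organization supplies where those products sit in its own environment, and the SSVC decision points turn that into one of the four decisions. The VEX document, CVE ID, product names and asset context are constructed placeholders. The outcome table is a transcription of the public CISA SSVC decision tree as the author of this example understands it and should be checked against the published tree before being relied on.

```python
"""Added example: VEX affected-product extraction feeding an SSVC decision.
Not CISA's code. All input data below is constructed for illustration."""
import json
from typing import Dict, List

# Constructed, minimal CSAF 2.0 VEX document (placeholder CVE and product IDs).
VEX_DOC = json.loads("""
{
  "document": {"category": "csaf_vex", "csaf_version": "2.0", "title": "Example VEX"},
  "product_tree": {"branches": [
    {"category": "vendor", "name": "ExampleVendor", "branches": [
      {"category": "product_name", "name": "ExampleApp", "branches": [
        {"category": "product_version", "name": "1.0",
         "product": {"name": "ExampleApp 1.0", "product_id": "CSAFPID-0001"}},
        {"category": "product_version", "name": "1.1",
         "product": {"name": "ExampleApp 1.1", "product_id": "CSAFPID-0002"}}
      ]}
    ]}
  ]},
  "vulnerabilities": [{
    "cve": "CVE-0000-0001",
    "product_status": {"known_affected": ["CSAFPID-0001"], "fixed": ["CSAFPID-0002"]}
  }]
}
""")

def product_names(tree: dict) -> Dict[str, str]:
    """Map product_id -> full product name by walking the nested product_tree branches."""
    out: Dict[str, str] = {}
    def walk(branch: dict) -> None:
        prod = branch.get("product")
        if prod:
            out[prod["product_id"]] = prod["name"]
        for child in branch.get("branches", []):
            walk(child)
    for top in tree.get("branches", []):
        walk(top)
    return out

def affected_products(doc: dict) -> Dict[str, List[str]]:
    """cve -> names of products the vendor lists as known_affected.
    Products under fixed / known_not_affected are dropped: no triage needed."""
    names = product_names(doc.get("product_tree", {}))
    result: Dict[str, List[str]] = {}
    for vuln in doc.get("vulnerabilities", []):
        ids = vuln.get("product_status", {}).get("known_affected", [])
        result[vuln["cve"]] = [names.get(pid, pid) for pid in ids]
    return result

# SSVC decision point values (names as used in CISA's guide).
EXPLOITATION = ("none", "poc", "active")
AUTOMATABLE = ("no", "yes")
TECHNICAL_IMPACT = ("partial", "total")
MISSION_WELLBEING = ("low", "medium", "high")
TRACK, TRACK_STAR, ATTEND, ACT = "Track", "Track*", "Attend", "Act"

def mission_and_wellbeing(mission_prevalence: str, public_wellbeing: str) -> str:
    """Fold Mission Prevalence and Public Well-being into one Mission & Well-being value."""
    if mission_prevalence == "essential" or public_wellbeing == "irreversible":
        return "high"
    if mission_prevalence == "support" or public_wellbeing == "material":
        return "medium"
    return "low"

# Transcribed from the public CISA SSVC tree (verify against the published tree).
# Row key: (exploitation, automatable, technical_impact); values for M&WB low/medium/high.
DECISION_TREE = {
    ("none",   "no",  "partial"): (TRACK, TRACK, TRACK),
    ("none",   "no",  "total"):   (TRACK, TRACK, TRACK_STAR),
    ("none",   "yes", "partial"): (TRACK, TRACK, ATTEND),
    ("none",   "yes", "total"):   (TRACK, TRACK, ATTEND),
    ("poc",    "no",  "partial"): (TRACK, TRACK, TRACK_STAR),
    ("poc",    "no",  "total"):   (TRACK, TRACK_STAR, ATTEND),
    ("poc",    "yes", "partial"): (TRACK, TRACK, ATTEND),
    ("poc",    "yes", "total"):   (TRACK, TRACK_STAR, ATTEND),
    ("active", "no",  "partial"): (TRACK, ATTEND, ATTEND),
    ("active", "no",  "total"):   (ATTEND, ATTEND, ACT),
    ("active", "yes", "partial"): (ATTEND, ATTEND, ACT),
    ("active", "yes", "total"):   (ATTEND, ACT, ACT),
}

def ssvc_decision(exploitation: str, automatable: str, technical_impact: str,
                  mission_prevalence: str, public_wellbeing: str) -> str:
    """Return Track / Track* / Attend / Act; rejects values outside the defined sets."""
    for value, allowed in ((exploitation, EXPLOITATION), (automatable, AUTOMATABLE),
                           (technical_impact, TECHNICAL_IMPACT)):
        if value not in allowed:
            raise ValueError(f"invalid SSVC decision point value: {value!r}")
    mwb = mission_and_wellbeing(mission_prevalence, public_wellbeing)
    return DECISION_TREE[(exploitation, automatable, technical_impact)][MISSION_WELLBEING.index(mwb)]

# Constructed organization context: how each deployed product matters to us.
ASSET_CONTEXT = {
    "ExampleApp 1.0": {"mission_prevalence": "essential", "public_wellbeing": "minimal"},
    "ExampleApp 1.1": {"mission_prevalence": "support", "public_wellbeing": "minimal"},
}
# Constructed analyst assessment of the vulnerability itself (intel-driven, re-run as it changes).
VULN_ASSESSMENT = {
    "CVE-0000-0001": {"exploitation": "poc", "automatable": "no", "technical_impact": "total"},
}

def triage(doc: dict, asset_context: dict, assessment: dict) -> Dict[tuple, str]:
    """(cve, product name) -> SSVC decision, only for products the VEX marks affected and we run."""
    decisions: Dict[tuple, str] = {}
    for cve, products in affected_products(doc).items():
        a = assessment[cve]
        for name in products:
            ctx = asset_context.get(name)
            if ctx is None:
                continue  # affected upstream, but not deployed here
            decisions[(cve, name)] = ssvc_decision(a["exploitation"], a["automatable"],
                                                   a["technical_impact"],
                                                   ctx["mission_prevalence"], ctx["public_wellbeing"])
    return decisions

if __name__ == "__main__":
    print(triage(VEX_DOC, ASSET_CONTEXT, VULN_ASSESSMENT))
```

Because the VEX document already says version 1.1 is fixed, only version 1.0 reaches the decision tree; with a public proof of concept, total technical impact and an essential mission role, that instance lands on Attend. Re-running the same function when the exploitation value moves from "poc" to "active" is what the "real-time, intelligence based updates" quoted later in the article amount to in practice.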
Cybersecurity pros support CISA’s vulnerability approach
Analysts and threat researchers view CISA’s vulnerability categorization effort as a necessary step to help organizations better understand their risk. The resource could also provide businesses the opportunity to patch or remediate the most pressing vulnerabilities before adversaries create a working exploit.
“Cybersecurity professionals are currently struggling in the vulnerability-patch cycle with too much information about too many vulnerabilities on too many products from too many different sources in too many forms,” Christopher Budd, senior manager of threat research at Sophos, said via email.
CISA’s vulnerability management advances will increase efficiency by making the process more standardized and using machine intelligence to process and analyze information, Budd said.
Andrew Barratt, VP of technology and enterprise accounts at cybersecurity advisory firm Coalfire, said the decision tree will help organizations categorize vulnerabilities and prioritize action. It also allows for multiple vulnerability impacts to be considered as part of an attack chain.
“As threats are very dynamic by their nature, it's important that this data can have real-time, intelligence-based updates made so that a decision outcome can be adjusted. What we thought might be the case yesterday might not be the case tomorrow,” Barratt said via email.
Vulnerability management often requires significant manual effort and a “common framework can allow for universal communication and automation to rapidly speed up our time to respond,” John Bambenek, principal threat hunter at Netenrich, said via email.