Sunday, July 7, 2024

Decoding CISA Exploited Vulnerabilities

Integrating CISA Tools for Effective Vulnerability Management: With more than 20,000 CVEs reported every year, vulnerability management teams struggle to detect and update software with known vulnerabilities. They are expected to patch software across the whole firm to reduce risk and prevent a compromise, which in practice is unachievable. Since not every system can be patched, most teams focus on fixing the vulnerabilities that score highest in the Common Vulnerability Scoring System (CVSS), a standardized and repeatable scoring methodology that rates reported vulnerabilities from most to least severe. 

However, how do these organizations know that prioritizing software with the highest CVSS scores is the right choice? It is pleasant to report to executives the number or percentage of critical-severity CVEs fixed, but does that say anything about the organization's resilience? Does reducing the count of critical CVEs greatly reduce breach risk? In principle the organization is lowering its risk, but in practice it is hard to know: CVSS measures how severe a flaw would be if exploited, not whether anyone is actually exploiting it. 

To increase cybersecurity resilience, CISA identified exploited vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog was created to reduce actual breaches rather than theoretical risk. CISA strongly urges organizations to continuously review the catalog and prioritize remediation of the vulnerabilities it lists. By keeping the list current, CISA aims to provide an "authoritative source of vulnerabilities that have been exploited in the wild" and help firms mitigate those risks before attackers reach them.

CISA has narrowed the list of CVEs security teams should remediate from tens of thousands to just over 1,000 by focusing on vulnerabilities that:
  • Have been assigned a CVE ID and have reliable evidence of active exploitation in the wild
  • Have a clear remediation action, such as a vendor update

Narrowing the scope this way lets overworked vulnerability management teams investigate in depth the software in their environment that is reported to contain actively exploited vulnerabilities, which are the most likely origins of a breach. 

Rethinking vulnerability management to prioritize risk

With CISA KEV's narrower list of vulnerabilities driving their workflows, security teams spend less time on blanket patching (a laborious task, and low-value for flaws nobody exploits) and more time understanding their organization's resilience against these proven attack vectors. Many vulnerability management teams have shifted effort from patching everything to testing whether: 

  • Software in their environment is exposed to CISA KEV vulnerabilities and can actually be exploited.
  • Their compensating controls detect and block the resulting attacks. This shows teams the genuine risk to the organization and the value of their security investments.
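The workflow described above starts with one mechanical step: matching what the scanners report against what is in the catalog. The following is an added example (not code from the original post, CISA or IBM) of that step. It assumes the field names of CISA's published KEV JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json); the two-entry catalog excerpt, the asset names and the scanner findings are constructed sample data, and CVE-2024-99999 is a placeholder ID standing in for a critical-CVSS finding that is not in the catalog. Findings that are in KEV go to the front of the queue, ransomware-linked ones first and then by CISA due date; everything else falls back to CVSS ordering.

```python
"""Triage scanner findings against the CISA Known Exploited Vulnerabilities feed.

Added example, not code from the original post, CISA or IBM. It assumes the
field names of CISA's published KEV JSON feed; the catalog excerpt, asset names
and findings below are constructed sample data.
"""
import json
from datetime import date

# Constructed excerpt in the shape of the real feed (two entries, not the full catalog).
KEV_FEED_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2024.07.05",
  "dateReleased": "2024-07-05T14:00:00.0000Z",
  "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
     "dateAdded": "2021-12-10", "shortDescription": "JNDI lookups allow remote code execution.",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2021-12-24",
     "knownRansomwareCampaignUse": "Known", "notes": ""},
    {"cveID": "CVE-2023-4966", "vendorProject": "Citrix", "product": "NetScaler ADC and NetScaler Gateway",
     "vulnerabilityName": "Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability",
     "dateAdded": "2023-10-18", "shortDescription": "Session token leak allowing session hijacking.",
     "requiredAction": "Apply mitigations per vendor instructions.", "dueDate": "2023-11-08",
     "knownRansomwareCampaignUse": "Known", "notes": ""}
  ]
}"""

# Constructed scanner output. CVE-2024-99999 is a placeholder ID used only to
# stand in for a critical-CVSS finding that is NOT in the catalog.
SCAN_FINDINGS = [
    {"asset": "web-01", "cve": "CVE-2021-44228", "cvss": 10.0},
    {"asset": "db-02", "cve": "CVE-2024-99999", "cvss": 9.8},
    {"asset": "vpn-gw", "cve": "CVE-2023-4966", "cvss": 9.4},
    {"asset": "jump-01", "cve": "cve-2021-44228", "cvss": 10.0},  # lower-case, as some scanners emit
]


def load_kev(feed_json):
    """Parse the feed and index entries by upper-cased CVE ID.

    The feed's own 'count' field is checked against the number of entries so a
    truncated download cannot silently shrink the catalog.
    """
    feed = json.loads(feed_json)
    entries = feed["vulnerabilities"]
    if feed.get("count") != len(entries):
        raise ValueError(f"KEV count {feed.get('count')} != {len(entries)} entries")
    return {e["cveID"].upper(): e for e in entries}


def prioritize(findings, kev, today):
    """Rank findings: KEV entries first (ransomware-linked, then earliest CISA
    due date), then everything else by CVSS. 'today' is a date or ISO string.
    Returns a new list of dicts with tier/due/overdue/ransomware fields added."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    ranked = []
    for f in findings:
        cve = f["cve"].upper()  # normalise case before the lookup
        entry = kev.get(cve)
        row = {**f, "cve": cve, "tier": "backlog", "due": None,
               "overdue": False, "ransomware": False, "required_action": None}
        if entry is not None:
            due = date.fromisoformat(entry["dueDate"])
            row.update(tier="kev", due=due, overdue=due < today,
                       ransomware=entry.get("knownRansomwareCampaignUse") == "Known",
                       required_action=entry["requiredAction"])
        ranked.append(row)
    ranked.sort(key=lambda r: (r["tier"] != "kev",      # KEV before backlog
                               not r["ransomware"],     # ransomware-linked first
                               r["due"] or date.max,    # earliest CISA due date
                               -r["cvss"]))             # CVSS only as tie-breaker
    return ranked


if __name__ == "__main__":
    catalog = load_kev(KEV_FEED_JSON)
    for r in prioritize(SCAN_FINDINGS, catalog, date.today()):
        flag = " OVERDUE" if r["overdue"] else ""
        print(f"{r['tier']:8} {r['asset']:8} {r['cve']:16} cvss={r['cvss']:<4}{flag}")
```

Two details matter in practice: scanner output does not always use the same case for CVE IDs, so the lookup normalises them, and the feed's `count` field is compared with the number of entries so that a partial download (a proxy timeout, a truncated cache) fails loudly instead of quietly making the catalog smaller. Replacing `KEV_FEED_JSON` with the downloaded feed and `SCAN_FINDINGS` with a scanner export is all that is needed to run this on real data.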

This shift toward testing CISA KEV catalog vulnerabilities shows that organizations are maturing from traditional vulnerability management programs to what Gartner calls Continuous Threat Exposure Management (CTEM) programs, which "surface and actively prioritize whatever most threatens your business." Focusing on proven rather than theoretical risk also pushes teams to learn the skills and tools needed to safely execute exploits across their own enterprise.  

ASM’s role in continuous vulnerability intelligence  

An attack surface management (ASM) solution helps you understand cyber risk with continuous asset discovery and risk prioritization.

Continuous testing, a CTEM pillar, requires programs to “validate how attacks might work and how systems might react” to ensure security resources are focused on the most pressing risks. According to Gartner, “organizations that prioritize based on a continuous threat exposure management program will be three times less likely to suffer a breach.”

CTEM programs strengthen defenses beyond typical vulnerability management by focusing on the most likely breaches. Stopping breaches matters because their average cost keeps rising: IBM's Cost of a Data Breach report shows a 15% increase over three years, to USD 4.45 million. As skilled staff become scarcer and security budgets tighten, consider giving your teams a narrower focus, such as CISA KEV vulnerabilities, and equipping them with tools to test exploitability and assess the robustness of their defenses.

Checking exploitable vulnerabilities using IBM Security Randori

IBM Security Randori, an attack surface management solution, discovers your external vulnerabilities from an adversary's perspective. It continuously validates an organization's external attack surface and reports exploitable flaws.

A sophisticated ransomware attack hit Armellini Logistics in December 2019. After the attack, the company recovered quickly and decided to be more proactive about prevention. Armellini uses Randori Recon to monitor external risk and update its asset and vulnerability management systems as new cloud and SaaS applications launch. Armellini is increasingly leveraging Randori Recon's target temptation analysis to prioritize which vulnerabilities to remediate. This understanding has helped the Armellini team lower company risk without affecting business operations.

In addition to managing vulnerabilities, Randori's vulnerability validation feature checks the exploitability of CVEs such as CVE-2023-7992, a zero-day vulnerability in Zyxel NAS systems found and reported by IBM X-Force Applied Research. This verification reduces noise, lets clients act on genuine threats, and supports retesting to confirm that mitigation or remediation worked. 
