Feb 24, 2023
Stop Prioritizing Vulnerabilities by CVSS Score: Use These 3 Approaches Instead
Many organizations rely on the Common Vulnerability Scoring System (CVSS) to measure the severity of vulnerabilities, which — in theory — makes it easy to compare and understand potential risks. However, relying solely on CVSS scores without considering the business objectives and strategies unique to each organization can lead to misalignment with security goals.
That’s because the CVSS system can overstate the severity of certain vulnerabilities, and teams that link SLAs to CVSS scores may not accurately reflect the actual risk a given vulnerability poses to your business. Organizations that rely solely on these scores do so at their peril since the scores do not take into account if and how vulnerabilities are being exploited or any potential impacts they may have on specific business processes.
A better approach is to assess vulnerability risk by considering:
- The business context of the asset
- The likelihood of the threat being exploited in your environment
- Any compensating controls already in place
Considering the combination of these three attributes will better position your organization to effectively prioritize risks than relying solely on CVSS.
Prioritization Approach #1: What is the business context?
Each vulnerability has an associated asset to which it pertains. Organizations should prioritize vulnerabilities based on that asset’s relative importance to the business. A CVSS score does not include this business context.
You can improve your ability to effectively prioritize risk using business context by asking yourself key questions, including:
- Is the affected asset part of a critical line of business? Or is it, for example, a development sandbox?
- Is the asset subject to any specific regulatory requirements for which the organization could incur penalties for non-compliance?
- If the asset is breached, how big would the blast radius be? (A single compromised laptop is far less severe than a compromised database filled with customers’ PII.)
While these questions are simple to ask, they can be increasingly difficult for organizations to answer for two primary reasons:
- The number of assets and asset types is expanding rapidly due to advances in software development and the adoption of cloud
- Organizationally, a different team is responsible for securing assets than the teams that own and maintain the assets. Shadow IT and shadow development are more prevalent than ever. In other words, it’s hard for everyone to keep up and maintaining an updated asset inventory is challenging.
To achieve a better understanding of the business context of assets for purposes of vulnerability prioritization, your organization should strive to group technologies into “business services.” This way you can map low-level assets, such as containers or code repositories, back to a line of business and business application. In addition to providing an important signal for your vulnerability prioritization, this approach also will help you gain executive buy-in by speaking the language of the business when discussing specific risks, their priority for remediation, and who owns fixing it. CVSS doesn’t incorporate any of this important context, which is why you can’t rely on CVSS alone to prioritize vulnerabilities.
Prioritization Approach #2: How likely is the threat?
Incorporating threat likelihood into vulnerability prioritization requires your organization to understand how a threat acts, its opportunity, and its context. Doing this is critical for CISOs and vulnerability teams to prioritize their remediation efforts and reduce the risk of successful attacks against the business.
According to Recorded Future, cyberthreat intelligence helps identify the vulnerabilities that pose an actual risk to your organization. This intelligence goes beyond CVSS scoring by combining internal vulnerability scanning data, external data, and additional context about threat actors’ tactics, techniques and procedures. These additions matter because effective vulnerability management means shifting from a “patch everything, all the time” approach — which is unrealistic — to prioritizing vulnerabilities based on actual risk.
The exploitability metrics of CVSS severity base scores also address attack ease based on attack vectors, complexity, necessary privileges, and user interaction. Additionally, context — including predictive models that incorporate discussions that have taken place about vulnerabilities against specific software configurations, vendor products, and when victims disclosed vulnerabilities — can indicate a potential likelihood of attack.
Even so, what CVSS provides isn’t enough. You still need to evaluate what this means for your business. How exploitable is the threat in your environment? CVSS scores don’t consider that.
Prioritization Approach #3: Do you have compensating controls in place?
Acknowledging any compensating controls that exist when prioritizing vulnerabilities is another way to ensure you remediate the greatest threats to the business first. Compensating controls are security measures put in place to prevent, detect and respond to potential exploits. After considering the inherent risk, these controls determine the residual risk of a vulnerability, which is determined by the asset’s business context and threat likelihood. To prioritize compensating controls, organizations should evaluate their effectiveness in mitigating vulnerability risks.
There are three primary types of compensating controls:
- Proactive controls
- Detection controls
- Reactive controls
Proactive controls are measures put in place to prevent exploitation of vulnerabilities, such as strong identity and access policies, multi-factor authentication, security training, and data security practices.
Detection controls involve logging capabilities, vendor signature updates, and personnel who review alerts to detect anomalies that could threaten critical business processes, sensitive data, or organizational objectives.
Reactive controls determine an organization’s ability to respond to a potential intrusion. To understand their reactive capacity and capability, vulnerability teams should evaluate the strengths and weaknesses of the organization’s SOC team, processes, playbooks and automation.
CVSS scores don’t account for your compensating controls. You might identify a critical vulnerability based solely on its CVSS score, but what if the vulnerable asset is behind a firewall and has strong access controls? In that case, for you, it is not a critical vulnerability. In the worst scenarios, assigning vulnerabilities like these as “critical” erodes trust with stakeholders over the long term because they start to see the security team as “the boy who cried wolf.”
For best results, combine multiple prioritization approaches
While many organizations commonly use CVSS to evaluate the severity of vulnerabilities, it’s important to remember CVSS is not the most accurate measure of risk for your business. These scores are general and cannot acknowledge your organization’s specific goals and strategies. That’s why strictly following CVSS scores can create misalignment with security objectives.
So, what should you do? All of the above. The best approach to prioritizing risk is to analyze vulnerabilities through a lens that combines the three approaches: asset business context, threat likelihood, and compensating controls. It’s best to incorporate these three approaches into a single risk score personalized for your business. While you can do that manually, it’s best to produce these scores programmatically for scale and consistency, which – in turn – creates trust between security teams and the IT and development teams they rely on to fix vulnerabilities.
To learn more, read how a Fortune 500 company elevated its vulnerability risk management conversations by using risk scores — not CVSS — as the basis for its new remediation strategy.
