Optimizing Your Vulnerability and Exposure Management Strategy Part 3 of 7: Transcending CVEs and Leveraging Environmental Variables

Relying on CVE data alone leads to a distorted view of an asset's risk level, making it difficult to prioritize remediation efforts accurately. This also negatively impacts overall organizational risk, while the sheer volume of CVE data wastes time, money, and resources.

In blog two of this series, we explored the idea that vulnerability scanners are dead. While I wouldn’t be so cavalier as to say that CVEs are dead, when it comes to risk prioritization, they are largely obsolete when relied upon in a vacuum.

Does it matter how many CVEs you detect if the device has no controls to remediate them? A modern approach to vulnerability management must transcend the realm of CVEs and encompass exposures related to environmental vulnerabilities. These include gaps like missing endpoint controls, outdated or non-communicative controls, and misconfigurations.

Let's consider some environmental variables that complement CVEs. For example, is the CrowdStrike EDR installed or missing on a particular endpoint? Is the Automox patch management agent more than two versions behind, in violation of the accepted policy? When was the last time CrowdStrike or Automox communicated with their management consoles? Was it two hours, weeks, or months ago, or have they never communicated with the management consoles at all?

Correlating CVEs with environmental variables gives much greater insight into the actual risk of a particular asset. Start layering in identity information and application variables, and prioritization gets quite robust. However, there are even more layers for correlation that enhance the risk prioritization score, such as business context, which we’ll discuss further in the next blog.
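The correlation described above, as an added worked example that is not part of the original post: each asset's scanner findings are combined with the control gaps the post names (EDR missing, patch agent more than two versions behind, stale or absent console check-in), and the gaps scale the CVE-only score. The asset records, the weights, and the seven-day staleness threshold are constructed assumptions for illustration, not Sevco's scoring model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

@dataclass
class Asset:
    name: str
    cve_scores: List[float]            # CVSS base scores reported by the scanner
    edr_installed: bool                # CrowdStrike agent present?
    patch_agent_versions_behind: int   # Automox agent drift, 0 = current
    last_checkin: Optional[datetime]   # last console contact, None = never

# Constructed reference time and policy values (assumptions for this example)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
MAX_VERSIONS_BEHIND = 2          # policy from the post: no more than two versions behind
STALE_AFTER = timedelta(days=7)  # assumed threshold for a "stale" check-in

def control_gaps(asset: Asset, now: datetime = NOW) -> List[str]:
    """Return the environmental gaps that undermine remediation on this asset."""
    gaps = []
    if not asset.edr_installed:
        gaps.append("edr_missing")
    if asset.patch_agent_versions_behind > MAX_VERSIONS_BEHIND:
        gaps.append("patch_agent_outdated")
    if asset.last_checkin is None:
        gaps.append("never_checked_in")
    elif now - asset.last_checkin > STALE_AFTER:
        gaps.append("stale_checkin")
    return gaps

def risk_score(asset: Asset, now: datetime = NOW) -> Tuple[float, List[str]]:
    """CVE-only score (worst CVSS plus a small volume term, capped at 10),
    then multiplied by 1.5x per control gap: findings on an asset that cannot
    detect or patch them carry more risk than the CVE count alone suggests."""
    cve_only = min(10.0, max(asset.cve_scores, default=0.0) + 0.1 * len(asset.cve_scores))
    gaps = control_gaps(asset, now)
    return round(cve_only * (1.0 + 0.5 * len(gaps)), 1), gaps

def prioritize(assets: List[Asset], now: datetime = NOW) -> List[Asset]:
    """Order assets for remediation, highest correlated risk first."""
    return sorted(assets, key=lambda a: risk_score(a, now)[0], reverse=True)

# Constructed sample inventory: more CVEs on db-01, but kiosk-07 has no working controls
SAMPLE = [
    Asset("db-01", [9.8, 7.5, 5.3], True, 0, NOW - timedelta(hours=2)),
    Asset("kiosk-07", [6.5], False, 3, None),
]

if __name__ == "__main__":
    for a in prioritize(SAMPLE):
        print(a.name, risk_score(a))
```

Run as written, kiosk-07 outranks db-01 even though db-01 carries more and higher-scored CVEs, which is the point the post makes about environmental context.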

Book a demo and see for yourself https://www.sevcosecurity.com/book-a-demo/
