Relying on CVE data alone as the foundation of a vulnerability and exposure management strategy gives an incomplete view of exposure, which makes it difficult to prioritize remediation accurately. That raises overall organizational risk, while the sheer volume of CVE data consumes time, money, and staff.
In blog two of this series on vulnerability and exposure management, we explored the idea that vulnerability scanners are dead. While I wouldn’t be so cavalier as to say that CVEs are dead, when it comes to risk prioritization, they are largely obsolete when relied upon in a vacuum.
Does it matter how many CVEs you detect on a device if that device has no controls that could remediate them? A modern approach to vulnerability and exposure management must go beyond CVEs to cover environmental exposures: gaps such as missing endpoint controls, outdated or non-communicative controls, misconfigurations, end-of-life systems, and shadow IT.
Consider some environmental variables that complement CVEs. Is the CrowdStrike EDR agent installed on a particular endpoint, or missing? Is the Automox patch management agent more than two versions behind, the most the policy allows? When did CrowdStrike or Automox last communicate with their management consoles: two hours ago, two weeks, two months, or never?
Correlating CVEs with environmental variables gives security teams much greater insight into the actual risk of a particular asset and broadens the scope of vulnerability and exposure management. Start layering in identity information and application variables, and prioritization gets quite robust. However, there are even more layers for correlation that enhance the risk prioritization score, such as business context, which we’ll discuss further in the next blog.
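The correlation described above, as an added example that is not code from the original post or from Sevco: it joins three constructed exports (a vulnerability scanner, an EDR console, and a patch-management console) by hostname, checks each host for the questions asked earlier (control missing, never checked in, stale check-in, agent too many versions behind), and ranks hosts by a score that adds a weight per gap on top of the highest CVSS seen. The hostnames, check-in times, version strings, the seven-day staleness threshold, the two-versions-behind limit, and the gap weights are all hypothetical values chosen for illustration.

```python
from datetime import datetime, timedelta, timezone

# Fixed reference time so the staleness checks are reproducible.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# Policy thresholds (hypothetical values, not from the original post).
STALE_AFTER = timedelta(days=7)   # no check-in for a week = non-communicative control
MAX_VERSIONS_BEHIND = 2           # patch agent may lag the newest release by at most two versions
RELEASES = ["1.40", "1.41", "1.42", "1.43", "1.44"]  # constructed agent releases, oldest first

# Constructed exports from three sources, keyed by hostname.
SCANNER = {  # vulnerability scanner: CVE count and highest CVSS seen on the host
    "web-01": {"cve_count": 12, "max_cvss": 9.8},
    "db-01":  {"cve_count": 3,  "max_cvss": 8.1},
    "lab-07": {"cve_count": 1,  "max_cvss": 5.3},
    "hr-22":  {"cve_count": 0,  "max_cvss": 0.0},
}
EDR = {  # EDR console: last check-in; None = enrolled but never communicated
    "web-01": NOW - timedelta(hours=2),
    "db-01":  None,
    "hr-22":  NOW - timedelta(days=1),
    "fin-03": NOW - timedelta(days=40),
}
PATCH = {  # patch-management console: agent version and last check-in
    "web-01": {"version": "1.44", "last_seen": NOW - timedelta(hours=1)},
    "db-01":  {"version": "1.40", "last_seen": NOW - timedelta(days=2)},
    "hr-22":  {"version": "1.43", "last_seen": NOW - timedelta(days=14)},
    "fin-03": {"version": "1.44", "last_seen": NOW - timedelta(days=40)},
}

# Weight each environmental gap adds on top of the CVE-derived score (hypothetical weights).
WEIGHTS = {
    "edr_missing": 4.0, "edr_never_seen": 3.0, "edr_stale": 2.0,
    "patch_missing": 4.0, "patch_stale": 2.0, "patch_outdated": 1.5,
    "not_scanned": 2.0,
}


def staleness(last_seen, now):
    """Classify a control's last check-in as 'never', 'stale' or 'ok'."""
    if last_seen is None:
        return "never"
    return "stale" if now - last_seen > STALE_AFTER else "ok"


def versions_behind(version):
    """Releases the agent lags the newest one; an unknown version counts as fully behind."""
    if version not in RELEASES:
        return len(RELEASES)
    return len(RELEASES) - 1 - RELEASES.index(version)


def evaluate(host, scanner=SCANNER, edr=EDR, patch=PATCH, now=NOW):
    """Join the three sources for one host; return its gaps and a prioritization score."""
    gaps = []
    vuln = scanner.get(host)
    if vuln is None:
        gaps.append("not_scanned")      # known to a console but never scanned: a coverage gap
        base = 0.0
    else:
        base = vuln["max_cvss"]

    if host not in edr:
        gaps.append("edr_missing")      # no EDR enrollment at all
    else:
        state = staleness(edr[host], now)
        if state != "ok":
            gaps.append("edr_never_seen" if state == "never" else "edr_stale")

    agent = patch.get(host)
    if agent is None:
        gaps.append("patch_missing")    # nothing on the host can deliver a fix
    else:
        if staleness(agent["last_seen"], now) != "ok":
            gaps.append("patch_stale")
        if versions_behind(agent["version"]) > MAX_VERSIONS_BEHIND:
            gaps.append("patch_outdated")

    score = base + sum(WEIGHTS[g] for g in gaps)
    return {"host": host, "cve_count": vuln["cve_count"] if vuln else None,
            "max_cvss": base, "gaps": gaps, "score": round(score, 1)}


def prioritize(scanner=SCANNER, edr=EDR, patch=PATCH, now=NOW):
    """Evaluate every host seen by any source and rank by score, highest first."""
    hosts = set(scanner) | set(edr) | set(patch)   # union, so shadow IT is not dropped by a join
    return sorted((evaluate(h, scanner, edr, patch, now) for h in hosts),
                  key=lambda r: (-r["score"], r["host"]))


if __name__ == "__main__":
    for row in prioritize():
        print(f"{row['host']:<8} score={row['score']:<5} cvss={row['max_cvss']:<4} gaps={row['gaps']}")
```

With this data the host carrying the 9.8 CVSS finding (web-01) ranks third, because both of its controls are present and checking in; lab-07, with a single medium CVE but no EDR and no patch agent, ranks first, and the ranking includes fin-03, which no scanner has ever touched. Taking the union of hostnames rather than an inner join is the detail that surfaces that last case.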
Book a demo and see for yourself https://www.sevcosecurity.com/book-a-demo/