The Limitations of Existing Methods of Vulnerability Prioritization
2. Limitations of Existing Methods of Prioritization
While methods like CVSS, EPSS, and KEV provide frameworks for vulnerability assessment, several limitations persist in existing vulnerability prioritization practices:
Narrow Focus on Software Vulnerabilities: Traditional methods primarily concentrate on software vulnerabilities (CVEs), neglecting broader environmental vulnerabilities such as missing or misconfigured agents, end-of-life systems, cloud misconfigurations, shadow IT, and more. Taking a broader view of vulnerabilities is required to improve an organization’s security posture.
Lack of Comprehensive Asset Understanding: Many organizations fail to account for all assets within their environments, especially those that are missing from monitoring tools. This oversight can lead to critical vulnerabilities being entirely missed and leave significant exposure.
Insufficient Contextual Awareness: Existing methods often do not consider the context surrounding individual assets, such as their security posture, existing mitigations, and operational significance. This context is essential for accurately assessing risk and prioritizing vulnerabilities.
Dependency on Manual Processes: Many organizations still rely on manual vulnerability prioritization processes. These processes are time-consuming and can result in inconsistencies and potential oversights, particularly in larger environments with extensive asset inventories.
CVE Aggregation Before Prioritization
Understanding the limitations of the existing scoring and vulnerability prioritization models, a number of Vulnerability Prioritization Technology (VPT) vendors have emerged to help organizations aggregate vulnerability data from different sources and integrate with outbound remediation processes.
However, many of these tools do not have full visibility into the assets in the environment, because they rely on data from the other sources. If a critical control (such as an EDR agent) is missing on an asset, or if a vulnerability scanner does not see a system at all, the aggregated view inherits that blind spot and can miss critical vulnerabilities.
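As an added example, not code from the original article or any VPT product: a reconciliation over constructed inventories from a CMDB, an EDR console and a vulnerability scanner that surfaces the environmental exposures listed above (missing agent, unscanned host, end-of-life system, shadow IT) alongside the scanner's CVE findings. All host names, the CVE identifier and the severity weights are constructed placeholders, and the weights are an assumed scoring convention.

```python
from dataclasses import dataclass

# Constructed sample inventories (placeholders, not real data).
CMDB = {"web-01", "web-02", "db-01", "eol-fs-01"}   # authoritative asset list
EDR_AGENTS = {"web-01", "db-01"}                      # hosts with a reporting EDR agent
SCANNER = {                                           # scanner findings per host
    "web-01": [("CVE-PLACEHOLDER-1", 9.8)],
    "db-01": [],
    "lab-07": [],                                     # seen by the scanner, not in CMDB
}
EOL = {"eol-fs-01"}                                   # hosts flagged end-of-life

# Assumed severity weights for environmental gaps (a local convention, not a standard).
GAP_WEIGHTS = {"missing_edr": 7.0, "unscanned": 8.0, "end_of_life": 8.5, "shadow_it": 6.0}


@dataclass
class Exposure:
    asset: str
    kind: str        # "cve" or one of the GAP_WEIGHTS keys
    detail: str
    severity: float


def reconcile(cmdb, edr, scanner, eol):
    """Return every exposure across known assets, highest severity first."""
    exposures = []
    # CVE findings from the scanner: the only thing a CVE-only pipeline sees.
    for host, findings in scanner.items():
        for cve, score in findings:
            exposures.append(Exposure(host, "cve", cve, score))
    # Environmental gaps that a scanner-fed aggregator inherits as blind spots.
    for host in sorted(cmdb):
        if host not in edr:
            exposures.append(Exposure(host, "missing_edr", "no EDR agent reporting",
                                      GAP_WEIGHTS["missing_edr"]))
        if host not in scanner:
            exposures.append(Exposure(host, "unscanned", "absent from scanner coverage",
                                      GAP_WEIGHTS["unscanned"]))
        if host in eol:
            exposures.append(Exposure(host, "end_of_life", "unsupported platform",
                                      GAP_WEIGHTS["end_of_life"]))
    # Hosts known to monitoring tools but missing from the CMDB: shadow IT candidates.
    for host in sorted((set(edr) | set(scanner)) - cmdb):
        exposures.append(Exposure(host, "shadow_it", "seen by tooling, not in CMDB",
                                  GAP_WEIGHTS["shadow_it"]))
    return sorted(exposures, key=lambda e: e.severity, reverse=True)


if __name__ == "__main__":
    for e in reconcile(CMDB, EDR_AGENTS, SCANNER, EOL):
        print(f"{e.severity:4.1f}  {e.asset:10s} {e.kind:12s} {e.detail}")
```

Feeding only SCANNER into a prioritization step would yield one finding; the reconciled view yields seven, six of which are gaps no CVE score describes.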