The Limitations of Existing Methods of Prioritization

2. Limitations of Existing Methods of Prioritization

While methods like CVSS, EPSS, and KEV provide frameworks for vulnerability assessment, several limitations persist in existing prioritization practices:

Narrow Focus on Software Vulnerabilities: Traditional methods primarily concentrate on software vulnerabilities, neglecting broader environmental vulnerabilities that can affect an organization’s security posture.

Lack of Comprehensive Asset Understanding: Many organizations fail to account for all assets within their environments, especially those that lack monitoring tools. This oversight can lead to critical vulnerabilities being entirely ignored.

Insufficient Contextual Awareness: Existing methods often do not consider the context surrounding individual assets, such as their security posture, existing mitigations, and operational significance. This context is essential for accurately assessing risk.

Dependency on Manual Processes: Many organizations still rely on manual prioritization processes, resulting in inconsistencies and potential oversights, particularly in larger environments with extensive asset inventories.

CVE Aggregation Before Prioritization

Recognizing the limitations of the existing scoring and prioritization models, a number of Vulnerability Prioritization Technology (VPT) vendors have emerged to help organizations aggregate vulnerability data from different sources and integrate with outbound remediation processes. However, many of these tools lack full visibility into the assets in the environment, because they rely entirely on data supplied by those other sources. If a critical control (such as an EDR agent) is missing on an asset, or if a vulnerability scanner never sees a system, these tools can miss critical vulnerabilities.
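The two gaps described above, a host the scanner never reaches and an asset with no compensating control, can be surfaced before any scoring happens by reconciling the inventory sources against each other. The following is an added example, not code from the article or from any VPT vendor; the hosts, placeholder CVE ids, scores and weighting factors are all constructed for illustration.

```python
"""Added example: reconcile asset inventory against scanner/EDR coverage,
then rank findings using CVSS, EPSS, KEV and asset context (constructed data)."""

# Constructed asset inventory: which data source has seen each host.
INVENTORY = {
    "web-01":    {"cmdb", "edr", "scanner"},
    "db-02":     {"cmdb", "edr", "scanner"},
    "legacy-03": {"cmdb", "scanner"},   # no EDR agent installed
    "build-04":  {"cmdb", "edr"},       # never reached by the scanner
}

# Constructed findings: (asset, placeholder CVE id, CVSS, EPSS, in CISA KEV)
FINDINGS = [
    ("web-01",    "CVE-PLACEHOLDER-1", 9.8, 0.02, False),
    ("legacy-03", "CVE-PLACEHOLDER-2", 7.5, 0.40, True),
    ("db-02",     "CVE-PLACEHOLDER-3", 5.3, 0.01, False),
]

def coverage_gaps(inventory):
    """Hosts in the CMDB that the scanner or EDR has not seen.
    A scanner-blind host yields no findings, so a score-only workflow never
    ranks it; a host without EDR has no compensating detection control."""
    return {
        asset: sorted({"scanner", "edr"} - sources)
        for asset, sources in inventory.items()
        if {"scanner", "edr"} - sources
    }

def risk_score(cvss, epss, in_kev, has_edr):
    """Blend severity (CVSS), exploit likelihood (EPSS), known exploitation
    (KEV) and one piece of asset context (is an EDR agent present?).
    The weights are illustrative assumptions, not a published standard."""
    score = cvss * (0.5 + epss)   # EPSS shifts the base by 0.5x..1.5x
    if in_kev:
        score *= 1.5              # actively exploited in the wild
    if not has_edr:
        score *= 1.25             # no detection/response control on the host
    return round(score, 2)

def prioritize(findings, inventory):
    """Return findings ranked highest-risk first, with asset context applied."""
    ranked = []
    for asset, cve, cvss, epss, in_kev in findings:
        has_edr = "edr" in inventory.get(asset, set())
        ranked.append((risk_score(cvss, epss, in_kev, has_edr), asset, cve))
    return sorted(ranked, reverse=True)
```

With these constructed inputs, a CVSS-only view would put web-01 (9.8) first, while the context-aware ranking puts the unmonitored, actively exploited legacy-03 finding ahead of it, and build-04 is reported as a coverage gap even though no scanner finding exists for it at all.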