The patching paradox: vulnerability scoring leads to slower high-risk remediation

Opinion by Davey Winder

Companies focused on compliance tended to struggle to patch all high-risk vulnerabilities across their organisation and tended to be slower in patching high-risk vulnerabilities. Those performing better used....

Organisations with mature and well-funded vulnerability management programmes unsurprisingly tend to patch vulnerabilities quicker than those without. Perhaps more surprising, though, a new report from Kenna Security also found that this didn't equate to patching the riskiest of vulnerabilities first.

Indeed, volume four of Kenna’s Prioritization to Prediction report series, produced in conjunction with the Cyentia Institute, found that bigger budgets do not necessarily translate into better vulnerability remediation capacity.

"Companies that used the Common Vulnerability Scoring System (CVSS) to prioritise vulnerabilities for remediation tended to be slower in patching high-risk vulnerabilities," the report states, continuing "the companies focused on compliance tended to struggle to patch all high-risk vulnerabilities across their organisation."

Ed Bellis, CTO at Kenna Security, says that those companies orienting patch programmes around real-world threat information perform better than those that don't. "The report also shows that compliance-based prioritisation and CVSS standards for threat scoring negatively impact the ability to identify and patch the threats that matter most," Bellis concludes.

SC Media UK spoke to Sean Wright, security researcher and Open Web Application Security Project (OWASP) Scotland chapter leader, to ask just how enterprises can solve the patching paradox and ensure that the riskiest vulnerabilities are patched first and patched properly.

"One thing which organisations do when it comes to CVSS is focus too much on the overall score as a means of assessing the risk which it poses to them," Wright told SC Media. "Take Heartbleed, for example: it only scored a Medium (5.0). Yet this vulnerability posed a significant risk to many organisations."

Wright thinks that businesses should be drawing on the CVSS vector to form a better judgement of the real-world risk a vulnerability presents, and of how it would affect their enterprise. He concedes that each vulnerability will present a different level of risk to different organisations, which muddies the waters somewhat.

If your organisation still wants to use the overall CVSS score, the recommendation is to put the NIST CVSS calculator to work, but to use it to adjust the Environmental metrics so that the score reflects the risk the vulnerability poses to your specific enterprise, rather than relying on the overall score alone. That confirms the Kenna Security view that real-world threat information is essential to solving the patching paradox.

"I know some are against CVSS, and I get some of their arguments," Wright told SC Media UK, "but it's the best thing we have at the moment, and the value the CVSS vector provides is enormous."

This, Wright went on to explain, means the vector gives those trying to gauge the level of risk the information they need to do so: questions such as 'is this vulnerability accessible from the network?', 'what impact does a successful exploit of this vulnerability entail?' and 'is authentication required?'
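As an added worked example (not from the article, nor from Kenna Security or Cyentia), the following CVSS v2 calculator scores the base vector NVD published for Heartbleed (AV:N/AC:L/Au:N/C:P/I:N/A:N) and then applies Environmental metrics for two hypothetical organisations, showing how the same headline "Medium 5.0" becomes High for one and Low for the other. The metric weights and formulas are the published CVSS v2.0 constants; the two organisations' requirement and exposure settings are constructed for illustration.

```python
import math

# Metric weights from the CVSS v2.0 specification (the version that gave
# Heartbleed its 5.0). These are the published constants, not assumptions.
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}
REQ = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}
BASE = {"AV": {"L": 0.395, "A": 0.646, "N": 1.0},
        "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
        "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
        "C": CIA, "I": CIA, "A": CIA}
TEMPORAL = {"E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},
            "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},
            "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}}
ENV = {"CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},
       "TD": {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},
       "CR": REQ, "IR": REQ, "AR": REQ}
TABLES = {**BASE, **TEMPORAL, **ENV}

def round1(x):
    """CVSS v2 round_to_1_decimal: .x5 always rounds up (Python's round() does not)."""
    return math.floor(x * 10 + 0.5) / 10

def parse_vector(vector):
    """'AV:N/AC:L/...' -> {'AV': 'N', ...}; all six base metrics are mandatory."""
    metrics = dict(part.split(":", 1) for part in vector.split("/"))
    for name, value in metrics.items():
        if value not in TABLES.get(name, {}):
            raise ValueError(f"unknown metric or value {name}:{value}")
    if missing := set(BASE) - set(metrics):
        raise ValueError(f"missing base metrics {sorted(missing)}")
    return metrics

def severity(s):
    """NVD's v2 bands: Low 0-3.9, Medium 4.0-6.9, High 7.0-10."""
    return "Low" if s < 4.0 else "Medium" if s < 7.0 else "High"

def score(vector):
    """Return base and environmental scores; absent temporal/env metrics mean ND."""
    m = parse_vector(vector)
    w = lambda k: TABLES[k][m.get(k, "ND")]
    expl = 20 * w("AV") * w("AC") * w("Au")
    def base_from(impact):
        return round1((0.6 * impact + 0.4 * expl - 1.5) * (1.176 if impact else 0))
    # Base impact is organisation-agnostic; the adjusted impact scales each of
    # C/I/A by how much *this* organisation depends on it (CR/IR/AR).
    impact = 10.41 * (1 - (1 - w("C")) * (1 - w("I")) * (1 - w("A")))
    adj = min(10.0, 10.41 * (1 - (1 - w("C") * w("CR")) * (1 - w("I") * w("IR"))
                             * (1 - w("A") * w("AR"))))
    adj_temporal = round1(base_from(adj) * w("E") * w("RL") * w("RC"))
    env = round1((adj_temporal + (10 - adj_temporal) * w("CDP")) * w("TD"))
    return {"base": base_from(impact), "environmental": env}
```

For the Heartbleed vector the base score is 5.0 either way; adding `E:H/RL:OF/RC:C/CDP:H/TD:H/CR:H` (a confidentiality-critical, fully exposed estate) yields an environmental score of 7.6 (High), while `CDP:N/TD:L/CR:L` (few affected hosts, little confidential data) yields 1.0 (Low).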
