The Details and the Dilemmas that the National Vulnerability Database Poses to Organizations

Dec 28, 2017

With breaches, hacks, and malware featured prominently across news headlines worldwide, organizations are pressed to find ways to defend their networks and the information that passes through them. While there are innumerable ways to find the vulnerabilities present across an organization's network, how are they supposed to determine which of those vulnerabilities require prioritized remediation? The real problem is not just understanding the severity of a vulnerability and validating whether the organization is actually exposed to it, but keeping up to date with the changing threat landscape and with vulnerability news as it develops. One commonly used source is the National Vulnerability Database (NVD).

What is the NVD?

The NVD is the NIST-maintained repository of collected and analyzed vulnerability management data. For each CVE it provides an overview of what the vulnerability does, which products and versions it affects, its Common Vulnerability Scoring System (CVSS) score, and references to advisories, solutions, and tools that assist in remediation. New vulnerabilities are published daily, giving organizations a comprehensive view of newly disclosed weaknesses, and the NVD dashboard summarizes the state of the database in an easy-to-read view. However, one element of that view points to a problem that both the NVD and the organizations consuming it face. Vulnerabilities are arriving faster and faster, but the underlying information and the ongoing analysis require quite a bit of modification as additional facts are uncovered: a CVSS score is assigned or revised after the initial analysis, affected product lists grow, and new references and fixes are attached. Because of this, over 60% of the CVEs listed have been modified since their initial publication. Using the CVE Status Count values in the image below, this percentage was calculated with the following equation: (Modified/Total) x 100 = Percentage Modified.


While the NVD offers organizations useful information regarding new and current vulnerabilities, organizations using the NVD as their primary source of vulnerability data may be overwhelmed and unable to keep up with the constant change. New vulnerabilities are published daily, and the most critical ones get attention, but thousands of others have quietly shifted in criticality or in their recommended remediation actions since they were first read.

With so many vulnerabilities in existence, how are organizations supposed to prioritize which to fix first? They could remediate based on CVSS score alone, but as time has shown, even vulnerabilities first published with a low score can become critical overnight, once analysis completes, exploit details surface, or the affected product list widens. A CVSS base score describes the intrinsic severity of a flaw at the time it was assessed, not whether it is being exploited, so an organization that sorted its backlog by last month's scores may be scrambling to fix a vulnerability when it is already too late.

Another key factor to note is vulnerability disclosure time latency. In this context, vulnerability disclosure time latency is the delay between a vendor disclosing a vulnerability and the NVD publishing an entry for it. During that window the vendor advisory is already public, yet a process keyed only to NVD publication will not see it, so relying solely on the NVD for vulnerability information leaves an organization more at risk than it needs to be.
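The three measurements the preceding paragraphs describe (the share of entries modified after publication, CVEs whose severity band moved between two reads of the feed, and the latency between a vendor advisory and NVD publication) can be computed directly from the NVD data feeds. The following is an added example, not RiskSense's code and not an NVD tool. It assumes the field layout of the NVD JSON 1.x feeds (a top-level `CVE_Items` list, `publishedDate` and `lastModifiedDate` timestamps, and `impact.baseMetricV3.cvssV3.baseScore`); the newer NVD API uses different field names. The two feed snapshots, the `CVE-1900-*` identifiers, and the vendor advisory dates are constructed for the example and do not correspond to real records.

```python
"""Track how NVD entries change between two reads of the feed (added example)."""
import json
from datetime import datetime, timezone

# NVD feed timestamps are minute-resolution UTC, e.g. "2017-12-28T15:29Z".
NVD_TS = "%Y-%m-%dT%H:%MZ"


def parse_ts(text):
    return datetime.strptime(text, NVD_TS).replace(tzinfo=timezone.utc)


def severity(score):
    """CVSS v3 qualitative rating bands; None means NVD has not scored the entry yet."""
    if score is None:
        return "unknown"
    if score == 0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def parse_feed(feed_text):
    """Reduce a JSON 1.x feed to the few fields prioritization needs, keyed by CVE ID."""
    items = {}
    for item in json.loads(feed_text)["CVE_Items"]:
        cve_id = item["cve"]["CVE_data_meta"]["ID"]
        # Entries still awaiting analysis carry an empty "impact" object and no score.
        v3 = item.get("impact", {}).get("baseMetricV3")
        items[cve_id] = {
            "published": parse_ts(item["publishedDate"]),
            "modified": parse_ts(item["lastModifiedDate"]),
            "score": v3["cvssV3"]["baseScore"] if v3 else None,
        }
    return items


def modified_share(items):
    """Fraction of entries touched after first publication (the page's Modified/Total)."""
    if not items:
        return 0.0
    changed = sum(1 for v in items.values() if v["modified"] > v["published"])
    return changed / len(items)


def severity_changes(before, after):
    """CVEs whose rating band moved between two snapshots; entries new to the feed are flagged too."""
    changes = []
    for cve_id, new in after.items():
        old = before.get(cve_id)
        old_band = severity(old["score"]) if old else "new"
        new_band = severity(new["score"])
        if old_band != new_band:
            changes.append((cve_id, old_band, new_band))
    return changes


def disclosure_latency_days(vendor_dates, items):
    """Days from the vendor's own advisory to NVD publishedDate (assumed vendor dates)."""
    return {cve_id: (items[cve_id]["published"] - parse_ts(advisory)).total_seconds() / 86400
            for cve_id, advisory in vendor_dates.items() if cve_id in items}


def _item(cve_id, published, modified, score=None):
    """Build one CVE_Items entry in the JSON 1.x shape (constructed data, not a real record)."""
    impact = {"baseMetricV3": {"cvssV3": {"baseScore": score}}} if score is not None else {}
    return {"cve": {"CVE_data_meta": {"ID": cve_id}}, "impact": impact,
            "publishedDate": published, "lastModifiedDate": modified}


# Constructed snapshots of the same feed taken two weeks apart.
SNAPSHOT_DAY0 = json.dumps({"CVE_Items": [
    _item("CVE-1900-0001", "2017-12-01T10:00Z", "2017-12-01T10:00Z", 3.7),
    _item("CVE-1900-0002", "2017-12-02T10:00Z", "2017-12-05T10:00Z", 9.8),
    _item("CVE-1900-0003", "2017-12-03T10:00Z", "2017-12-03T10:00Z"),  # not yet scored
]})
SNAPSHOT_DAY14 = json.dumps({"CVE_Items": [
    _item("CVE-1900-0001", "2017-12-01T10:00Z", "2017-12-20T09:00Z", 9.1),  # low -> critical
    _item("CVE-1900-0002", "2017-12-02T10:00Z", "2017-12-05T10:00Z", 9.8),
    _item("CVE-1900-0003", "2017-12-03T10:00Z", "2017-12-18T11:00Z", 5.3),  # analysis finished
    _item("CVE-1900-0004", "2017-12-27T15:29Z", "2017-12-27T15:29Z", 7.5),  # new this fortnight
]})
# Constructed vendor advisory dates; in practice these come from the vendor's own feed.
VENDOR_ADVISORY_DATES = {"CVE-1900-0001": "2017-11-24T10:00Z",
                         "CVE-1900-0004": "2017-12-27T15:29Z"}


def report(before_text, after_text, vendor_dates):
    before, after = parse_feed(before_text), parse_feed(after_text)
    return {"modified_share": modified_share(after),
            "severity_changes": severity_changes(before, after),
            "latency_days": disclosure_latency_days(vendor_dates, after)}


if __name__ == "__main__":
    print(json.dumps(report(SNAPSHOT_DAY0, SNAPSHOT_DAY14, VENDOR_ADVISORY_DATES), indent=2))
```

The comparison is keyed on the severity band rather than the raw score so that a re-scoring from 3.7 to 3.9 does not generate noise while a move across a band boundary does; an unscored entry that later receives a score is reported as a change for the same reason, since it was invisible to a score-sorted backlog until then.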

While the news and information provided by the NVD and others is useful, it lacks the local context that organizations need to move quickly and take the best action. As organizations continue to expand their IT landscape and shift toward new technologies and services, they need to customize the vulnerability and threat 'news' they use to make risk decisions. RiskSense bridges this gap for organizations through vulnerability prioritization, near real-time threat notification, and in-depth vulnerability analysis in the RiskSense Platform, which digests the most comprehensive vulnerability information available and provides constant clarity about what is relevant and urgent for complex organizations. The Platform consumes and correlates vulnerability scan data, threat feeds, passive threat analysis, and human intelligence to produce an automatically generated, comprehensive risk score known as the RiskSense Security Score (RS³). This score shows organizations which of their assets, hosts, and/or asset groups are at risk and provides prioritized vulnerabilities and remediation tactics, so organizations can optimize their remediation priorities.

