Why You Need to Stop Using CVSS for Vulnerability Prioritization

Most cybersecurity teams rely on the Common Vulnerability Scoring System (CVSS) to prioritize their vulnerability remediation efforts. But, they fail to realize that CVSS is an outdated, ineffective method that causes them to waste the majority of their valuable time on vulnerabilities that pose little to no risk. Here’s what to do instead.

For the past 20 years, security professionals have conducted scans of their business networks to find the vulnerabilities located throughout their IT infrastructures. The scans have been pretty effective at finding these vulns. But, the problem is they discover more vulnerabilities than they can actually handle – and new vulns are discovered more quickly than IT can remediate them. Since they know they’ll never be able to fix everything, the teams end up having to prioritize which vulns to remediate first.

CVSS is failing you

The most common method used for prioritizing remediation efforts is to employ the Common Vulnerability Scoring System (CVSS), an industry standard for assessing the severity of cybersecurity vulnerabilities. CVSS assigns a severity rating between zero and 10, with 10 being the most severe. The score is based on how easily the vulnerability can be exploited and the level of impact if a successful exploit were to occur.

This is all based on the fact that CVSS was never actually intended to be used for prioritization. Instead, it was developed simply to give a sense of each vuln’s severity. But, as organizations faced greater and greater numbers of vulns, they had the overwhelming need to prioritize. And, since there was nothing (at the time) to do that, they latched on to CVSS as at least something they could use. But, since it was never intended to be used in this way, the model doesn’t work particularly well for this purpose, and quickly falls apart.

A theoretical vs actual view of risk

The problem with using CVSS to prioritize remediation efforts stems from the fact that the CVSS base score is typically assigned within two weeks of the vulnerability being discovered – and almost never revisited following that initial assessment – and is therefore limited to a theoretical view of the risk a vulnerability could potentially introduce, rather than an understanding of the actual threat landscape. 

As a result, according to Tenable Research, 56% of all vulnerabilities are scored as High (CVSS score of 7.0–8.9) or Critical (CVSS score of 9.0–10.0), regardless of whether they are likely to ever be exploited. And, since more than 75% of all vulnerabilities with a score of 7 or above have never had an exploit published against them, security teams using CVSS to prioritize their efforts are wasting the majority of their time chasing after the wrong issues.

CVSS scores do not reflect the current threat landscape

Also, since CVSS base scores are static, the score remains exactly the same for years, regardless of changes in the threat landscape. That means that if a vulnerability was initially assigned a base score of 6.0, even if 90 days later it’s successfully exploited in the wild, and even becomes a prolifically exploited vulnerability that leads to billions of dollars in data exfiltration, the CVSS score will remain at the initial 6.0 score.

Conversely, vulnerabilities that receive a low CVSS score will be ignored by teams who are only looking at those with a CVSS score of 7 and above, potentially leaving dangerous vulnerabilities in their environment. In fact, according to Tenable Research, there are nearly as many vulnerabilities with exploit code available that have a CVSS base score between 4 and 6 as there are with a CVSS base score of 7 and above – yet, by policy, those using a CVSS 7+ strategy would ignore these lower-scored vulns, therefore missing many of the most critical vulnerabilities that pose the greatest risk to their business. Consider the example given above with the billions of dollars in data exfiltration. Since the vulnerability was assigned a CVSS base score of 6.0, few organizations would have ever even looked at that vulnerability to assess it for themselves, allowing themselves to fall prey to the cyberattacks that we’d only know in retrospect – after the damage is done. 

CVSS creates a false sense of security

The bottom line is, CVSS has been the industry standard for so long that many security professionals believe it’s the best, if not only, way to prioritize their vulnerability remediation efforts. But, considering the many downfalls of CVSS, it’s easy to see that CVSS is an outdated, ineffective method.

A better way: The need for risk-based vulnerability management

To be effective, security teams need to understand vulnerabilities in the context of business risk, and then use that data to prioritize their remediation efforts. By taking a risk-based approach to vulnerability management, security teams can focus on the vulnerabilities and assets that matter most, so they can address the organization’s true business risk instead of wasting their valuable time on vulnerabilities that have a low likelihood of being exploited. To truly understand the full context of each vulnerability, and therefore make the best decisions, security teams need to correlate the following security data:

• Dozens of essential characteristics of the vulnerability, including the age of the vuln, its potential for harm, the degree to which it’s exploitable and how frequently we’re seeing the threat
• An assessment of current and predicted future attacker activity
• Threat and exploit intelligence from multiple sources
• An assessment of how important the affected asset is to the organization

Of course, parsing through all this data can’t be accomplished by a human being – or even a team of human beings – so automating its correlation and analysis using machine learning algorithms is absolutely essential. Not only is machine learning more accurate, but within seconds, it can effectively deliver a vulnerability priority rating (VPR) for every one of the organization’s vulnerabilities based on the risk each poses to the business.

Taking a risk-based approach to vulnerability management is a far more effective solution because it enables security teams to focus on what matters most – so they can make the biggest impact on risk with the least amount of effort.

To learn more about how risk-based vulnerability management can help you focus your remediation efforts on the vulnerabilities and assets that matter most, visit: https://www.tenable.com/solutions/risk-based-vulnerability-management