December 8, 2023 By Drew Roy 5 min read

With over 20,000 Common Vulnerabilities and Exposures (CVEs) being published each year1, the challenge of finding and fixing software with known vulnerabilities continues to stretch vulnerability management teams thin. These teams are given the impossible task of driving down risk by patching software across their organization, with the hope that their efforts will help to prevent a cybersecurity breach. Because it is impossible to patch all systems, most teams focus on remediating vulnerabilities that score highly in the Common Vulnerability Scoring System (CVSS)—a standardized and repeatable scoring system that ranks reported vulnerabilities from most to least critical.  

However, how do these organizations know that focusing on software with the highest scoring CVEs is the right approach? While it’s nice to be able to report to executives about the number or percentage of critical severity CVEs that have been patched, does that metric actually tell us anything about the improved resiliency of their organization? Does reducing the number of critical CVEs significantly reduce the risk of a breach? The answer is that, in theory, the organization is reducing the risk of a breach—but, in practice, it’s impossible to know for sure.  

CISA Known Exploited Vulnerabilities to strengthen cybersecurity resilience 

The Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) program was formed as a result of the desire to shift efforts away from focusing on theoretical risk and toward reducing breaches. CISA strongly advises that organizations should regularly review and monitor the Known Exploited Vulnerabilities catalog and prioritize remediation.2 By maintaining an updated list, CISA aims to provide an “authoritative source of vulnerabilities that have been exploited in the wild” and empower organizations to mitigate potential risks effectively in order to stay one step ahead in the battle against cyberattacks. 

CISA has managed to find needles in a haystack by narrowing the list of CVEs that security teams should focus on remediating, down from tens-of-thousands to just over 1,000 by focusing on vulnerabilities that:  

  • Have been assigned a CVE ID
  • Have been actively exploited in the wild
  • Have a clear remediation action, such as a vendor-provided update

This reduction in scope allows overwhelmed vulnerability management teams to deeply evaluate software running in their environment that has been reported to contain actively exploitable vulnerabilities because they are proven attack vectors—and therefore, the most likely sources of a breach.  

Shifting from traditional vulnerability management to risk prioritization 

With a smaller list of vulnerabilities from CISA KEV driving their workflows, it has been observed that security teams are spending less time on patching software (a laborious and low-value activity) and more time understanding their organization’s resiliency against these proven attack vectors. In fact, many vulnerability management teams have swapped patching for testing to determine if:  

  • These vulnerabilities from CISA KEV can be exploited in software in their environment.
  • The compensating controls they have put in place are effective at detecting and blocking breaches. This allows teams to understand the real risk facing their organization while simultaneously assessing if the investments they have made in security defense solutions are worthwhile. 

This shift toward testing the exploitability of vulnerabilities from the CISA KEV catalog is a sign that organizations are maturing from traditional vulnerability management programs into Continuous Threat Exposure Management (CTEM)—a term coined by Gartner—programs which “surface and actively prioritize whatever most threatens your business.” This focus on validated risk instead of theoretical risk means that teams are acquiring new skills and new solutions to help support the execution of exploits across their organization.   

The importance of ASM in gathering continuous vulnerability intelligence   

An attack surface management (ASM) solution provides a comprehensive view of an organization’s attack surface and helps you clarify your cyber risk with continuous asset discovery and risk prioritization. 

Continuous testing, a key pillar of CTEM, states that programs must “validate how attacks might work and how systems might react” with a goal of ensuring that security resources are focusing their time and energy on the threats that matter most. In fact, Gartner asserts that “organizations that prioritize based on a continuous threat exposure management program will be three times less likely to suffer a breach.”3 

Maturing our cybersecurity defense mindset to CTEM programs represents a significant improvement over traditional vulnerability management programs because it gets defenders tackling the issues that are most likely to lead to a breach. And stopping breaches should be the goal because the average cost of a breach keeps rising. The costs increased by 15% over the last three years to USD 4.45 million according to the Cost of a Data Breach report by IBM. So, as qualified resources continue to be hard to find and security budgets become tighter, consider giving your teams a narrower focus, such as vulnerabilities in the CISA KEV, and then arm them with tools to validate exploitability and assess the resiliency of your cybersecurity defenses. 

Verifying exploitable vulnerabilities with the IBM Security Randori 

IBM Security® Randori is an attack surface management solution that is designed to uncover your external exposures through the lens of an adversary. It performs continuous vulnerability validation across an organization’s external attack surface and reports on any vulnerabilities that can be exploited.

Figure 1. Randori’s risk-based priority algorithm helps prioritize top targets and shares adversarial insights you need to determine impact and risk 

In December 2019, Armellini Logistics was the target of a sophisticated ransomware attack. While the company quickly and successfully recovered from the attack, it was determined to adopt a more proactive approach to prevention moving forward. With Randori Recon, Armellini has been able to gain deeper visibility into external risk and ensure that the company’s asset and vulnerability management systems are updated as new cloud and SaaS applications come online. Increasingly, Armellini has been using Randori Recon’s target temptation analysis to triage and prioritize which vulnerabilities to patch. With this insight, the Armellini team has helped to reduce the company’s risk without impacting business operations. 

Figure 2: Randori helps confirm whether CVEs exist on your external attack surface and are exploitable 

The vulnerability validation feature goes beyond typical vulnerability management tools and programs by verifying the exploitability of a CVE, such as CVE-2023-7992, a zero-day vulnerability in Zyxel NAS devices that was discovered and reported by the IBM X-Force Applied Research team. This verification helps reduce noise and allows customers to act on real—not theoretical—risks and determine if mitigation or remediation efforts were successful by re-testing.  

Get started with IBM Security Randori 

You can get a free, 7-day trial of IBM Security Randori, or request a live demo to review your attack surface.

Learn more about IBM Security Randori Recon 

1 Published CVE Records.

2 Known Exploited Vulnerabilities Catalog.

3 Panetta, Kasey (2023, August 21), How to Manage Cybersecurity Threats, Not Episodes.

Was this article helpful?

More from Security

Data protection strategy: Key components and best practices

8 min read - Virtually every organization recognizes the power of data to enhance customer and employee experiences and drive better business decisions. Yet, as data becomes more valuable, it's also becoming harder to protect. Companies continue to create more attack surfaces with hybrid models, scattering critical data across cloud, third-party and on-premises locations, while threat actors constantly devise new and creative ways to exploit vulnerabilities. In response, many organizations are focusing more on data protection, only to find a lack of formal guidelines and…

What you need to know about the CCPA draft rules on AI and automated decision-making technology

9 min read - In November 2023, the California Privacy Protection Agency (CPPA) released a set of draft regulations on the use of artificial intelligence (AI) and automated decision-making technology (ADMT). The proposed rules are still in development, but organizations may want to pay close attention to their evolution. Because the state is home to many of the world's biggest technology companies, any AI regulations that California adopts could have an impact far beyond its borders.  Furthermore, a California appeals court recently ruled that…

Enhance your data security posture with a no-code approach to application-level encryption

4 min read - Data is the lifeblood of every organization. As your organization’s data footprint expands across the clouds and between your own business lines to drive value, it is essential to secure data at all stages of the cloud adoption and throughout the data lifecycle. While there are different mechanisms available to encrypt data throughout its lifecycle (in transit, at rest and in use), application-level encryption (ALE) provides an additional layer of protection by encrypting data at its source. ALE can enhance…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters