Written ‘by Vinoth Venkatesan.
We witnessed growth in the number of vulnerabilities, and in 2021 we noticed a surge in new vulnerabilities, and threat actors became better at weaponizing vulnerabilities every day. To survive the threat actors, timely and well-managed vulnerability prioritization and remediation are goals all organizations should aim to achieve.
The agency (CISA) frequently alerts the industry on the most exploited vulnerabilities and regularly updates them for everyone to consume. Even with these valuable data and resources, organizations usually stumble when deciding which exposure should be remediated first.
To help the industry and satisfy its needs, the agency worked with Carnegie Mellon University to promote the Stakeholder-Specific Vulnerability Categorization (SSVC) system.
Hope for the better vulnerability management
Below are the three pillars that need to come together for better vulnerability management.
- Automation – The Common Security Advisory Framework (CSAF) is a standardized format for ingesting vulnerability advisory information and simplifying triage and remediation processes for asset owners.
- Vulnerability Impact – This roots in vendors issuing a Vulnerability Exploitability eXchange (VEX) advisory indicating either their product or version of the product(s) impacted by the specific vulnerability or not in a machine-readable format.
- Remediation Priority – SSVC Calculator and the SSVC guide enables the users to input values and navigate through the SSVC tree model to the final decision for a vulnerability affecting their organization, thus helping the prioritization.
Organizations whose vulnerability categorization differs from CISA’s decision tree can leverage the other proposal from Carnegie Mellon University’s decision models.
Which one – CVSS or SSVC, or Both?
Everyone in the cybersecurity industry realizes that CVSS scores can’t be exclusively consumed to prioritize vulnerability remediation.
Context matters, and SSVC has done fantastic work enumerating all the factors that should be included in defining how to deal with vulnerabilities in any given environment. CISA’s work is encompassing and should be valued in pushing more relevant details to allow organizations to more effortlessly digest and implement vulnerability management policies that reflect the goals of the SSVC framework.
Carnegie Mellon University’s Software Engineering Institute also hosts SSVC code in its GitHub section. This will be a good source if you want to implement the decision tree in your environment.
About the Author:
Vinoth Venkatesan
Vinoth is a cybersecurity professional with over two decades of experience in Information Technology and Cybersecurity. He is an Australian Computer Society (ACS) Senior Certified Professional in Cybersecurity and holds various industry-leading cybersecurity credentials. Vinoth loves to write about the latest cybersecurity happenings and blockchain-related articles.