By: Orika Orrie & Regan van Heerden
In cybersecurity, assessing vulnerabilities accurately is crucial for risk management. However, as researchers Ankur Sand and Syed Islam from JPMorganChase highlighted in their Black Hat Europe 2024 talk, "The CVSS Deception: How We've Been Misled on Vulnerability Severity," relying solely on CVSS scores can be misleading.
The Limitations of CVSS Scores
CVSS (Common Vulnerability Scoring System) produces a 0 to 10 severity score from exploitability metrics (attack vector, attack complexity, privileges required, user interaction) and impact metrics (confidentiality, integrity, availability). While useful as a baseline, it has several key shortcomings:
- Symmetric Impact Metrics: CVSS weights confidentiality, integrity, and availability identically, so a vulnerability that exposes data scores exactly the same as one that only takes a service offline, even though one of those outcomes may matter far more to a given organization.
- Lack of Context: A base score knows nothing about the real-world environment, the security controls in place, or how important the affected asset is, so on its own it is a poor signal for prioritization.
- Aggregated Impact Scores: The three impact metrics are folded into a single number, so a remotely exploitable, unauthenticated vulnerability with high confidentiality impact and no integrity or availability impact (scope unchanged) scores 7.5 (High), and drops to 6.5 (Medium) as soon as any low-privilege account is required, even though the potential harm, a complete data exfiltration, is severe.
- No Real-Time Insights: The base score, which is the number almost everyone consumes, is static. The Temporal/Threat and Environmental metric groups that could capture active exploitation, available mitigations, or environmental adjustments are rarely populated, so those factors never reach the prioritization decision.
Enhancing Risk Assessment Beyond CVSS
To improve vulnerability management, organizations should incorporate additional risk factors:
- Threat Intelligence: Identifying whether a vulnerability is actively exploited in the wild helps prioritize remediation efforts.
- Asset Criticality: The impact of a vulnerability depends on the importance of the affected system within the organization.
- Compensating Controls: Security measures in place may mitigate certain risks, reducing the urgency of remediation.
HTCD’s Approach to Smarter Prioritization
While CVSS provides a useful starting point, HTCD enhances risk assessment by integrating additional insights and prioritization methodologies tailored to each organization’s needs. Our approach includes:
Impact and Exposure Scoring
Before prioritizing vulnerabilities, we assign each finding type (a vulnerability or a misconfiguration) an impact score derived from its severity level. We then compute the finding type's exposure by summing severity scores across every resource it affects, so a medium-severity misconfiguration present on hundreds of resources is not hidden behind a single critical finding on one host.
Data-Driven Prioritization
We aggregate additional datasets, including:
- The spread of finding types across multiple cloud environments
- The age of findings on different resources
- External threat intelligence, such as EPSS scores and exploit activity
- Compliance relevance, ensuring findings align with regulatory requirements
AI-Powered Ranking
We leverage a multi-stage LLM system to generate a ranked list of critical findings, using a merge-sort algorithm over the model's pairwise comparisons. Findings are therefore ordered by their real-world impact rather than by a static score.
Adaptive Scoring Refinement
Once prioritization is complete, we recalibrate impact and exposure scores to reflect updated severity assessments, ensuring alignment with the latest risk insights.
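The factors listed under "Enhancing Risk Assessment Beyond CVSS" and the impact, exposure, spread, age and threat-intelligence data described above can be combined in a small ranking pipeline. The following Python is an illustrative example written for this article, not HTCD's implementation: the `Finding` record, the severity weights, the ordering of factors in `risk_key`, and the sample findings with their hypothetical identifiers and resource names are all assumptions. The LLM ranking stage is represented by the pairwise comparator passed to `merge_sort`; here it is a deterministic function so the example runs offline.

```python
from collections import defaultdict
from dataclasses import dataclass

# Ordinal weight per scanner severity band (an assumed mapping).
SEVERITY_WEIGHT = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


@dataclass(frozen=True)
class Finding:
    finding_type: str       # vulnerability or misconfiguration identifier (hypothetical ids below)
    resource: str           # affected cloud resource
    account: str            # cloud account / environment the resource lives in
    severity: str           # scanner severity band for this finding type
    epss: float             # EPSS probability of exploitation within 30 days (0..1)
    exploited: bool         # known exploitation in the wild (e.g. a CISA KEV listing)
    asset_criticality: int  # 1 (lab) .. 5 (crown jewel), set by the organization
    age_days: int           # how long the finding has been open on this resource
    mitigated: bool         # a compensating control already covers this resource


def impact_by_type(findings):
    """Impact score per finding type: the severity weight, identical for every instance."""
    return {f.finding_type: SEVERITY_WEIGHT[f.severity] for f in findings}


def exposure_by_type(findings):
    """Exposure per finding type: severity weight summed over every affected resource."""
    exposure = defaultdict(int)
    for f in findings:
        exposure[f.finding_type] += SEVERITY_WEIGHT[f.severity]
    return dict(exposure)


def spread_by_type(findings):
    """Number of distinct cloud accounts each finding type appears in."""
    accounts = defaultdict(set)
    for f in findings:
        accounts[f.finding_type].add(f.account)
    return {t: len(a) for t, a in accounts.items()}


def risk_key(f, exposure, spread):
    """Ranking key; a larger tuple ranks earlier. The order of factors is an assumed
    policy: confirmed exploitation first, then likelihood (EPSS, halved when a
    compensating control applies) scaled by asset criticality, then exposure,
    spread across accounts, and finally age."""
    likelihood = f.epss * (0.5 if f.mitigated else 1.0)
    return (
        f.exploited and not f.mitigated,
        round(likelihood * f.asset_criticality, 4),
        exposure[f.finding_type],
        spread[f.finding_type],
        f.age_days,
    )


def merge_sort(items, prefer):
    """Stable merge sort driven only by a pairwise comparator prefer(a, b) -> bool
    (True when a should rank above b). That comparator is the slot a pairwise LLM
    judgement would occupy; here it is deterministic. Ties keep input order."""
    if len(items) <= 1:
        return list(items)
    mid = len(items) // 2
    left = merge_sort(items[:mid], prefer)
    right = merge_sort(items[mid:], prefer)
    merged, i, j = [], 0, 0
    while i < len(left) and j < len(right):
        if prefer(right[j], left[i]):
            merged.append(right[j])
            j += 1
        else:
            merged.append(left[i])
            i += 1
    merged.extend(left[i:])
    merged.extend(right[j:])
    return merged


def prioritize(findings):
    """Rank findings from most to least urgent using the aggregated data sets."""
    exposure = exposure_by_type(findings)
    spread = spread_by_type(findings)
    keys = {f: risk_key(f, exposure, spread) for f in findings}
    return merge_sort(list(findings), lambda a, b: keys[a] > keys[b])


# Constructed sample findings (hypothetical identifiers and resource names).
SAMPLE = [
    Finding("VULN-1", "api-gw", "prod", "HIGH", 0.02, False, 5, 30, False),
    Finding("VULN-2", "db-primary", "prod", "CRITICAL", 0.60, True, 5, 3, False),
    Finding("VULN-2", "db-replica", "prod", "CRITICAL", 0.60, True, 4, 3, False),
    Finding("VULN-3", "build-runner", "dev", "CRITICAL", 0.90, True, 1, 60, True),
    Finding("MISCONF-1", "bucket-a", "prod", "MEDIUM", 0.0, False, 3, 120, False),
    Finding("MISCONF-1", "bucket-b", "staging", "MEDIUM", 0.0, False, 2, 120, False),
]

if __name__ == "__main__":
    for rank, f in enumerate(prioritize(SAMPLE), 1):
        print(rank, f.finding_type, f.resource, f.severity)
```

Two design points carry over to a real LLM-backed comparator. Merge sort needs on the order of n log n pairwise judgements, so the model is asked about pairs, never about the whole list at once, which keeps each prompt small and the cost predictable. Pairwise verdicts from a model are not guaranteed to be transitive, so a deterministic key like the one above is worth keeping as the tie-break and as the sanity check for the recalibration pass that follows the ranking.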
Moving Beyond Static Scores
CVSS remains a foundational tool, but modern security requires a more dynamic approach. By incorporating real-world context, organizations can focus on the vulnerabilities that pose the most significant threats instead of working down a list sorted by base score.
At HTCD, we empower organizations with a risk-based approach to vulnerability management, ensuring security teams focus on what truly matters.