The concept of vulnerability management has been around for quite some time now – dating back to the late 1990s, when NIST started cataloging vulnerabilities and tools like Nessus first became available. The idea at the time was that if you could identify your vulnerabilities, you could then fix all of them and avoid known exploits. Outside of the occasional zero-day vulnerability, these practices would generally keep an organization exploit-free.
But the pace of vulnerability disclosures grew steadily in the following decades. Software became more complex, enterprises went through multiple iterations of “digital transformation,” and it became necessary to prioritize. Then came 2017, when NIST expanded the CVE (Common Vulnerability Enumeration) Numbering Authorities, which led to an associated explosion in newly disclosed vulnerabilities.
Other macro trends also increased the volume of vulnerability disclosures – including cloud technologies (especially containerization), IoT, the need to understand vulnerabilities in open-source libraries to support DevSecOps, and mobile device security. At the same time, technology within organizations has accumulated a technical debt of software vulnerabilities – in particular from specialty software with dependencies on outmoded operating systems or platforms – that has piled up over the years. Combine this with recent advances in automated software inventories, which surface far more of what is actually deployed, and the problem is compounded even further.
The effect on threat actors has also been profound. Malicious hackers use only about 3% of software vulnerabilities in exploits – meaning they have a universe of vulnerabilities to choose from. The front-page attacks of 2009-2010 – Stuxnet, Duqu, Aurora – all of which used previously undiscovered vulnerabilities, have been replaced by the front-page attacks of 2020-2021, such as Ryuk, Netwalker, various CozyBear campaigns, and others that rely on known vulnerabilities. For example, in October of 2020, the National Security Agency released a list of 25 software vulnerabilities actively exploited by Chinese nation-state hackers, 44% of which had previously been deemed non-critical by NIST.
Unfortunately, the attitude of “why don’t they just patch” has persisted despite the explosion in the size of the problem on multiple fronts. CISOs and CIOs still face serious career risks when an organization suffers a breach due to a known vulnerability. Unrealistic expectations on vulnerability and patch management fuel this problem.
In the middle of all this is NIST and the CVSS scoring system for rating vulnerabilities. Peer-reviewed studies have repeatedly shown that it does no better than a random guess at predicting which vulnerabilities will be exploited in the future. Further, about 60% of vulnerabilities are ranked as high or critical – and very few (about 1%) are considered “low”. This is despite the very small fraction of vulnerabilities used in actual attacks (shown to be about 3%). In short, NIST CVSS is too much and too little at the same time – it ranks a large number of vulnerabilities at a high level but does not triage them in a way that is predictive of actual threat. Now, CVSS may never have been intended to predict exploitation – but the reality is that it is treated as such.
Machine learning offers a way forward. Intelligence gathered on vulnerabilities is well known to provide indicators prior to exploitation. However, intelligence shops are handicapped by the sheer number of vulnerabilities. The use of AI, machine learning, and big-data methods to support intelligence analysis was funded over the past decade by the US military to enhance counter-terror and counter-insurgency operations. These ideas have recently been applied to the problem of vulnerability management and can allow the intelligence process to scale to the volume of vulnerabilities. Further, the machine learning methods – especially of the supervised variety – are not a static ranking system for prioritizing vulnerabilities, but an ever-evolving system adapting to threat actor discussions and activities. This is why we believe that machine learning is key to addressing the challenges of vulnerability management.
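To make the previous two paragraphs concrete, here is an added example (not the article's own code, nor any vendor's model) that measures a plain CVSS-threshold triage against an intelligence-led one on a constructed inventory: the identifiers, the two intelligence signals, and the "exploited" ground-truth labels are all invented for illustration, and the policies are simple rules standing in for the supervised model the text describes.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass(frozen=True)
class Vuln:
    vid: str              # placeholder id, not a real CVE number
    cvss: float           # CVSS base score, 0.0-10.0
    exploit_public: bool  # intel signal: exploit code is circulating
    actor_chatter: bool   # intel signal: discussed by threat actors
    exploited: bool       # ground truth learned later: used in a real intrusion

# Constructed sample inventory (not real data). As the text describes, most
# entries are rated high/critical, yet only a few are ever exploited.
SAMPLE: List[Vuln] = [
    Vuln("EXAMPLE-01", 9.8, True, True, True),
    Vuln("EXAMPLE-02", 9.1, False, False, False),
    Vuln("EXAMPLE-03", 8.8, False, False, False),
    Vuln("EXAMPLE-04", 8.1, True, False, True),
    Vuln("EXAMPLE-05", 7.5, False, False, False),
    Vuln("EXAMPLE-06", 7.5, False, False, False),
    Vuln("EXAMPLE-07", 7.2, False, False, False),
    Vuln("EXAMPLE-08", 6.5, True, True, True),
    Vuln("EXAMPLE-09", 5.3, False, True, False),
    Vuln("EXAMPLE-10", 4.3, False, False, False),
]

def cvss_policy(v: Vuln) -> bool:
    """Traditional triage: patch everything rated high or critical (>= 7.0)."""
    return v.cvss >= 7.0

def intel_policy(v: Vuln) -> bool:
    """Intelligence-led triage: patch what shows pre-exploitation indicators."""
    return v.exploit_public or v.actor_chatter

def evaluate(policy: Callable[[Vuln], bool], vulns: List[Vuln]) -> Dict[str, float]:
    """Score a triage policy against what was actually exploited later."""
    flagged = [v for v in vulns if policy(v)]
    hits = sum(1 for v in flagged if v.exploited)
    exploited = sum(1 for v in vulns if v.exploited)
    return {
        "flagged_share": len(flagged) / len(vulns),            # patch workload
        "precision": hits / len(flagged) if flagged else 0.0,  # effort well spent
        "recall": hits / exploited if exploited else 0.0,      # exploited vulns caught
    }

def patch_queue(vulns: List[Vuln]) -> List[str]:
    """Order work by intelligence signals first, with CVSS only as the tiebreak."""
    ranked = sorted(vulns, key=lambda v: (v.exploit_public, v.actor_chatter, v.cvss), reverse=True)
    return [v.vid for v in ranked]
```

On this sample the CVSS rule flags 70% of the inventory to catch two of the three exploited items, while the intelligence rule flags 40% and catches all three; the point is the base-rate effect the text describes, not the particular numbers, which depend entirely on the constructed data.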