{"id":3103,"date":"2025-05-09T09:00:00","date_gmt":"2025-05-09T09:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3103"},"modified":"2025-05-09T09:00:00","modified_gmt":"2025-05-09T09:00:00","slug":"cve-funding-crisis-offers-chance-for-vulnerability-remediation-rethink","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3103","title":{"rendered":"CVE funding crisis offers chance for vulnerability remediation rethink"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A recent funding crisis involving the Common Vulnerabilities and Exposures (CVE) program sent a wave of panic through the cybersecurity community, raising questions among security professionals about how the potential dissolution of the program would impact their approaches to security triage.<\/p>\n<p>The <a href=\"https:\/\/www.cve.org\/about\/overview\">CVE program<\/a>, which provides a publicly available archive of disclosed vulnerabilities, is highly trusted by security professionals for prioritizing and addressing vulnerabilities in their tech stacks.<\/p>\n<p>Last month, the MITRE Corporation, which administers the program under contract to the US government\u2019s Cybersecurity and Infrastructure Security Agency (CISA), <a href=\"https:\/\/www.csoonline.com\/article\/3963190\/cve-program-faces-swift-end-after-dhs-fails-to-renew-contract-leaving-security-flaw-tracking-in-limbo.html\">announced that its funding had been pulled<\/a>, an unprecedented crisis that was ultimately averted when an 11-month funding extension option was exercised by CISA.<\/p>\n<p>That extension solved the immediate problem without resolving longer-term uncertainty about the future of the CVE program and its funding. 
As a result, enterprise approaches to security triage still need to be re-evaluated, and systems and processes potentially re-engineered.<\/p>\n<h2 class=\"wp-block-heading\">Vulnerability surge<\/h2>\n<p>CVEs directly affect how defenders learn to detect, identify, and respond to vulnerabilities.<\/p>\n<p>Last year (2024) marked a sharp increase in published vulnerabilities, with more than 40,000 CVEs disclosed, representing a 38% year-on-year increase, according to a <a href=\"https:\/\/blackkite.com\/black-kite-research-reveals-traditional-approaches-to-vulnerability-management-fall-short-in-third-party-risk-management-tprm\/\">recent study by cyber risk management platform firm Black Kite<\/a>.<\/p>\n<p>More than 20,000 vulnerabilities had a Common Vulnerability Scoring System (CVSS) score of 7.0 or higher, and over 4,400 were classified as critical (CVSS 9.0+).<\/p>\n<p>However, CVSS scores alone fall short when attempting to gauge the threat posed by particular vulnerabilities.<\/p>\n<p>Exploitability, vendor exposure, and supply chain interdependencies play a significant role in determining real-world risk, according to Black Kite\u2019s Research &amp; Intelligence Team (BRITE).<\/p>\n<p>\u201cTraditional vulnerability management says: Patch the loudest alert,\u201d <a href=\"https:\/\/www.sans.org\/profiles\/dr-ferhat-dikbiyik\/\">Ferhat Dikbiyik<\/a>, chief research and intelligence officer of Black Kite, told CSO. \u201cBut that\u2019s no match for ransomware gangs who weaponize a vulnerability days after disclosure and use your vendors to walk right in.\u201d<\/p>\n<p>Dikbiyik added: \u201cYou need three questions for every CVE: Can it be exploited? Is it exposed online? And how deep does it run in our supply chain? 
That\u2019s the shift \u2014 from CVSS to real-world risk.\u201d<\/p>\n<p>The warning follows earlier <a href=\"https:\/\/www.blackhat.com\/eu-24\/briefings\/schedule\/#the-cvss-deception-how-weve-been-misled-on-vulnerability-severity-42509\">security research from merchant bank JPMorganChase<\/a>, which pointed to <a href=\"https:\/\/www.csoonline.com\/article\/3623598\/security-researchers-find-deep-flaws-in-cvss-vulnerability-scoring-system.html\">various flaws in the CVSS vulnerability scoring system<\/a>.<\/p>\n<p>For example, CVSS scores fail to account for contextual factors such as the environment in which a vulnerability exists or whether it has been actively exploited in the wild, the researchers told delegates at last year\u2019s Black Hat Europe conference.<\/p>\n<h2 class=\"wp-block-heading\">Automatic for the people<\/h2>\n<p>AI technologies could act as a temporary bridge for vulnerability triage \u2014 but not a replacement for a stable CVE system, according to experts consulted by CSO.<\/p>\n<p>\u201cAutomation and AI-based tools can also enable real-time discovery of new vulnerabilities without over-relying on standard CVE timelines,\u201d said Haris Pylarinos, founder and chief executive of cybersecurity training program Hack The Box. \u201cOrganizations that continue to be resilient are the ones that consider vulnerability management as an ongoing, multi-layered process underpinned by continuous threat exposure management \u2014 not a quick, single-source solution.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Risk management<\/h2>\n<p>Rik Ferguson, vice president of security intelligence at cybersecurity vendor Forescout, warned that organizations relying principally or solely on the CVSS metric to prioritize their vulnerability remediation programs need to rethink their approach.<\/p>\n<p>\u201cRisk without context is just noise,\u201d Ferguson told CSO. 
\u201cIntelligence without relevance is just data.\u201d<\/p>\n<p>\u201cUnderstanding third-party exposure is essential, but what\u2019s often missing in these analyses is the operational context,\u201d Ferguson added.<\/p>\n<p>With so many vulnerabilities, assets, and suppliers in play, especially in <a href=\"https:\/\/www.csoonline.com\/article\/3595787\/ot-security-becoming-a-mainstream-concern.html\">environments that include OT<\/a>, IoT, and medical devices, prioritization quickly becomes overwhelming.<\/p>\n<p>Vulnerability management has moved far beyond managing <a href=\"https:\/\/www.computerworld.com\/article\/3481576\/microsofts-patch-tuesday-updates-keeping-up-with-the-latest-fixes.html\">Microsoft\u2019s Patch Tuesday<\/a> updates, penetrative software, and network device security updates. Businesses need to be concerned about accounting for software a vendor hasn\u2019t patched in six months or the open-source component quietly sitting in production, for example.<\/p>\n<p>Ferguson said enterprises need not only a software asset inventory but also knowledge about every device, its role, and its criticality to mission or operations.<\/p>\n<p>\u201cIf you are responsible for a hospital environment for example, you absolutely need to know which fridge stores the sandwiches and which one stores the blood or meds,\u201d Ferguson explained. 
\u201cThat\u2019s the level of precision security teams need to move from awareness to action.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Countermeasures<\/h2>\n<p>Hack The Box\u2019s Pylarinos agreed that detailed oversight of the hardware and software running within an organisation is essential before applying robust patch management processes, which remain a <a href=\"https:\/\/www.csoonline.com\/article\/3520881\/patch-management-a-dull-it-pain-that-wont-go-away.html\">dull headache that won\u2019t go away<\/a>.<\/p>\n<p>Following best practices for network security design is also important because a foundationally secure architecture can reduce risk related to both known and unknown vulnerabilities. These best practices include measures such as strong network segmentation, least privilege access, and multi-factor authentication.<\/p>\n<p>Pylarinos added: \u201cThere are several proactive steps that security teams can also take to mitigate vulnerabilities. If this news shows us anything, it\u2019s the insecurity of relying solely on CVE data moving forward. 
CISA\u2019s KEV [<strong>Known Exploited Vulnerabilities<\/strong>], vendor advisories, and private threat feeds, for example, can all be used to provide further context and a wider view of the vulnerability landscape.\u201d<\/p>\n<p>Pairing solid security fundamentals with active, real-time intelligence is enterprise security\u2019s best bet.<\/p>\n<p>\u201cThe integration of live threat intelligence, threat-informed training, and investment in internal penetration testing and threat modelling provides security teams with a more comprehensive overview of current threat levels and better identification of vulnerabilities,\u201d Pylarinos concluded.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A recent funding crisis involving the Common Vulnerabilities and Exposures (CVE) program sent a wave of panic through the cybersecurity community, raising questions among security professionals about how the potential dissolution of the program would impact their approaches to security triage. 
The CVE program, which provides a publicly available archive of disclosed vulnerabilities, is highly [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3104,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3103","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3103"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3103"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3103\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3104"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3103"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3103"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3103"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}