September 17, 2024 By Doug Bonderud 4 min read

Updated Sept. 24, 2024

In February, the number of vulnerabilities processed and enriched by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) started to slow. By May, 93.4% of new vulnerabilities and 50.8% of known exploited vulnerabilities were still waiting on analysis, according to research from VulnCheck.

Three months later, the problem persists. While NIST has a plan to get back on track, analysis of newly reported common vulnerabilities and exposures (CVEs) isn’t keeping pace with the rate at which they are detected. Here’s a look at what’s behind the backlog, why CVEs may no longer be the Holy Grail of IT defense and how security teams can stay ahead of attacker efforts.

What’s behind the backlog?

Budget cuts are partially responsible for CVE analysis issues. As noted by Security Magazine, NIST funding was cut by 12% this year, making it more difficult for the agency to enrich CVEs. In practice, the NVD is effectively a downstream consumer of CVE data — while the number of CVEs found and reported remains steady, NIST’s ability to assess and enrich these vulnerabilities has been significantly reduced.

The sheer number of reported vulnerabilities also poses a problem for analysis efforts; Flashpoint research found that NIST reported 33,137 vulnerabilities in 2023. In part, rising numbers are tied to improved detection capabilities. As companies expand security efforts with cloud-based technologies and AI-enabled tools, they’re better able to pinpoint potential threats. As a result, bigger numbers aren’t always indicative of increased risk, but they do speak to a growing number of potential attack paths.

NIST does have a plan to clear the backlog. According to USASpending.gov, the government has awarded an $860,000 contract to Analygence for cybersecurity analysis and email support. Analysis efforts were slated to start June 3, and NIST hopes to be back on track by September 2024. While the contract is slated to end as of December 2024, the agency has an option to extend services into July 2025.

The changing face of cyber threats

Concerns around the NVD backlog are understandable. The longer it takes NIST to analyze CVEs and suggest effective countermeasures, the greater the risk for enterprises.

As noted by Cybersecurity Dive, however, the cybersecurity landscape is changing. During the virtual Gartner Security and Risk Management summit, principal analyst Mitchell Schneider noted that while the total number of vulnerabilities continues to increase, critical CVEs aren’t outpacing their high, medium and low counterparts.

What’s more, attackers aren’t using CVE severity as the criteria for compromise. “There’s no inherent correlation between the vulnerability and if threat actors are exploiting them in terms of those severity ratings,” says Schneider. Instead, attackers are prioritizing the most exploitable vulnerabilities, which are often those ranked as medium or low severity.

In practice, this creates a forest-for-the-trees scenario: If companies are too focused on critical CVEs, they can miss middle-of-the-road exploits that allow attackers to gain network access and then move laterally into more critical systems.

The result? While the common vulnerability database remains a critical part of effective security, it’s not a silver bullet. Cyber threat tactics are changing, and security teams must be prepared to change in response.

How security teams can stay ahead of attackers

So what does this change look like in action?

Four considerations can help companies build better defenses in a world of delayed NVD additions.

1) Prioritize visibility

With attack methods and patterns diversifying, businesses need to prioritize IT visibility. Consider a company using on-premises storage for critical data, public clouds for testing and development and private clouds for easily scalable application resources.

In the new threat landscape, attacks can come from any source at any time. If undetected, attackers can bide their time gathering data and pinpointing ideal attack pathways. As a result, complete visibility is critical. The more companies know about what’s happening across their environments, the better prepared they are to detect, identify and mitigate attacks.

2) Focus on exploitability

As Gartner makes clear, exploitability is now the top priority for attackers. While more severe vulnerabilities may be more valuable targets in the short-term, exploitable medium- or low-severity weaknesses can set attackers up for ongoing success.

For example, suppose malicious actors can exploit a medium-severity vulnerability at the edge of business networks. In that case, they may be able to create and maintain backdoors that provide permanent access to enterprise systems. From there, they can carry out reconnaissance and bide their time until security teams are focused on other vulnerabilities.

By targeting the most exploitable rather than the most severe vulnerabilities, security teams can reduce the chance of successful attacks.

3) Share the burden

Security is no longer the exclusive burden of IT teams. Operations, finance, marketing, sales and customer service teams all have a role to play in keeping companies safe. While the ultimate responsibility for security still lies with technology professionals, sharing the burden across teams can both improve detection rates and reduce the time between identification and action.

4) Leverage available resources

With the NVD backlogged, it’s important for security teams to find and leverage alternative resources. Potential security sources include:

  • CISA Vulnrichment: CISA has taken on some of NIST’s CVE burden with its “Vulnrichment” program. A list of known vulnerabilities can be found on GitHub, and companies can contact CISA at [email protected] with any questions.
  • The CVE Program: The CVE Program (formerly the Mitre CVE repository) identifies, defines and catalogs publicly disclosed cybersecurity vulnerabilities. There are currently more than 240,000 CVE records that security teams can download or search.
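As an added example (not code from the article, CISA or the CVE Program), the following Python triage ranks CVE records the way the “Focus on exploitability” section recommends: CISA Vulnrichment SSVC “Exploitation” evidence and KEV listing come first, CVSS severity last. The record layout is an assumption modelled on the public CVE JSON 5 format with a CISA ADP container, and the CVE IDs are constructed placeholders, not real vulnerabilities.

```python
EXPLOITATION_RANK = {"active": 2, "poc": 1, "none": 0}

def _record(cve_id, score, exploitation, kev):
    """Build a constructed CVE-JSON-5-style record (field layout is an assumption)."""
    metrics = [{"other": {"type": "ssvc",
                          "content": {"options": [{"Exploitation": exploitation}]}}}]
    if kev:
        metrics.append({"other": {"type": "kev", "content": {"dateAdded": "2024-06-01"}}})
    return {"cveMetadata": {"cveId": cve_id},
            "containers": {"cna": {"metrics": [{"cvssV3_1": {"baseScore": score}}]},
                           "adp": [{"title": "CISA ADP Vulnrichment", "metrics": metrics}]}}

SAMPLE_RECORDS = [  # constructed sample data with placeholder IDs, not real CVEs
    _record("CVE-0000-0001", 9.8, "none", False),   # critical score, no exploitation observed
    _record("CVE-0000-0002", 5.3, "active", True),  # medium score, actively exploited, in KEV
    _record("CVE-0000-0003", 7.5, "poc", False),    # high score, public proof of concept only
]

def cvss_base_score(record):
    """Highest CVSS base score in the CNA container, 0.0 if the record has none."""
    best = 0.0
    for metric in record["containers"]["cna"].get("metrics", []):
        for key, value in metric.items():
            if key.startswith("cvssV") and "baseScore" in value:
                best = max(best, float(value["baseScore"]))
    return best

def adp_signals(record):
    """Return (ssvc_exploitation, listed_in_kev) read from the CISA ADP container."""
    exploitation, in_kev = "none", False
    for adp in record["containers"].get("adp", []):
        for metric in adp.get("metrics", []):
            other = metric.get("other", {})
            if other.get("type") == "ssvc":
                for option in other["content"].get("options", []):
                    exploitation = option.get("Exploitation", exploitation)
            elif other.get("type") == "kev":
                in_kev = True
    return exploitation, in_kev

def prioritize(records):
    """CVE IDs ordered by exploitation evidence, then KEV listing, then CVSS score."""
    def key(r):
        exploitation, in_kev = adp_signals(r)
        return (EXPLOITATION_RANK.get(exploitation, 0), in_kev, cvss_base_score(r))
    return [r["cveMetadata"]["cveId"] for r in sorted(records, key=key, reverse=True)]

def by_severity_only(records):
    """The CVSS-only ordering the article warns against, kept for comparison."""
    return [r["cveMetadata"]["cveId"] for r in sorted(records, key=cvss_base_score, reverse=True)]
```

On the sample data, `prioritize` puts the actively exploited medium-severity record first, while `by_severity_only` would leave it last.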

What’s next for NIST?

NIST hopes to eliminate the NVD backlog by September 2024, but there’s no guarantee that its efforts will succeed. As noted by The Record, Senators Mark Warner (D-VA) and Thom Tillis (R-NC) have proposed legislation that would restore funding to NIST and increase its focus on new risks, such as AI-enabled threats, but the bill is in its infancy.

In other words, while the agency and federal lawmakers recognize the critical impact of CVE analysis and enrichment, enterprises can’t rely on the NVD to deliver up-to-date vulnerability data.

Instead, businesses are better served changing their approach to align with evolving attacker efforts. By implementing tools that help improve visibility and identify exploitability, companies can prioritize high-risk threats. By sharing the security burden across departments and expanding their use of available security resources, meanwhile, enterprises can more effectively respond to shifting attack priorities.

Correction: This article has been updated to clarify the differences between NVD and CVE. The CVE Program catalogs publicly disclosed vulnerabilities through CVE Records, whereas NVD is a downstream consumer of the CVE Program’s data.
