Photo by NoWah Bartscher on Unsplash

How the NVD backlog highlights the need for context in vulnerability management

"A Vulnerability Operations Centre (VOC) approach can work wonders here..."

The greatest challenge in vulnerability management has always been cutting through the noise. With thousands of new vulnerabilities being reported monthly, most security teams struggle to focus on the few that genuinely matter to their organisation, writes Sylvain Cortes, VP Strategy at Hackuity.

For many years, the National Vulnerability Database (NVD) run by NIST has been an invaluable guiding light for directing vulnerability management efforts. But with NIST scaling back its involvement earlier this year and a growing backlog of vulnerabilities waiting to be analysed, some security teams are starting to feel adrift.

The good news is that CISA has taken up the challenge with its ‘Vulnrichment’ programme aiming to work through the backlog. So how can security teams best use this enriched data, and how can they manage in the meantime? 

What’s happening with the NVD database? 

The NVD has often been seen as the de facto resource for vulnerability data in part because of its sweeping scale - more than 250,000 different CVEs have been submitted to the database over the years. 

But it's true value is the process of enriching reported vulnerabilities. Each enriched CVE entry packs extremely useful data points, including a summary of how it can be exploited by threat actors, software configurations known to be affected, and links to relevant patching and support. All of this is rounded off by risk scoring.

Unfortunately, this comfortable status quo changed for the worst when agency cutbacks meant that the NVD started slowing down its efforts in processing and enriching vulnerabilities. With thousands of new vulnerabilities submitted every month, it didn’t take long for a sizable backlog of unassessed reports to start building up. 

At time of writing, 17,227 CVEs have been submitted this year, but just 4,635 have had enriched reports published. That’s shouting ‘fire’ but not clarifying whether the smoke’s coming from your neighbour’s house or your own bedroom.

How the backlog is impacting security 

This is a serious issue for those security teams relying on the NVD as their main source of truth for their management programmes. The greater the backlog, the more likely that security teams will miss critical vulnerabilities that should be at the top of their to-do lists, thus exposing the business to elevated cyber risk.

The good news is that CISA’s Vulnrichment programme, announced in early May, is working on picking up the slack. The project is coordinated on GitHub to provide easily accessible, enriched threat data. 

Common Platform Enumeration, Common Vulnerability Scoring System, Common Weakness Enumeration, and Known Exploited Vulnerabilities are being methodically added to CVEs, with over a thousand processed already. 

Still, with over 10,000 CVEs to be processed and more piling in every month, it will take the CISA initiative some time to clear the backlog. The ocean’s rushing in, and CISA’s doing its best with a pail. In the meantime, organisations that previously relied on the NVD should look to broaden their vulnerability horizons and incorporate other sources. 

This includes other databases like CISA’s Known Exploited Vulnerability (KEV) catalogue, vulnerability reports in the news, updates from vendors, and internal threat detection data. Manually managing multiple disparate sources can make it difficult to prioritise activity, however, so teams should ideally look at tools that can automatically aggregate and analyse vulnerability sources.

Making sense of CVEs

The decline of the NVD and CISA’s subsequent efforts to fill the gap highlight just how important context is for effective vulnerability management. Risk scores don’t provide the whole picture without the context around the data. 

So, while having a reliable database of vulnerability information is extremely valuable, it still needs to be put into context by individual organisations. A vulnerability that could be catastrophic for one company might barely matter for another. 

Let’s say there’s a new CVE for a piece of cloud-based analytics software that could allow unauthorised access. Company A uses this software as a core part of its operations and has huge volumes of data relating to its client base there. Company B though barely uses the software and only has a few pieces of non-sensitive data connected to it. Our hypothetical CVE should be at the very top of Company A’s to-do list (underlined several times, in red), but the team over at Company B can more safely focus on other issues first. 

Without this kind of context, security teams can’t be confident they are zoning in on the highly critical vulnerabilities that matter to their company, and not simply wasting time carrying out unnecessary remediation on issues that won’t affect business operations. 

Keeping up with the pace of new vulnerabilities 

Even armed with a reliable source of vulnerability data and the knowledge to put it into a business context, it can be difficult to manage the rapid rate at which new CVEs are continually popping up. Security teams need a strategic approach if they are to keep pace.

A Vulnerability Operations Centre (VOC) approach can work wonders here. As the name suggests, this strategy mirrors the well-established Security Operations Centre (SOC) model. But while a SOC handles a broad spectrum of security activities, the VOC zeroes in on preventing vulnerabilities before they can be exploited. 

The VOC acts as a central hub for continuous monitoring and coordinated responses, using a risk-based vulnerability management (RBVM) approach to prioritise threats. This enables teams to better keep on top of the shifting vulnerability priorities and always focus their efforts on the biggest threats. 

The NVD backlog underscores the critical need for context in vulnerability management. By combining external sources like the new Vulnrichment programme with efficient internal practices like the VOC, security teams can stay ahead of vulnerabilities and safeguard their operations more effectively. Every day that status quo security persists, we fall exponentially behind.

See also: NIST pledges fix NVD backlog by September – insists it’s right agency to run vulnerability database