When Patching Security Flaws, Smarter Trumps Faster

Organizations that use the Common Vulnerability Scoring System (CVSS) to prioritize the patching of software security vulnerabilities reduce their potential exploitability compared with randomly fixing issues, but not by much. A new study shows it's better to focus on whether exploits have been created for the software flaws.

The analysis — carried out by vulnerability management firm Kenna Security and data-science group Cyentia Institute — investigated whether a variety of factors can help determine the best strategy for remediating vulnerabilities, using information from vulnerability reports, the impact those vulnerabilities have on actual companies, and whether exploit code has been released for the issues. 

In addition to analyzing the data, the companies performed simulations to determine the impact of different strategies for prioritizing vulnerability remediation.

While triaging issues by CVSS reduces exploitability by two- to six-times more than a random strategy — depending on how quickly a company can remediate flaws — prioritizing by the existence of exploit code reduces exploitability by a factor of 22 to 29, the analysis found.

"If you could do nothing else ... start with exploit code," says Ed Bellis, co-founder and chief technology officer of Kenna Security. "If you look at the vulnerabilities that you have that have exploit code available for them, that will immediately push your risk down just by remediating those."

Remediation strategies are important for companies, because with more than 20,000 vulnerabilities logged into the National Vulnerability Database in 2021, firms have little chance of quickly patching every issue. In fact, the average company only patches about 15% of the flaws in its environment every month, while three-quarters of firms patch less than 27% of the vulnerabilities in their systems, the companies state in their report, "Prioritization to Prediction: Measuring and Minimizing Exploitability."

Fixing flaws faster reduces the chance of exploitation, but companies with high "remediation capacities" are not necessarily fixing the right issues, according to the report.

"[M]inimizing exploitability isn’t just a matter of doing more or doing it faster," the report states. "[S]ome low-capacity firms manage to achieve low exploitability, some with high remediation capacity are still relatively exploitable, and others fall everywhere in between."

Twitter Mentions and Other "Metrics"

In 2021, the share of vulnerabilities existing in company environments accounted for approximately a fifth to a quarter of the total reported for the year, dropping significantly compared with the previous four years, according to data collected by Kenna and Cyentia. However, the proportion of vulnerabilities both existing in corporate environments and with known exploit code drops to 4% of the total.

By prioritizing these issues, companies can patch the software representing the greatest risk, Bellis says.

"If you think about all the CVEs [vulnerabilities] in the national vulnerability database, there is a lot of stuff that applies to software that companies and enterprises just don't run — it's consumer based, for example," he says. "Or it could be a class of vulnerabilities that companies are not scanning or are not looking for — an obscure IoT software vulnerability that they actually have but they are not looking for it."

The Common Vulnerability Scoring System is a way of rating the potential seriousness of a vulnerability. However, attackers are more often driven by strategies that minimize effort — using already existing exploit code, for example. So, prioritizing the vulnerabilities that have existing exploit code makes sense.

The analysis found that prioritizing the patching of issues by the CVSS only improves on a random strategy by a small amount — even applying the easiest-to-patch software first improves on a CVSS-based strategy.

"I think that the things that CVSS is getting after are interesting and good data points to collect, but the problem is that people ask for a score and when it is applied, they are using it wrong — as a risk," says Jay Jacobs, founder and chief data scientist at Cyentia Institute. "I don't want to see it go away, but we could drop the scoring altogether and just use other forms of prioritization."

In fact, using the number of Twitter mentions improves upon both the CVSS-based and easiest-to-patch-first strategies, according to the report. Focusing on the vulnerabilities that are most observed in a particular environment is the next best strategy. Yet, prioritizing by the existence of exploit code is a significant improvement on all four other strategies.

"[V]ulnerability management is not a mindless, endless loop of finding and fixing," according to the report. "Organizations have a great deal of control over their attack surface through the strategies and capabilities they employ."