Twitter Mentions More Effective Than CVSS at Reducing Exploitability
Monitoring Twitter mentions of vulnerabilities may be twice as effective as CVSS scores at helping organizations prioritize which bugs to patch first, according to new research.
Kenna Security’s latest report, Prioritization to Prediction, Volume 8: Measuring and Minimizing Exploitability, was compiled with help from the Cyentia Institute.
It confirmed what many security experts have been saying for some time: the sheer volume of CVEs discovered today means organizations must get better at prioritizing which vulnerabilities to fix.
Although an average of 55 bugs were discovered every day in 2021, the good news is that only 4% posed a high risk to organizations, according to the research. It went further, claiming that 62% of the vulnerabilities studied had a less than a 1% chance of exploitation, while only 5% exceeded a 10% probability.
To arrive at its findings, Kenna Security used an industry-devised Exploit Prediction Scoring System (EPSS), which uses CVE information and real-world exploit data to predict “whether and when” vulnerabilities will be exploited in the wild.
Not all vulnerability management strategies are created equal, argued Kenna Security co-founder and CTO, Ed Bellis.
“Prioritizing vulnerabilities with exploit code is 11 times more effective than CVSS scores in minimizing exploitability. Mentions on Twitter, surprisingly, also have a much better signal-to-noise ratio than CVSS (about two times better),” he wrote.
“We also learned that, given the choice, it’s far more effective to improve vulnerability prioritization than increase remediation capacity … but doing both can achieve a 29-times reduction in exploitability.”
Bellis concluded that prioritizing bugs via exploitability rather than technical CVSS scores is “the strategy of the future” and one that US government security experts appear to be taking.
“The data shows that taking this more measured approach of prioritizing exploitability over CVSS scores is the way to go and the recent Cybersecurity and Infrastructure Security Agency (CISA) directive agrees,” he argued.