Turn Down the CVSS Noise: Use AI and Runtime Context to Silence Vulnerability Alarms
Let’s be honest, it’s time to rethink and reframe the approach to vulnerability management.
For over a decade as a linguist and intelligence analyst, first in the US Air Force and then at Booz Allen Hamilton, I dissected adversarial tactics and techniques. I’ve tracked nation-state threat actors and helped organizations build and maintain security programs that work in the modern cloud native era. In the last three years at Sysdig, I’ve moved from hands-on analysis with the Sysdig Threat Research Team to amplifying security trends for the broader community. I’ve seen incredible accomplishments when teams quickly adapt and align. Vulnerability management is overdue for that kind of transformation.
For more than 20 years, vulnerability management has been an integral yet frustrating component of security programs. Despite this organizational focus and the time, money, and headcount invested in it, the reality is that most vulnerability management programs have not kept pace with adversarial tactics and evolving technology. Our security teams have been consistently overwhelmed by unremediated vulnerabilities. The same themes echo across every organization: too much noise, not enough signal. If everything is critical, then nothing is critical. There’s a reason we’re still frustrated by vulnerability management decades later, and still exposed.
While the mechanics of vulnerability management are largely the same — asset discovery, scanning and analysis, scoring and prioritization, and remediation — the scope of vulnerability management programs has grown considerably. Over the past two decades, we’ve seen a major migration from on-premises infrastructure to multicloud services built on microservices and serverless functions. That operational complexity accentuates the challenges with prioritization and remediation that we never quite solved on-prem: there are more assets, they are shorter-lived, and far more of them are built from third-party images and packages.
The Failures of Traditional Vulnerability Management
Some current approaches to vulnerability management remain too reliant on ill-suited and ineffective practices from the past. Far too many vulnerabilities categorized as “critical” or “high” don’t warrant the attention we assume they do. We’ve all seen scan results showing serious risks that were first discovered in our operating environment years ago and never fixed. They obviously were not as “critical” as their CVSS score indicated at the time. It’s not that those scores are inherently wrong; a CVSS base score measures the intrinsic severity of a flaw, and it simply lacks operational context: whether the vulnerable code is deployed, reachable, and actually running.
The actual likelihood and impact of vulnerabilities were obscured behind non-contextualized CVSS base scores. Even the complementary signals layered on top of CVSS still left us looking at a veritable haystack: the Exploit Prediction Scoring System (EPSS) estimates the probability that a CVE will be exploited in the wild over the next 30 days, and CISA’s Known Exploited Vulnerabilities (KEV) catalog lists CVEs with evidence of active exploitation. Both tell us which CVEs attackers favor; neither tells us which of those CVEs are running in our environment. An organization with open vulnerabilities numbering in the tens of thousands is not a red flag. It is business as usual.
The teams charged with prioritizing and remediating vulnerabilities have frequently lacked organizational context. The basic governance model was itself the problem: security teams ran point-in-time scans and threw poorly contextualized results over the fence to overwhelmed infrastructure and operations (I&O) and development teams. This set everyone up for failure.
Consequently, the number of open vulnerabilities grew over time, and the real, pertinent risks to our organizations were overlooked. At these volumes, the traditional “burn down,” a euphemism for risk reduction measured by the raw count of open findings, becomes futile. When something went awry, this led to finger-pointing among senior leaders and stakeholders, notably CIOs, CTOs, and CISOs. With regulatory mandates and audit findings, the tension has continued to mount.
Here’s the truth: The status quo serves no one other than the threat actors looking to exploit our organizations.
How To Rebuild Your Vulnerability Management Program
We need to rethink how we implement and govern vulnerability management in our organizations. Vulnerability management requires more than just a tool that scans assets for misconfigurations, unpatched software, and exposures.
Vulnerability management is meant to be a strategic program that should have its own defined operating model. The model should incorporate key variables, including:
- The right mix of resources, like personnel, tools, and automation.
- Clearly defined roles and responsibilities for each of those resources.
- The program’s core functions and workflows.
- The program’s desired technical and administrative controls.
Security leaders owe their teams a new game plan that makes organizations more resilient and secure. By establishing clear guidance and expectations, teams can move faster and avoid crisis mode later, and stakeholders can determine the metrics and data points needed to validate the program’s status and efficacy.
Drafting a target operating model for vulnerability management is foundational, but we still owe our teams better prioritization. This starts with rejecting the idea that all CVEs deserve equal treatment. We need better filters.
Leveraging Modern Tools for Effective Risk Reduction
There is hope, however, in achieving higher-fidelity vulnerability prioritization. Static scanning and other types of analysis will find vulnerabilities, but not all CVEs present material risk, and we need to help our teams identify, prioritize, and remediate those that do. One of the most impactful filters is runtime context: which vulnerable packages are actually loaded and executed by workloads running in production, and which of those workloads are exposed. A critical CVE in a library that ships in a container image but is never loaded by any process is a far lower risk today than a medium-severity CVE in a library an internet-facing service uses on every request.
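The prioritization rule described above, written out as an added example; this is not Sysdig’s code or any product’s scoring logic. It assumes a scanner has already produced findings carrying a CVSS base score, an EPSS probability and a KEV flag, and that runtime telemetry can report whether a process has actually loaded the vulnerable package and whether the workload is in production and internet-exposed. The thresholds, tier names, field names and sample findings are all constructed for illustration.

```python
"""Context-aware vulnerability triage (added example, not product code).

Combine CVSS, EPSS, CISA KEV membership and runtime/deployment context into
one priority tier, so that a "critical" CVSS score in a package no running
process ever loads does not outrank an actively exploited bug in an
internet-facing service.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Finding:
    id: str                   # scanner's finding identifier (constructed here)
    package: str              # affected package as reported by the scanner
    cvss: float               # CVSS base score, 0.0-10.0
    epss: float               # EPSS: probability of exploitation in the next 30 days, 0.0-1.0
    in_kev: bool              # listed in CISA's Known Exploited Vulnerabilities catalog
    loaded_at_runtime: bool   # a running process actually loaded the package (runtime telemetry)
    in_production: bool       # the workload is a production deployment
    internet_exposed: bool    # the workload accepts traffic from the internet
    fix_available: bool       # a fixed package version exists


# Thresholds are assumptions for this example; tune them to your risk appetite.
EPSS_HIGH = 0.10       # >= 10 % thirty-day exploitation probability counts as "likely exploited"
CVSS_HIGH = 7.0
CVSS_CRITICAL = 9.0

TIER_ORDER = {"fix-now": 0, "schedule": 1, "monitor": 2, "defer": 3}


def triage(f: Finding) -> str:
    """Map one finding to a tier: fix-now, schedule, monitor or defer."""
    exploited = f.in_kev or f.epss >= EPSS_HIGH

    # Runtime context first. A package that no running process has loaded is
    # not exploitable through that process today. Keep tracking it (a new
    # deploy or a lazily loaded module can change that) but do not page anyone.
    if not f.loaded_at_runtime:
        return "monitor" if (f.in_production and exploited) else "defer"

    # Package is in use, but outside production: schedule exploited bugs, watch the rest.
    if not f.in_production:
        return "schedule" if exploited else "monitor"

    # Package is in use in production.
    if exploited and (f.internet_exposed or f.cvss >= CVSS_HIGH):
        return "fix-now"
    if f.cvss >= CVSS_CRITICAL and f.internet_exposed:
        return "fix-now"
    if exploited or f.cvss >= CVSS_HIGH:
        return "schedule"
    return "monitor"


def prioritize(findings: Iterable[Finding]) -> List[Finding]:
    """Order findings for a remediation queue: tier first, fixable before
    unfixable within a tier, then by exploit probability and CVSS."""
    return sorted(
        findings,
        key=lambda f: (TIER_ORDER[triage(f)], not f.fix_available, -f.epss, -f.cvss),
    )


def tier_counts(findings: Iterable[Finding]) -> dict:
    """How many findings land in each tier; the 'fix-now' count is the
    number a team actually has to act on this week."""
    counts = {tier: 0 for tier in TIER_ORDER}
    for f in findings:
        counts[triage(f)] += 1
    return counts


# Constructed sample findings; the identifiers, packages and scores are
# made up for this example and do not describe real CVEs.
SAMPLE = [
    Finding("ex-1", "image-codec-lib", cvss=9.8, epss=0.02, in_kev=False,
            loaded_at_runtime=False, in_production=True,
            internet_exposed=True, fix_available=True),
    Finding("ex-2", "tls-lib", cvss=7.5, epss=0.42, in_kev=True,
            loaded_at_runtime=True, in_production=True,
            internet_exposed=True, fix_available=True),
    Finding("ex-3", "http-client-lib", cvss=5.3, epss=0.01, in_kev=False,
            loaded_at_runtime=True, in_production=True,
            internet_exposed=False, fix_available=True),
    Finding("ex-4", "logging-lib", cvss=10.0, epss=0.90, in_kev=True,
            loaded_at_runtime=True, in_production=False,
            internet_exposed=False, fix_available=False),
]


if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{triage(f):9} {f.id:5} {f.package:17} cvss={f.cvss:<4} epss={f.epss:<4} "
              f"kev={f.in_kev!s:5} loaded={f.loaded_at_runtime!s:5} prod={f.in_production!s:5}")
    print(tier_counts(SAMPLE))
```

Note what the ordering does with the constructed sample: the CVSS 9.8 finding in a package nothing loads drops to the bottom of the queue, while the CVSS 7.5 finding that is both in KEV and in use by an internet-facing production service goes to the top. The “defer” tier is deliberately not “ignore”: the finding stays in inventory and is re-triaged whenever runtime telemetry shows the package being loaded.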

Some modern security tools are taking prioritization and analysis of vulnerability data further. With natural language queries, for instance, an analyst can receive operational context and AI-assisted remediation guidance for discovered vulnerabilities and misconfigurations that place their organization at risk. Instantly accessible, real-time context for vulnerabilities is a force multiplier for security teams; as with any generated change, a proposed fix still goes through the same review and testing as one a human wrote. Complementing AI-derived insights with actionable threat intelligence helps security analysts and their colleagues in I&O and development focus on what’s truly important and get ahead.
We’re now seeing the light at the end of the vulnerability management tunnel. We can move beyond point-in-time scans that were historically isolated from development environments to tightly integrated analysis that becomes part of the integrated development environment (IDE) and the continuous integration/continuous delivery (CI/CD) pipeline, offering continuous insights and process-aligned remediation. From development to production, the engineering capabilities behind modern vulnerability management tools are built for the cloud native reality.
With both agentless scanning and lightweight agents available, our teams now have access to the telemetry required to address the prioritized vulnerabilities and misconfigurations that warrant immediate attention, regardless of where they exist. The two are complementary: agentless scanning can inventory what is installed in images, hosts, and cloud accounts, while knowing what is actually loaded and executing requires observing the running workload, which is what the agent provides. The value of a well-engineered vulnerability management program lies in its ability to be customized as circumstances warrant. In vulnerability management, flexibility and effectiveness go hand in hand.
Security leaders are reliant on their teams and the tools they use to provide the assurance and resiliency our organizations demand. They shouldn’t have to choose between speed and safety. Vulnerability management has been reimagined to empower teams to make better, risk-informed decisions. The modern approach combines AI, threat intelligence, and vulnerability data to offer flexible and context-aware recommendations, ensuring that our vulnerability management is done the right way.
It’s time to burn down the old ways in vulnerability management. No more noise. No more guesswork. Just real risk reduction.