
Smarter vulnerability management

Pierre Samson at Hackuity looks beyond the backlog

 

2024 has been a rollercoaster of a year for anyone responsible for managing security vulnerabilities. In February, funding cuts to NIST meant that it had to scale back support of the National Vulnerability Database (NVD), a resource commonly relied on as a single source of truth for new CVEs.

 

By April, the NVD was suffering from a serious backlog. Its team analysed only around 199 of the 3,370 CVEs received that month, and the backlog continued to grow as new CVE reports flooded in.

 

Things are looking up as we reach the end of the year. In November, NIST announced it was making headway, having addressed all Known Exploited Vulnerabilities (KEVs) in the backlog and now taking on newly reported ones. While this means the agency will have missed its initial target of fully clearing the backlog of both exploited and unexploited vulnerabilities by the end of 2024, it puts things back on an even keel.

 

So, things are looking up for vulnerability managers in 2025, right? Well, don’t uncork the champagne just yet. Prioritising vulnerabilities on a rapidly changing attack surface remains a significant challenge for organisations relying on outdated processes or tools.

 

To truly protect their systems, organisations must adopt context-driven vulnerability management strategies into next year and beyond. 

 

The importance of context 

For vulnerability management (VM) teams relying on the NVD, the backlog is more than an administrative hurdle: it is a roadblock to effective vulnerability management.

 

Organisations are left to make decisions in a vacuum without timely and complete data. This can quickly result in teams wasting time chasing after issues that pose minimal risk to their operations. And while they devote valuable resources to these, they may miss high-priority vulnerabilities that could be exploited in a seriously damaging attack. 

 

Outdated processes exacerbate the problem, creating inefficiencies and leading to burnout among already stretched security professionals.

 

Keeping up with incoming threats means security teams must diversify intelligence sources and apply context-rich approaches to prioritise risks and stay ahead of attackers.

 

Risk-based prioritisation

Not all vulnerabilities are created equal. While a vulnerability might seem critical on paper, its real-world impact depends on various factors, including the systems it affects, how attackers could exploit it, and how it intersects with an organisation’s unique environment.

 

Every CVE means something different to each company. This is why context is critical for effective vulnerability management.

 

For example, a high-CVSS vulnerability with no available exploit on an air-gapped asset may pose negligible risk compared to a mid-CVSS vulnerability with a newly available exploit on an externally exposed asset. Without understanding these nuances, organisations are in danger of wasting precious time chasing low-priority issues while leaving their most vulnerable assets exposed.

 

Risk-based prioritisation offers a way out of this quagmire. Instead of treating every CVE as an equal threat, this approach helps security teams focus on vulnerabilities that truly matter. 

 

This strategy integrates multiple data sources such as vendor alerts, internal threat intelligence, and CISA’s KEV list to paint a more comprehensive picture of the organisation’s risk landscape.
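The following Python script is an added illustration of the prioritisation logic described above; it is not Hackuity’s code or any product’s scoring model. It enriches raw scanner findings with two extra data sources, an asset inventory (exposure and business criticality) and a threat-intelligence feed (exploit maturity plus a stand-in for CISA’s KEV list), and ranks each finding by contextual risk rather than by CVSS alone. All asset names, CVE identifiers (written as CVE-XXXX-NNNN placeholders) and weights are constructed for the example, and the weights are one defensible choice among many, not a standard.

```python
"""Risk-based CVE prioritisation (illustrative, constructed data).

Raw scanner findings (CVE + asset + CVSS) are joined with asset context
and threat intelligence, scored, banded and sorted, so that a high-CVSS
CVE on an air-gapped box ranks below a mid-CVSS CVE with a fresh exploit
on an internet-facing host.
"""
from dataclasses import dataclass

# Constructed asset inventory: network exposure and business criticality (1-3).
ASSETS = {
    "hmi-plc-01":   {"exposure": "air_gapped", "criticality": 3},
    "web-edge-01":  {"exposure": "internet",   "criticality": 3},
    "vpn-gw-01":    {"exposure": "internet",   "criticality": 2},
    "print-srv-02": {"exposure": "internal",   "criticality": 1},
}

# Constructed threat-intel feed: best-known exploit maturity per CVE.
EXPLOIT_STATUS = {
    "CVE-XXXX-0001": "none",
    "CVE-XXXX-0002": "poc",
    "CVE-XXXX-0003": "weaponised",
    "CVE-XXXX-0004": "none",
}

# Constructed stand-in for the CISA Known Exploited Vulnerabilities catalogue.
KEV = {"CVE-XXXX-0003"}

# Illustrative weights (assumptions, not a standard): how much each context
# factor scales the CVSS base score.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.6, "air_gapped": 0.15}
EXPLOIT_WEIGHT = {"none": 0.3, "poc": 0.7, "weaponised": 1.0}
KEV_BOOST = 1.5  # known in-the-wild exploitation outranks theoretical severity


@dataclass
class Finding:
    cve: str
    asset: str
    cvss: float


@dataclass
class RankedFinding:
    cve: str
    asset: str
    cvss: float
    score: float   # 0-100 contextual risk
    band: str      # urgent / high / medium / low


def contextual_score(cvss, exposure, exploit, criticality, in_kev):
    """Scale CVSS (0-10) by exposure, exploit maturity and asset criticality.

    KEV membership also forces the exploit weight to 'weaponised' and applies
    a boost, since exploitation is already observed. Result is capped at 100.
    """
    exploit_w = EXPLOIT_WEIGHT["weaponised"] if in_kev else EXPLOIT_WEIGHT[exploit]
    score = (cvss / 10.0) * EXPOSURE_WEIGHT[exposure] * exploit_w * (criticality / 3.0)
    if in_kev:
        score *= KEV_BOOST
    return round(min(score, 1.0) * 100, 1)


def band(score):
    """Map a 0-100 score to a remediation band (thresholds are assumptions)."""
    if score >= 70:
        return "urgent"
    if score >= 40:
        return "high"
    if score >= 15:
        return "medium"
    return "low"


def prioritise(findings):
    """Enrich each finding with asset and intel context, score and rank it."""
    ranked = []
    for f in findings:
        asset = ASSETS.get(f.asset, {"exposure": "internal", "criticality": 2})
        exploit = EXPLOIT_STATUS.get(f.cve, "none")   # unknown CVE: assume no exploit
        score = contextual_score(f.cvss, asset["exposure"], exploit,
                                 asset["criticality"], f.cve in KEV)
        ranked.append(RankedFinding(f.cve, f.asset, f.cvss, score, band(score)))
    # Highest contextual risk first; CVSS only breaks ties.
    return sorted(ranked, key=lambda r: (r.score, r.cvss), reverse=True)


# Constructed scanner output: note the 9.8 sits on the air-gapped PLC.
SAMPLE_FINDINGS = [
    Finding("CVE-XXXX-0001", "hmi-plc-01", 9.8),
    Finding("CVE-XXXX-0002", "web-edge-01", 6.5),
    Finding("CVE-XXXX-0003", "vpn-gw-01", 7.5),
    Finding("CVE-XXXX-0004", "print-srv-02", 5.3),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_FINDINGS):
        print(f"{r.band:6} {r.score:5.1f}  {r.cve}  {r.asset}  (CVSS {r.cvss})")
```

Run as-is, the 7.5 CVE on the internet-facing VPN gateway (in KEV) ranks first and the 6.5 with a public proof-of-concept on the edge web server second, while the 9.8 on the air-gapped PLC lands in the lowest band; the ordering flips entirely if the same CVSS scores are sorted without context. In practice the inventory, exploit-status and KEV inputs would come from the organisation’s CMDB, its intelligence feeds and the published KEV catalogue rather than inline dictionaries.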

 

VOC and automation as game-changers

While diverse sources of vulnerability data are important, they are only half the battle. Better intelligence is of limited use if the team can’t move quickly and efficiently enough to put it into practice.

 

This is where the Vulnerability Operations Centre (VOC) comes in, an approach designed to centralise and streamline vulnerability management. Think of it as a new take on the tried and tested SOC set-up but with a laser focus on tackling vulnerabilities.

 

The VOC unites siloed teams like security, IT, and DevOps onto a single platform, ensuring they work in harmony instead of at cross-purposes. By breaking down communication barriers, the VOC helps align priorities, reduce duplicated efforts, and close critical security gaps. This means that organisations can respond faster and more effectively.

 

Automation further amplifies the VOC’s power. With a manual approach, key activities like triaging vulnerabilities or analysing risk factors are slow and labour-intensive, often unable to keep pace with today’s threat landscape. Automated tools step in to take over these routine tasks, cutting down on human error and freeing teams to focus on strategic decision-making. For instance, automated triaging can identify the most pressing vulnerabilities in seconds, giving teams a clear roadmap to action.

 

By combining a VOC’s structured approach with automation’s efficiency, security teams can transform overwhelming workloads into actionable insights, streamlining their efforts and reducing burnout. 

 

A smarter, self-reliant future

The number of incoming vulnerabilities is increasing exponentially. While around 18,000 new CVEs were recorded in 2020, the NVD has already received more than 39,000 this year at the time of writing. 

 

It’s time to move past outdated vulnerability management. With better vulnerability information informing risk-based prioritisation and a more streamlined and automated approach to delivering updates, organisations can keep ahead of the constant influx of new vulnerabilities in 2025 and beyond. 

 


 

Pierre Samson is CRO at Hackuity

 

Main image courtesy of iStockPhoto.com and Olemedia
