The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is offering guidance for advancing the vulnerability management ecosystem.
In a November 10th blog post, Eric Goldstein, CISA Executive Assistant Director for Cybersecurity, outlines a three-step approach that organizations of any size can take to continue to make progress in efforts to thwart adversaries. They are:
1. Achieving automation
Publish machine-readable security advisories based on the Common Security Advisory Framework (CSAF).
2. Clarifying impact
Use Vulnerability Exploitability eXchange (VEX) to communicate whether a product is affected by a vulnerability and enable prioritized vulnerability response.
3. Prioritizing based on organizational attributes
Use vulnerability management frameworks, such as Stakeholder-Specific Vulnerability Categorization (SSVC), which utilize exploitation status and other vulnerability data to help prioritize remediation efforts.
See the full blog post for more details on each critical step.
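As an added example (not CISA's code and not its published decision tree), a small Python model of SSVC-style prioritization: it uses the decision points named in CISA's SSVC guide (exploitation status, automatable, technical impact, mission and well-being) and its four outcomes (Track, Track*, Attend, Act), but the rules that map those inputs to an outcome are an illustrative assumption, and the sample inventory and its identifiers are constructed.

```python
from dataclasses import astuple, dataclass
# Decision points and outcome names follow CISA's SSVC guide; the mapping rules
# below are a simplified illustration (assumption), not CISA's published tree.
VOCAB = (("none", "poc", "active"),   # exploitation: none / PoC / in the wild
         ("no", "yes"),               # automatable
         ("partial", "total"),        # technical impact
         ("low", "medium", "high"))   # mission & well-being
OUTCOME_RANK = {"Act": 0, "Attend": 1, "Track*": 2, "Track": 3}

@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    exploitation: str
    automatable: str
    technical_impact: str
    mission_wellbeing: str

    def __post_init__(self):
        # Reject values outside the decision-point vocabularies before scoring.
        for value, allowed in zip(astuple(self)[1:], VOCAB):
            if value not in allowed:
                raise ValueError(f"{self.vuln_id}: {value!r} not in {allowed}")

def ssvc_decision(v: Vuln) -> str:
    """Illustrative tree: exploitation status first, other points refine it."""
    total = v.technical_impact == "total"
    auto = v.automatable == "yes"
    high = v.mission_wellbeing == "high"
    if v.exploitation == "active":
        return "Act" if (high or total) else "Attend"
    if v.exploitation == "poc":
        if high and (auto or total):
            return "Attend"
        return "Track" if (v.mission_wellbeing == "low" and not auto) else "Track*"
    # No known exploitation: only the worst combination escapes plain tracking.
    return "Track*" if (auto and total and high) else "Track"

def prioritize(vulns):
    """Return (id, outcome) pairs, most urgent outcome first; stable within a tier."""
    return sorted(((v.vuln_id, ssvc_decision(v)) for v in vulns),
                  key=lambda pair: OUTCOME_RANK[pair[1]])

# Constructed sample inventory with placeholder identifiers, not real CVEs.
SAMPLE = [
    Vuln("VULN-A", "none", "yes", "total", "medium"),
    Vuln("VULN-B", "active", "no", "partial", "low"),
    Vuln("VULN-C", "poc", "yes", "total", "high"),
    Vuln("VULN-D", "active", "yes", "total", "high"),
]
```

Note how the same product-level facts (automatable, total impact) produce a different outcome once exploitation status changes, which is the point of feeding exploitation data into the decision rather than relying on a static severity score alone.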
"CISA encourages every organization to use a vulnerability management framework that considers a vulnerability's exploitation status, such as SSVC," Goldstein wrote.
To further assist, CISA released new website features related to using SSVC that organizations can access:
• An SSVC webpage introducing CISA's SSVC decision tree
• The CISA SSVC Guide instructing how to use the scoring decision tree
• The CISA SSVC Calculator for evaluating how to prioritize vulnerability responses in an organization's respective environment
"The SSVC is more guidance to focus decision making, whereas the CVE values will still play an important role in the process," said Andrew Barratt, Vice President at Coalfire. "The decision tree really helps with categorizing and then prioritizing action, and will allow for multiple vulnerability impacts on each other to be considered as part of an attack chain."
"The guidance gives an organizational framework that should help with priorities, particularly during intense commercial periods such as the holidays when only a finite number of things can be done. This can help prioritize the most dangerous vulnerabilities when considering how they may be leveraged and serve as a tool to organize the information, such that it is easily revisited. I can imagine vendors in the vulnerability management space adopting this alongside MITRE ATT&CK so that management tools can help."