The Challenge of Sticking to CISA’s Vulnerability Framework

The Cybersecurity and Infrastructure Security Agency created a framework for prioritizing vulnerabilities but following it manually can be a challenge. Here’s why, and what organizations can do to stay safe.

Sarah Gray, Director of Product Marketing, Adaptiva

October 17, 2024


It's becoming increasingly challenging for organizations to keep their systems secure. Adversaries ranging from cybercriminals to nation-state actors are targeting organizations to steal data or demand ransom. One method these malicious actors are using more frequently is the exploitation of vulnerabilities, which tripled as an entry point in 2023 and now accounts for 14% of all breaches. 

This rise in vulnerability exploitation comes at a time when patching has become more complicated than ever. With the prevalence of hybrid roles, IT teams manage more devices, including those purchased by employees, in locations around the globe. 

For guidance on navigating these dangers, the Cybersecurity and Infrastructure Security Agency (CISA) created a framework called the Stakeholder-Specific Vulnerability Categorization (SSVC). The SSVC aims to help organizations prioritize the remediation of vulnerabilities based on the impact that exploiting them would have on the organization. And although the framework was created for use by government organizations, which are frequently strapped for resources, it serves as a good foundation for any entity that needs to prioritize its vulnerabilities. 

When organizations work through the SSVC decision tree, they arrive at one of three possible outcomes that determines the next step for a given vulnerability. These outcomes are: 


  • Track: The potential vulnerability will be monitored. 

  • Attend: Supervisors get involved, either requesting more information or publishing a notification. 

  • Act: Leaders meet with internal groups such as IT and security teams to determine a response and execute it. 

The SSVC is a good framework because it clearly lays out all of the decisions leaders have to make to determine which vulnerabilities to prioritize. It asks questions such as the following: Is the vulnerability being actively exploited? Is that exploitation automatable or potentially automatable? What impact would the vulnerability have on your systems?  

Determining these answers will help organizations decide on what steps to take next. That’s easier said than done.  

With so many data points and research reports to read to begin to answer those questions, it’s not feasible to do it manually, and it could still be a challenge even with basic automation. Even then, results could be inconsistent. So, while SSVC works well as a framework, it doesn’t lay out how an organization can realistically prioritize their vulnerabilities. Here’s why. 
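As an added illustration that is not code from the article and not CISA's published SSVC decision table, the following Python encodes the three questions above (active exploitation, automatability, impact) as a small decision tree that yields Track, Attend or Act. The rule thresholds and the sample inventory with EXAMPLE-n identifiers are assumptions; the point is that a codified tree gives the same answer every time, which is what manual triage struggles to do.

```python
"""Illustrative SSVC-style decision tree (simplified, assumed rules)."""
from dataclasses import dataclass
from typing import Literal

Exploitation = Literal["none", "poc", "active"]
Impact = Literal["partial", "total"]
Outcome = Literal["Track", "Attend", "Act"]

@dataclass(frozen=True)
class Vuln:
    vuln_id: str           # placeholder identifier, not a real CVE
    exploitation: Exploitation
    automatable: bool      # can exploitation be scripted at scale?
    impact: Impact         # technical impact on the affected system

def decide(v: Vuln) -> Outcome:
    """Map the three questions to an outcome.

    Assumed rules (not CISA's table):
      active + (total impact or automatable)  -> Act
      active otherwise, or PoC + (automatable or total) -> Attend
      everything else                         -> Track
    """
    if v.exploitation not in ("none", "poc", "active"):
        raise ValueError(f"unknown exploitation state: {v.exploitation!r}")
    if v.exploitation == "active":
        return "Act" if (v.impact == "total" or v.automatable) else "Attend"
    if v.exploitation == "poc" and (v.automatable or v.impact == "total"):
        return "Attend"
    return "Track"

def prioritize(vulns):
    """Return (outcome, id) pairs ordered Act first, then Attend, then Track."""
    order = {"Act": 0, "Attend": 1, "Track": 2}
    return sorted(((decide(v), v.vuln_id) for v in vulns),
                  key=lambda pair: order[pair[0]])

# Constructed sample inventory; ids are placeholders.
SAMPLE = [
    Vuln("EXAMPLE-1", "active", True, "total"),
    Vuln("EXAMPLE-2", "none", True, "total"),
    Vuln("EXAMPLE-3", "poc", False, "total"),
    Vuln("EXAMPLE-4", "active", False, "partial"),
    Vuln("EXAMPLE-5", "none", False, "partial"),
]

if __name__ == "__main__":
    for outcome, vuln_id in prioritize(SAMPLE):
        print(f"{outcome:6} {vuln_id}")
```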

Silos, Lack of Personnel and Resources  


The first hurdle that stands in the way of an organization following the SSVC framework is the common divisions between IT and security teams. While each team is dedicated to protecting the security of the organization, their priorities differ. Security typically handles seeking out threats and prioritizing them, while IT issues patches and ensures that normal operations aren’t disrupted. 

Executing the SSVC framework efficiently would require a nimble team that can handle vulnerability management from discovery through remediation. Unfortunately, this ideal often meets friction in the real world. Already spread thin, IT and security teams often encounter communication challenges that make a streamlined process difficult. 

The next challenge is lack of personnel. While the number of cybersecurity professionals at large organizations has increased 15% from the previous year, cybersecurity personnel are still overworked. One study found that over 70% of cybersecurity professionals frequently work weekends to manage their organization's security concerns. 

Overall, a lack of resources often gets in the way of adopting a vulnerability remediation framework such as the SSVC. While leaders know that they should be moving faster, the sheer work of prioritizing vulnerabilities gets in the way. There are far too many vulnerabilities to research by hand within a short timeframe to achieve anything approaching the process CISA lays out.  


Automation, Shared Dashboards Help Prioritize 

As laid out above, following through on SSVC requires the right personnel working in lockstep, as well as the resources to make it a reality. When time is of the essence, IT and security teams can't afford to be slowed down by going back and forth to coordinate action.  

So, where to begin? There are a number of ways organizations can keep up with the SSVC framework, including integrating vulnerability management with patch automation. A solution that unites these typically siloed processes can help admins patch vulnerabilities more efficiently by giving administrators the ability to view vulnerability remediation progress in real time, report on their status via dashboards, and prioritize critical vulnerabilities automatically. 

Shared dashboards in particular enable organizations to continuously monitor vulnerabilities based on the rules they set and give all parties the same visibility to these insights. IT and security teams can receive notifications when critical patches will be deployed, so they can monitor success and control the automations if need be. The organization’s technical leads can provide approvals based on test deployments all within the same platform. And in case a patch interferes with an organization’s systems, they can roll it back. Speed and control are the name of the game. 

Final Thoughts 

Following CISA’s framework for prioritization may feel like an impossible task, but the right autonomous solutions make this a reality by empowering IT and security to track, attend, and act at the pace today’s threat environment requires. 

About the Author

Sarah Gray

Director of Product Marketing, Adaptiva

Sarah Gray is the Director of Product Marketing at Adaptiva, a global leader in autonomous endpoint management. 
