CISA works to transform vulnerability management, as number and complexity remain challenging 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) addressed the need to transform the vulnerability management landscape. It identifies that in the current risk environment, organizations of all sizes are challenged to manage the number and complexity of new vulnerabilities. Organizations with mature vulnerability management programs seek more efficient ways to triage and prioritize efforts, while smaller organizations struggle with understanding where to start and how to allocate limited resources. Fortunately, there is a path toward more efficient, automated, prioritized vulnerability management.

After working with partners across the government and the private sector, CISA called upon every organization on Thursday to use a vulnerability management framework that considers a vulnerability’s exploitation status, such as SSVC. It laid down three critical steps to advance the vulnerability management ecosystem. These include introducing greater automation into vulnerability management, including by expanding the use of the Common Security Advisory Framework (CSAF), while also making it easier for organizations to understand whether a given product is impacted by a vulnerability through widespread adoption of Vulnerability Exploitability eXchange (VEX). 

Additionally, it sought to help organizations prioritize vulnerability management resources through the use of Stakeholder Specific Vulnerability Categorization (SSVC), including prioritizing vulnerabilities on CISA’s Known Exploited Vulnerabilities (KEV) catalog. 

“When a new vulnerability is identified, software vendors jump into action: understanding impacts to products, identifying remediations, and communicating to end users,” Eric Goldstein, executive assistant director for cybersecurity, wrote in a blog post. “But as we know, the clock is ticking: adversaries are often turning vulnerabilities to exploits within hours of initial public reports. Software vendors work constantly to understand if their products are impacted by a new vulnerability. To meet this timeframe, our community needs a standardized approach for vendors to disclose security vulnerabilities to end users in an accelerated and automated way.”

The CSAF, developed by the OASIS CSAF Technical Committee, is a standard for machine-readable security advisories. CSAF provides a standardized format for ingesting vulnerability advisory information and simplifies triage and remediation processes for asset owners. By publishing security advisories using CSAF, vendors will dramatically reduce the time required for enterprises to understand organizational impact and drive timely remediation.

Goldstein wrote that VEX allows a vendor to assert whether specific vulnerabilities affect a product; a VEX advisory can also indicate that a product is not affected by a vulnerability. “Not all vulnerabilities are exploitable and put an organization at risk. To help reduce effort spent by users investigating vulnerabilities, vendors can issue a VEX advisory that states whether a product is or is not affected by a specific vulnerability in a machine-readable, automated way. VEX is implemented as a profile in CSAF and is one of its more popular use cases, aligning with the existing work supporting machine-readable advisories,” he added.

Pointing out that the goal of VEX is to support greater automation across the vulnerability ecosystem, including disclosure, vulnerability tracking, and remediation, Goldstein said that VEX data can also support more effective use of software bill of materials (SBOM) data. “An SBOM is a machine-readable, comprehensive inventory of software components and dependencies. Machine-readable VEX documents support linking to an SBOM and specific SBOM components,” he added. 

While SBOM gives an organization information on where they are potentially at risk, a VEX document helps an organization find out where they are actually affected by known vulnerabilities, and if actions need to be taken to remediate based on exploitation status, according to Goldstein.
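To make the SBOM-versus-VEX distinction concrete, here is an added example (not code from CISA or the CSAF project) that reads a constructed, minimal CSAF 2.0 document in the VEX profile and decides, for one product, which CVEs actually require action. The `product_status` keys are the ones defined by the CSAF specification; the CVE identifiers, product IDs and the stand-in KEV set are constructed placeholders.

```python
import json

# Constructed minimal CSAF VEX document; required document metadata is
# trimmed to the fields this example reads. Not a real vendor advisory.
VEX_JSON = """
{
  "document": {"category": "csaf_vex", "title": "Constructed VEX example"},
  "product_tree": {"full_product_names": [
    {"product_id": "APP-1.2", "name": "ExampleApp 1.2"},
    {"product_id": "APP-1.3", "name": "ExampleApp 1.3"}]},
  "vulnerabilities": [
    {"cve": "CVE-0000-0001",
     "product_status": {"known_affected": ["APP-1.2"], "fixed": ["APP-1.3"]}},
    {"cve": "CVE-0000-0002",
     "product_status": {"known_not_affected": ["APP-1.2", "APP-1.3"]},
     "flags": [{"label": "vulnerable_code_not_present",
                "product_ids": ["APP-1.2", "APP-1.3"]}]},
    {"cve": "CVE-0000-0003",
     "product_status": {"under_investigation": ["APP-1.2", "APP-1.3"]}}]
}
"""

# Constructed stand-in for a KEV catalog lookup (the real catalog is a JSON feed).
KEV_CVES = {"CVE-0000-0001"}

# CSAF product_status keys consulted here (spec also defines first_/last_affected etc.)
STATUS_KEYS = ("known_affected", "known_not_affected", "fixed", "under_investigation")


def vex_status(vex: dict, product_id: str) -> dict:
    """Map every CVE in the VEX document to its asserted status for one product_id."""
    result = {}
    for vuln in vex["vulnerabilities"]:
        for key in STATUS_KEYS:
            if product_id in vuln.get("product_status", {}).get(key, []):
                result[vuln["cve"]] = key
    return result


def triage(vex: dict, product_id: str, kev: set) -> list:
    """Return (cve, action) pairs, KEV-listed affected CVEs first, then other affected
    CVEs, then those still under investigation; not_affected and fixed drop out."""
    ranked = {}
    for cve, status in vex_status(vex, product_id).items():
        if status == "known_affected":
            ranked[cve] = (0, "remediate (on KEV)") if cve in kev else (1, "remediate")
        elif status == "under_investigation":
            ranked[cve] = (2, "track pending vendor update")
    return [(cve, act) for cve, (_, act) in sorted(ranked.items(), key=lambda kv: kv[1][0])]


if __name__ == "__main__":
    for cve, action in triage(json.loads(VEX_JSON), "APP-1.2", KEV_CVES):
        print(cve, action)
```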

Last year, CISA issued Binding Operational Directive (BOD) 22-01, which directs federal civilian agencies to remediate KEVs and encourages all organizations to implement the KEV catalog into their vulnerability management framework. The first publication of KEV vulnerabilities derived from CISA’s use of SSVC occurred last November.

In a guide titled ‘CISA Stakeholder-Specific Vulnerability Categorization Guide,’ CISA said that the CISA SSVC is a customized decision tree model that assists in prioritizing vulnerability response for the United States government (USG), state, local, tribal, and territorial (SLTT) governments, and critical infrastructure (CI) entities. 

The goal of SSVC is to assist in prioritizing the remediation of a vulnerability based on the impact exploitation would have on the particular organization(s). The four SSVC scoring decisions – Track, Track*, Attend, and Act – are used to outline how CISA messages out patching prioritization. Any individual or organization can use SSVC to enhance its own vulnerability management practices.  

CISA explained that the Track scoring decision does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines. For the Track* scoring decision, CISA said that the vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines.

Moving to the Attend scoring decision, CISA said that this type of vulnerability requires attention from the organization’s internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines. 

The Act scoring decision requires attention from the organization’s internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification internally and/or externally. Typically, internal groups would meet to determine the overall response and subsequently work on executing the agreed-upon actions. CISA recommends remediating Act vulnerabilities as soon as possible.

CISA further advised that an organization can determine a vulnerability’s scope by understanding how the boundaries of the affected system are set. Understanding whether a vulnerability that is present across multiple related systems is analyzed as one vulnerability or as several will also help an organization determine the vulnerability’s scope. 
