(Internet) risk = probability of occurrence x damage

Here’s how to use CVSS to enhance network resiliency

At the end of 2023, Common Vulnerability Scoring System (CVSS) v4.0 was released, replacing the eight-year-old CVSS v3.0, aiming to strengthen vulnerability assessment by the industry and the public. This latest version introduces additional metrics such as security and automation to address criticism of a lack of granularity, while proposing a revised scoring system for a more comprehensive assessment. It further emphasizes the importance of considering environmental and threat indicators as well as base scores to accurately assess vulnerabilities.

Why does this matter?

The main purpose of CVSS is to assess the risks associated with vulnerabilities. Some vulnerabilities, particularly those found in networking products, pose clear and significant risks because they can be easily exploited by an unauthenticated attacker to remotely control an affected system. These vulnerabilities have been exploited frequently over the years and often serve as entry points for ransomware attacks.

Vulnerability assessment systems employ predefined factors to objectively quantify the likelihood and potential impact of a vulnerability. In these systems, CVSS has become an internationally recognized standard for characterizing critical vulnerabilities and determining severity levels.

CVSS evaluates vulnerabilities based on various criteria, exploit indicators, and predefined options for each indicator. These metrics help calculate a severity score ranging from 0.0 to 10.0, where 10.0 represents the highest severity level. These numerical scores are then mapped to qualitative categories such as “None,” “Low,” “Medium,” “High,” and “Critical,” reflecting terminology commonly used in vulnerability reports.

The indicators used to determine severity are divided into three groups:

1. Basic indicators
2. time indicator
3. Environmental indicators

Each group provides specific insights into different aspects of the vulnerability, helping to fully assess its severity and potential impact.

By exploiting Common Vulnerabilities and Exposures (CVE) identifiers:

• Companies can effectively track known vulnerabilities in their systems, allowing them to allocate resources for patching and remediation based on the level of risk each vulnerability poses.
• They ensure limited resources are used efficiently to address critical safety issues.
• Standardization through CVSS and CVE Enhance interoperability between security tools and systemsby correlating network events with known vulnerabilities, potential threats can be more accurately detected and responded to.
• CVSS and CVE facilitate the integration of threat intelligence sources with security tools, allowing threats to be identified and prioritized based on their association with known CVEs.
• It’s okay to know CVSS scores and CVE identifiers Faster and more effective incident response, Provide security teams with actionable information for rapid mitigation using tools that automatically correlate network incidents with relevant CVEs.
• Understanding CVSS and CVE can help companies conduct meetings Supervision compliance requirementsenabling them to identify, prioritize and resolve vulnerabilities according to regulatory frameworks.

CVSS helps assess the severity of vulnerabilities, allowing companies to effectively prioritize patching and mitigation efforts, focusing resources on addressing critical vulnerabilities first.

Where is it used?

Security tools such as EDR benefit from regularly incorporating information from reputable CVE repositories. These repositories provide detailed information about known vulnerabilities, including their unique CVE identifiers and corresponding CVSS scores.

1. By aligning CVEs with signatures, EDR develops rules or signatures based on CVE details, with each signature corresponding to the specific vulnerability identified by its CVE.
2. Once it detects activity that matches the signature, the EDR triggers an alert.
3. EDR can then block or quarantine the endpoint in response to CVE-related alerts.
4. Security teams often utilize multiple CVE repositories to monitor vulnerabilities and update their security libraries to protect customers from potential threats.

The result: When a new CVE emerges, the EDR solution is immediately updated with its signature, enabling you to preemptively block zero-day attacks at the network perimeter, often before vendor patches are deployed on vulnerable systems.

While EDRs and firewalls effectively block attempts to exploit known CVEs, they often face challenges in designing common rules and conducting behavioral analysis to identify exploits from emerging or unfamiliar threat vectors.

Network Detection and Response (NDR) takes a holistic approach to network security that goes beyond typical EDR offerings. NDR combines the power of scoring (such as CVSS) and machine learning. EDR relies primarily on signature-based detection, while NDR enhances this with behavior-based anomaly detection.

This enables it to identify threats from known CVEs as well as novel and emerging attack vectors. By analyzing deviations and anomalies, NDR can detect suspicious behavior patterns even before specific signatures are available. It not only relies on historical data but also adapts to changing threats.

More than just known vulnerabilities

EDR excels at blocking known vulnerabilities, while NDR extends its capabilities to zero-day attacks and unknown threat vectors. It does not wait for CVE updates but proactively identifies anomalous activity. It observes network traffic, user behavior and system interactions. It raises an alert if an activity deviates from the norm, regardless of whether it is associated with a specific CVE. NDR continuously learns from online behavior. It adapts to changes, making it effective against novel attack techniques.

NDR can raise alerts based on anomalous behavior even if the attack vector has never been seen before. Last but not least, NDR is not limited to endpoints. It monitors network-wide activity and provides broader context. NDR capabilities enable it to correlate events across the entire infrastructure.

When combined with EDR, NDR enables rapid response to threats. It not only relies on endpoint-based rules but also takes into account network-wide patterns.

Make it countable!

Risk-based alerting (RBA) takes a dynamic threat detection and response approach and is the cornerstone of cybersecurity effectiveness. By prioritizing alerts based on pre-set risk levels, RBA simplifies the job and allows security teams to focus on what matters most, reducing alert volume and optimizing resource allocation. CVSS is a key element of effective risk management, providing a standardized framework for assessing vulnerabilities based on their severity. High-scoring vulnerabilities indicate high exploitability or impact and require immediate attention and strong protective measures.

CVSS merges with a risk-based approach to enable organizations to identify and address vulnerabilities and proactively strengthen cyber defenses. Understanding CVSS and CVE can enhance risk assessment, help with resource allocation, and prioritize patching and remediation efforts.

NDR integrates risk assessment into its core functionality so you can prioritize alerts based on severity and potential impact. You can customize alert thresholds to match their risk tolerance, ensuring relevant alerts and optimizing resource allocation while reducing noise.

The effectiveness of RBA is amplified when combined with NDR solutions. NDR leverages continuous monitoring and machine learning algorithms to provide real-time insights into network activity and respond quickly to potential threats by assessing the risks associated with detected events.

NDR, ML, RBA and CVS combine to enhance security measures and risk management in the field of cybersecurity:

• NDR’s machine learning algorithms enable early threat detection and promote proactive security measures by analyzing behavior-based anomalies.
• Machine learning-driven insights continuously monitor network traffic and user behavior to enhance risk assessment and quickly respond to potential risks.
• Therefore, by integrating CVSS and ML, NDR provides the confidence to navigate complex cybersecurity environments and improve resource efficiency through simplified alerts based on predefined risk levels.

Leveraging CVSS scoring, NDR provides granular risk assessment and prioritizes alerts based on vulnerability severity, ensuring rapid response to high-severity CVE-related alerts. Organizations can customize alert thresholds based on CVSS scores to focus on vulnerabilities above a specific threshold. Integrating CVSS scores and CVE identifiers puts alerts into context, guides informed decision-making during incident response, and prioritizes remediation efforts based on severity.

For more guidance on integrating CVSS, download our CVSS Handbook here!

recover

Understanding CVSS and CVE is critical for companies and security teams. Companies can benefit by effectively allocating resources to prioritize patching and remediation based on CVE identifiers. Standardization through CVSS and CVE enhances interoperability between security tools and facilitates accurate threat detection and response.

NDR integrates CVSS and ML and goes beyond EDR through behavior-based anomaly detection to identify threats beyond known CVEs. NDR’s adaptability to changing threats and its network-wide monitoring capabilities make it effective against zero-day attacks and unknown threat vectors. Download our CVSS brochure to learn more!