From Vulnerable to Vigilant: Transforming Vulnerability Management Processes

The vulnerability management landscape has become overwhelming. With over 25,000 CVEs published in 2022 alone, security teams are drowning in a sea of severity scores that often don’t reflect real-world risk. It’s time to move beyond traditional CVSS-based approaches and focus on what actually matters.

The Vulnerability Explosion Problem

The numbers are staggering: since 2000, we’ve seen over 200,000 published CVEs, with the annual count growing from around 1,000 in the early 2000s to over 25,000 in recent years. This exponential growth has created a critical challenge for security teams.

The real question isn’t “How many vulnerabilities exist?” but rather “Which ones actually pose a threat to my organisation?”

Why CVSS Scores Fall Short

CVSS Base Scores are designed to measure the technical severity of vulnerabilities, but they don’t account for:

  • Whether the vulnerability is actually exploitable in your environment
  • If there are active exploits in the wild
  • The likelihood of future exploitation
  • Your organisation’s specific risk profile

The result: teams waste time patching high-severity vulnerabilities that pose little real risk while missing lower-severity vulnerabilities that are actively being exploited.

A Better Approach: KEV and EPSS

CISA’s Known Exploited Vulnerabilities (KEV) catalog identifies vulnerabilities that are actively being exploited in the wild. These represent a clear and present danger to organisations.

The Exploit Prediction Scoring System (EPSS) uses machine learning to predict which vulnerabilities are likely to be exploited in the next 30 days, giving you a head start on remediation.

Combined, these tools help you focus on the vulnerabilities that actually matter:

Year   Total CVEs   Exploitable      KEV   EPSS > 0.90
2020   18,350       251 (1.37%)      131   143
2021   20,158       911 (4.52%)      187   145
2022   25,101       1,023 (4.08%)    117   64
2023   18,914       1,137 (6.01%)    69    20

Note: Some CVEs appear in multiple categories, so these numbers aren’t mutually exclusive.

Implementing a Risk-Based Triage Process

Step 1: Immediate Action Items

  • Prioritise all vulnerabilities on the KEV list
  • Assess their relevance to your environment
  • Schedule immediate remediation for applicable items

Step 2: High-Probability Threats

  • Review vulnerabilities with EPSS scores above 0.90
  • Evaluate their potential impact on your systems
  • Plan remediation within 30 days

Step 3: Theoretical Exploits

  • Assess remaining exploitable vulnerabilities
  • Consider your specific threat landscape
  • Schedule based on business risk and available resources

The CVE-2023-26083 Case Study

This vulnerability perfectly illustrates why traditional scoring fails:

  • CVSS Score: 3.3 (Low severity)
  • EPSS Score: 0.001 (less than 1% chance of exploitation)
  • Reality: Actively exploited by spyware vendors targeting Android devices

The lesson: Even “low” severity vulnerabilities can pose significant risk when they’re actively being exploited. This is why KEV and EPSS are more valuable than CVSS scores alone.
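The three-step triage process above, and the way it reorders CVE-2023-26083 relative to a CVSS-only queue, as an added worked example (this is not the article's own tooling). In practice the two intelligence inputs would be pulled from CISA's KEV JSON feed and the FIRST EPSS API; here a KEV excerpt and a handful of scan findings are constructed inline so the script runs offline. The Finding fields, tier names, SLA values and the CVE-0000-* identifiers are assumptions made for illustration; only CVE-2023-26083 and its quoted CVSS and EPSS scores come from the article.

```python
"""Risk-based triage: KEV first, then EPSS > 0.90, then everything else.

Added example; data, field names and tier names are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Threshold from Step 2 of the process above.
EPSS_HIGH = 0.90

# Remediation deadline in days per tier (None = schedule on business risk).
SLA_DAYS: dict[str, Optional[int]] = {
    "immediate": 0,          # Step 1: on the KEV list and applicable to us
    "high-probability": 30,  # Step 2: EPSS above the threshold
    "theoretical": None,     # Step 3: exploitable, no evidence of active or likely exploitation
    "not-applicable": None,  # vulnerable component not present or not reachable here
}

# Constructed KEV catalog excerpt. CVE-2023-26083 is the article's case study;
# the CVE-0000-* entry is a placeholder, not a real vulnerability.
KEV_CATALOG = {"CVE-2023-26083", "CVE-0000-0009"}


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float            # CVSS base score (technical severity only)
    epss: float            # EPSS probability of exploitation in the next 30 days
    asset: str
    asset_critical: bool   # output of asset categorisation
    applicable: bool       # vulnerable component present and reachable in our environment


@dataclass(frozen=True)
class Decision:
    finding: Finding
    tier: str
    due_in_days: Optional[int]
    reason: str


def triage(finding: Finding, kev: set[str]) -> Decision:
    """Assign one finding to a tier. Order matters: applicability, then KEV, then EPSS."""
    if not finding.applicable:
        return Decision(finding, "not-applicable", None,
                        "vulnerable component not present or not reachable")
    if finding.cve in kev:
        return Decision(finding, "immediate", SLA_DAYS["immediate"],
                        "listed in CISA KEV: known active exploitation")
    if finding.epss > EPSS_HIGH:
        return Decision(finding, "high-probability", SLA_DAYS["high-probability"],
                        f"EPSS {finding.epss:.2f} exceeds {EPSS_HIGH}")
    return Decision(finding, "theoretical", None,
                    f"no exploitation evidence (EPSS {finding.epss:.3f}, CVSS {finding.cvss})")


def prioritised(findings: list[Finding], kev: set[str]) -> list[Decision]:
    """Triage every finding and build the work queue: tier first, then critical
    assets, then EPSS descending. CVSS is deliberately only a final tie-breaker."""
    order = {"immediate": 0, "high-probability": 1, "theoretical": 2, "not-applicable": 3}
    decisions = [triage(f, kev) for f in findings]
    decisions.sort(key=lambda d: (order[d.tier], not d.finding.asset_critical,
                                  -d.finding.epss, -d.finding.cvss))
    return decisions


def cvss_only_order(findings: list[Finding]) -> list[str]:
    """The traditional queue (highest CVSS first), kept to show what the risk-based queue changes."""
    return [f.cve for f in sorted(findings, key=lambda f: -f.cvss)]


# Constructed sample scan output. CVE-2023-26083 carries the scores quoted in the
# article; the CVE-0000-* identifiers are placeholders, not real vulnerabilities.
SAMPLE_FINDINGS = [
    Finding("CVE-2023-26083", cvss=3.3, epss=0.001, asset="mdm-gateway", asset_critical=True, applicable=True),
    Finding("CVE-0000-0001", cvss=9.8, epss=0.02, asset="build-runner", asset_critical=False, applicable=True),
    Finding("CVE-0000-0002", cvss=7.5, epss=0.95, asset="web-frontend", asset_critical=True, applicable=True),
    Finding("CVE-0000-0003", cvss=9.1, epss=0.40, asset="lab-vm", asset_critical=False, applicable=False),
    Finding("CVE-0000-0004", cvss=5.3, epss=0.92, asset="internal-wiki", asset_critical=False, applicable=True),
]

if __name__ == "__main__":
    print("CVSS-only queue:", cvss_only_order(SAMPLE_FINDINGS))
    for d in prioritised(SAMPLE_FINDINGS, KEV_CATALOG):
        due = "schedule by business risk" if d.due_in_days is None else f"due in {d.due_in_days} days"
        print(f"{d.tier:17} {d.finding.cve:16} CVSS {d.finding.cvss:<4} {due:26} {d.reason}")
```

Run as-is, the CVSS-only queue puts CVE-2023-26083 last (score 3.3), while the risk-based queue puts it first because it is on the KEV list. Note that the applicability check runs before the KEV check: a KEV entry for a component you do not run still needs the Step 1 relevance assessment, it just does not consume an immediate remediation slot.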

Building a Holistic Vulnerability Management Strategy

Asset Categorisation is crucial for effective prioritisation:

  • Identify your most critical systems
  • Understand your attack surface
  • Focus remediation efforts where they matter most

Clear Roles and Responsibilities ensure accountability:

  • Define who owns each system or application
  • Establish clear remediation timelines
  • Create escalation procedures for high-risk vulnerabilities

Diversified Intelligence Sources provide comprehensive coverage:

  • Don’t rely solely on one vulnerability database
  • Monitor CVE Numbering Authorities (CNAs) directly
  • Subscribe to threat intelligence feeds relevant to your industry

Effective Communication translates technical risks into business language:

  • Present vulnerabilities in terms of business impact
  • Align security initiatives with organisational objectives
  • Get buy-in from leadership for necessary remediation efforts

Australian-Specific Considerations

Essential Eight compliance requires a risk-based approach to vulnerability management:

  • Focus on vulnerabilities that could compromise Essential Eight controls
  • Prioritise patches that improve your overall security posture
  • Document your risk assessment process for audit purposes

Privacy Act requirements mean considering data exposure risks:

  • Prioritise vulnerabilities that could lead to data breaches
  • Consider the sensitivity of data stored on affected systems
  • Ensure your triage process supports breach notification requirements

Common Pitfalls to Avoid

Don’t ignore low-severity vulnerabilities that are actively being exploited – severity and exploitability are different things.

Don’t rely on a single source for vulnerability intelligence – diversify your information sources.

Don’t forget about your specific environment – a vulnerability that’s critical for one organisation might be irrelevant for another.

Don’t skip the business context – technical severity doesn’t always translate to business risk.

The Bottom Line

Effective vulnerability management isn’t about patching everything – it’s about patching the right things at the right time. By focusing on KEV and EPSS rather than CVSS scores alone, you can:

  • Reduce the noise in your vulnerability management process
  • Focus resources on threats that actually matter
  • Improve your overall security posture
  • Make better risk-based decisions

The goal isn’t to eliminate every vulnerability, but to ensure that the vulnerabilities that pose real risk to your organisation are addressed promptly and effectively.

Ready to transform your vulnerability management process? Start by integrating KEV and EPSS into your existing workflow, then gradually build out the supporting processes that make risk-based prioritisation effective.