CISA takes first step in prioritizing risk: what’s next?

Companies and government agencies are trying to keep up as the cyberthreat landscape becomes more dangerous and attackers evolve their methods. The next move looks like a good one for the Cybersecurity and Infrastructure Security Agency (CISA).

CISA injected fresh blood in July when Jen Easterly was sworn in as director. Her addition came on the heels of three new administration appointees in February for a new-look leadership team. Easterly has taken a novel approach, like enlisting white-hat hackers as advisors, and made another splash with a directive that requires federal agencies to remediate a list of nearly 300 vulnerabilities. Easterly called the directive “groundbreaking in that for the first time, this is really giving timelines to remediate those specific vulnerabilities that we know have been actively exploited by adversaries.”

After digging into the catalog of vulnerabilities, it’s clear that her approach, and likely the new direction for the agency as a whole, will focus on risk mitigation.

For instance, not all of the vulnerabilities are new. We would normally expect CISA to just go by the latest and highest Common Vulnerability Scoring System (CVSS) rating when determining what’s most important. But the list includes CVE-2017-9805, the 2017 Apache Struts 2 vulnerability that was responsible for the Equifax breach and has a CVSS score of 8.1. According to our data, it’s the most exploited vulnerability on the list. Clearly CISA dug deeper and developed a new playbook that looks at the most dangerous vulnerabilities, a proven risk-based vulnerability management strategy, rather than just the newest threats.

The list spans from exploits we know are widespread, like Apache Struts, to vulnerabilities that are rarely exploited because they require direct, physical access to an asset. Our data shows that CISA’s list is generally indicative of the vulnerabilities that pose the most risk to companies, even if the CVSS score doesn’t reflect that. Data shows that organizations that do have these vulnerabilities have done a good job at remediating them quickly.

Why risk-based vulnerability management makes sense

Much like CISA’s newfound approach, the organizations that remediate the most dangerous vulnerabilities quickest are looking through the lens of risk. A series of research reports from the Cyentia Institute says this is the most effective way to go because while roughly one-third of all published Common Vulnerabilities and Exposures (CVEs) are observed within organizations and 23% have an associated exploit, only 5% of all CVEs are both observed within organizations and known to be exploited.

Our data shows that not only does CISA’s list include vulnerabilities that pose more of a threat, but companies are remediating them faster than most other vulnerabilities. The CISA directive gives agencies 60 days to remediate these vulnerabilities from November 3, when the list was published. According to our data, based on the list CISA chose, companies should have the ability to remediate roughly 75% of the vulnerabilities in that time. The Cyentia research shows that, generally, Mean Time To Remediation (MTTR) for open vulnerabilities runs at 183 days.

While the overall list takes a great step in the right direction for CISA, not every vulnerability falls under that “important” category. Forty-six of the vulnerabilities in the catalog required local access. In other words, prioritization isn’t binary. We need to base the goal of prioritizing remediation based on risk and while exploitations “in the wild” are certainly a factor, it’s not the only factor.

What’s CISA’s next step?

It appears that CISA will continue to update this list (in fact they already have) and present new guidance on which vulnerabilities pose the greatest risk to agencies and companies. It’s a great step for CISA and the agency should follow that path going forward.

We have seen in the private sector that companies using risk-based vulnerability management are getting quicker and smarter at remediation. Security teams need all the help they can get because the number of CVEs has increased steadily since 2017 and the question isn’t whether 2021 will break the record again, but rather by how much.

CISA has a tall task to try and bridge the gap between government and private companies when it comes to a cybersecurity landscape that’s only growing more complex and increasingly dangerous. Using risk-based methodologies and taking a tougher stance against disinformation and misinformation is only the beginning.

To make further strides in cybersecurity, CISA should consider additional factors that lead to exploitability such as software and vulnerability prevalence. There were a few vulnerabilities in the list that stood out as odd when it comes to actual existence within agencies as we didn’t see them across any of the hundreds of enterprises we monitor. Additionally, agencies will need to prioritize based on the assets these vulnerabilities affect. Overall, it’s a good step forward focusing on exploitability. I hope this continues to evolve and we start to see a more proactive approach to vulnerability prioritization and remediation.

Ed Bellis,  founder and CTO, Kenna Security, now a part of Cisco