Health-ISAC Risk-Based Approach To Vulnerability Prioritization (En)

The focus of the paper is to advocate for a more nuanced and risk-based approach to the Sisyphean task of vulnerability management. In a world where the number of vulnerabilities is so high that it could give anyone trying to patch them all a Sysadmin version of a nervous breakdown, the paper wryly suggests that maybe, just maybe, we should focus on the ones that bad actors are exploiting in the wild. The document acknowledges the absurdity of the traditional "patch everything yesterday" approac

Uploaded by Snarky Security

Read more: Boosty

I. INTRODUCTION

The document titled "Health-ISAC: Risk-Based Approach to Vulnerability Prioritization" discusses the importance of prioritizing vulnerabilities in cybersecurity management. With 25,227 vulnerabilities identified in 2022 and more than 15,000 already in 2023, organizations are overwhelmed by the volume of findings and by the task of triaging them to decide which to address first.

The paper emphasizes the need to mature vulnerability management processes and to move away from traditional severity ratings as the sole driver of remediation. It suggests that organizations implement sustainable frameworks and standards for prioritization in vulnerability management.

This review analyzes the document with a focus on the multifaceted aspects of vulnerability management within the healthcare sector, and examines the strategies and frameworks it recommends for prioritizing vulnerabilities effectively.

The document provides a comprehensive and practical guide to vulnerability prioritization. While it has some drawbacks and limitations, it can be a valuable resource for organizations looking to improve their vulnerability management processes.

II. KEY CONCEPTS

A. Benefits
• Risk-Based Approach: a risk-based approach to vulnerability management helps organizations focus on the vulnerabilities that pose the greatest threat rather than on the largest severity number
• Comprehensive Framework: the framework combines several methods: base CVSS scoring, focusing on known exploited vulnerabilities, considering device context or placement, asset value, compensating controls, and tools like EPSS (Exploit Prediction Scoring System) and SSVC (Stakeholder-Specific Vulnerability Categorization)
• Practical Guidance: the document offers practical guidance on how to implement these methods and tools, making it easier for organizations to adopt them

B. Drawbacks
• Resource Intensive: implementing the suggested methods and tools can be resource-intensive, requiring significant time, effort, and expertise
• Complexity: the approach is complex and may be challenging for smaller organizations or those with less mature security teams to implement

C. Limitations
• Dependent on Accurate Data: the effectiveness of the methods depends on the availability and accuracy of data. For instance, prioritizing by asset value requires an accurate and agreed-upon business impact value for every asset
• Dynamic Threat Landscape: the approach may not fully account for the dynamic nature of the threat landscape. New vulnerabilities and threats emerge constantly, which may require adjustments to the prioritization framework
• Human Element: while the document suggests methods to remove the human element from prioritization, human judgment remains crucial in many aspects of vulnerability management. For instance, determining the effectiveness of compensating controls or interpreting the output of tools like EPSS and SSVC requires human expertise
• Reliance on CVSS Scoring: the document uses the Common Vulnerability Scoring System (CVSS) as a baseline for vulnerability management. While CVSS is a widely accepted standard, it has been criticized for not accurately reflecting the real-world risk of vulnerabilities. The document acknowledges this and suggests supplementing it with EPSS and SSVC, but the reliance on CVSS can still be seen as a limitation
• Lack of Practical Examples: while the document provides a comprehensive theoretical framework for vulnerability prioritization, it would benefit from more practical examples or case studies illustrating how these concepts apply in real-world scenarios

The risk-based approach covers several key concepts:
• Using Base CVSS Scoring: CVSS is the standard used to rate the severity and exploitability of vulnerabilities. However, only 2-7% of all published vulnerabilities are ever exploited in the wild, so treating every high score as equally urgent spreads remediation effort across vulnerabilities that will never be attacked; that is the prioritization gap the paper addresses
• Focusing on Known Exploited Vulnerabilities: the paper suggests a more risk-based approach that focuses on known exploited vulnerabilities. The Cybersecurity and Infrastructure Security Agency (CISA) publishes a catalog of Known Exploited Vulnerabilities (KEV) to help organizations prioritize their remediation efforts
• Device Context or Placement: the network location of a device is a critical factor in vulnerability prioritization. Internet-facing vulnerabilities and misconfigurations should always be a priority, while internally facing assets should fall under an internal service level agreement (SLA) remediation timeline
• Asset Value: the value of an asset is another important factor. Analysts must know an asset's value in order to make use of device context and placement
• Compensating Controls: most organizations have layered security controls, or defense-in-depth strategies, to mitigate attacks. These controls should make vulnerabilities harder to exploit
• EPSS – Exploit Prediction Scoring System: EPSS is a machine-learning model that predicts the probability that a vulnerability will be exploited in the wild. It helps defenders prioritize remediation more effectively
• SSVC – Stakeholder-Specific Vulnerability Categorization: SSVC focuses on values such as the flaw's exploitation status, its impact on safety, and the prevalence of the affected products. It improves vulnerability management processes and accounts for diverse stakeholders

III. USING BASE CVSS SCORING

The paper discusses the use of CVSS as a baseline for vulnerability management, particularly for organizations with smaller security teams or those in the early stages of developing a vulnerability management program.
• Base CVSS Scoring as a Starting Point: for organizations with limited resources or those just starting their program, using the base CVSS score to prioritize and remediate all critical and high severity vulnerabilities can be a good starting point. This approach removes the need for human judgment in prioritization, which can benefit smaller teams or teams with multiple responsibilities
• Limitations of Base CVSS Scoring: while base CVSS scoring is a reasonable start, it has limitations. Remediation teams may be overwhelmed by the sheer number of vulnerabilities they are asked to focus on. Additionally, threat actors do not always exploit the highest severity vulnerabilities; they may instead chain together exploits for several less severe vulnerabilities to gain access to systems
• Need for a More Risk-Based Approach: given the limitations of base CVSS scoring alone, the paper suggests a more risk-based approach that focuses on known exploited vulnerabilities. This significantly reduces the number of vulnerabilities that need immediate attention and ensures practitioners focus on those that pose the greatest threat

CVSS is a framework for rating the severity of security vulnerabilities. It uses three groups of metrics to calculate scores: Base, Temporal, and Environmental.
• Base Metrics: these produce a score from 0 to 10 that reflects the inherent characteristics of a vulnerability, constant over time and across user environments. They are divided into Exploitability Metrics (Attack Vector, Attack Complexity, Privileges Required, and User Interaction), Impact Metrics (the impact on Confidentiality, Integrity, and Availability), and the Scope metric, which records whether exploitation affects resources beyond the vulnerable component
• Temporal Metrics: these reflect characteristics of a vulnerability that may change over time but not across user environments: Exploit Code Maturity, Remediation Level, and Report Confidence. Temporal metrics are optional and produce a temporal score, which is a modification of the Base score
• Environmental Metrics: these let the user adjust the score according to the importance of the affected software, hardware, or data in their environment. The document lists Collateral Damage Potential, Target Distribution, and the Confidentiality, Integrity, and Availability Requirements; note that the first two belong to CVSS v2, while CVSS v3.x keeps the three Security Requirements and replaces the other two with Modified Base metrics that let the user override any Base metric for their own deployment. Like Temporal metrics, Environmental metrics are optional and produce an environmental score, which is a further modification of the Temporal score

The CVSS Base score differs from the Temporal and Environmental scores in that it considers only the inherent, unchanging characteristics of the vulnerability. The Temporal score takes into account factors that change over time, such as whether an exploit has been developed or a patch is available. The Environmental score allows customization based on the importance of the affected assets in a specific user's environment. While the Base score is the same for all users, the Temporal and Environmental scores vary with time and with the user's environment.

The three groups build on each other: the Temporal score is a modification of the Base score, and the Environmental score is a modification of the Temporal score. Changes in the Base metrics therefore affect the Temporal and Environmental scores, and changes in the Temporal metrics affect the Environmental score, but changes in the Environmental metrics affect no other score, because they are specific to the user's environment.

The CVSS base score typically does not change over time. It is a static score that represents the severity of a vulnerability based on the characteristics of the vulnerability itself, such as its impact and exploitability. The interpretation and application of the score, however, can change. An organization might prioritize vulnerabilities not just by CVSS score but also by whether the vulnerability is being actively exploited, the value of the assets that could be affected, the presence of compensating controls, and the context of the device where the vulnerability exists.

Moreover, tools like EPSS and SSVC can supplement the CVSS score. EPSS uses a machine-learning model to predict the likelihood that a vulnerability will be exploited in the wild, providing a dynamic view of the risk posed by the vulnerability. SSVC focuses on values including the flaw's exploitation status, its impact on safety, and the prevalence of the affected products, allowing a more customized and dynamic approach to vulnerability management.

IV. FOCUSING ON KNOWN EXPLOITED VULNERABILITIES

The paper emphasizes the importance of prioritizing known exploited vulnerabilities in cybersecurity risk management.
• Known Exploited Vulnerabilities: the report suggests a risk-based approach that focuses on known exploited vulnerabilities. It cites Binding Operational Directive 22-01 released by CISA, which aims to reduce the risk of known exploited vulnerabilities. The directive notes that less than 4% of all known vulnerabilities have been used by attackers in the wild, so focusing on these can significantly reduce the number of vulnerabilities that need immediate attention
• Prioritization: known exploited vulnerabilities should be the top priority for remediation. This ensures practitioners focus on the vulnerabilities that pose the greatest threat. A process that keeps an organization safe would likely start with CISA's Known Exploited Vulnerabilities (KEV) catalog and then pivot to remediating non-exploited vulnerabilities of critical and high severity
• Reduced Number of Vulnerabilities: this methodology significantly reduces the number of vulnerabilities that need immediate attention. As of July 13, 2023, there were fewer than 1,000 vulnerabilities on the list. It also ensures practitioners focus on the vulnerabilities that pose the greatest threat
• Compliance Obligations: the report also notes that while the directive helps agencies prioritize their remediation work, it does not release them from any compliance obligations, including resolving other vulnerabilities
• CVSS Scoring: the report acknowledges that CVSS scoring can still be part of an organization's vulnerability management efforts, especially for machine-to-machine communication and large-scale automation

Focusing on known exploited vulnerabilities is a critical aspect of vulnerability management. It allows organizations to allocate resources efficiently, reduce risk, develop effective strategies, comply with regulations, prioritize based on threats, and protect valuable assets:
• Efficient Resource Allocation: with thousands of vulnerabilities identified each year, organizations often struggle to manage and remediate all of them with limited resources. Focusing on known exploited vulnerabilities lets organizations direct effort and resources to the vulnerabilities that pose the most significant threat
• Risk Reduction: known exploited vulnerabilities are those that attackers have used in the wild. Prioritizing them significantly reduces risk exposure; for instance, a study found that less than 4% of all known vulnerabilities have been used by attackers in the wild
• Effective Mitigation and Remediation Strategies: prioritizing known exploited vulnerabilities supports the development of effective mitigation and remediation strategies. It helps security teams communicate effectively with stakeholders, identify asset value, and develop remediation policies that preserve the continuity of business-critical systems
• Regulatory Compliance: regulatory bodies such as CISA have directives focused on reducing the risk of known exploited vulnerabilities. Compliance with these directives is another reason to prioritize them
• Threat-Based Prioritization: focusing on known exploited vulnerabilities allows a more threat-based approach to vulnerability management, which ensures practitioners focus on the vulnerabilities that pose the greatest threat to the organization
• Asset Protection: prioritizing known exploited vulnerabilities helps protect valuable assets. If a device of utmost importance to the operation of the business, or one holding critical information, were compromised, it could be catastrophic for the organization

V. DEVICE CONTEXT OR PLACEMENT

The network location of devices is significant in the process of vulnerability prioritization.
• Criticality of Network Location: knowing where a device sits is crucial for prioritizing vulnerabilities, especially when new CVEs and zero-days are disclosed for internet-facing assets
• Prioritization of Internet-Facing Vulnerabilities: vulnerabilities and misconfigurations on internet-facing devices should be prioritized because they are more accessible to threat actors and can serve as an easy entry point. They pose a higher risk of compromise and should be addressed promptly
• Internal SLA Remediation Timeline: systems that are not accessible from the internet should fall under an internal service level agreement (SLA) remediation timeline. This implies that different SLAs should be established by network location, with internet-facing assets having shorter SLAs than internally facing ones
• Lateral Movement Considerations: when prioritizing internal vulnerabilities, the focus should be on preventing lateral movement within the network. Priority should go to vulnerabilities that could allow an attacker to gain control of a system or move laterally to access sensitive data
• Use of Vulnerability Priority Ratings: most vulnerability management tools today incorporate additional scoring features, such as EPSS, to assist analysts in prioritizing vulnerabilities. These tools provide vulnerability priority ratings that help determine which security flaws should be remediated first based on the likelihood of exploitation within the network
• Risk-Based Approach: by incorporating the context of device location, organizations operate in a manner that aligns with a risk-based approach to vulnerability management, so that patching teams remediate vulnerabilities based on their attack vector, exploitability, and severity

In the context of vulnerability management, "device context or placement" refers to the network location and role of devices, a critical factor in prioritizing vulnerabilities. The placement of a device can significantly change the risk level of a vulnerability and therefore its priority for remediation.

A. Examples of Device Context or Placement in Vulnerability Management
• Emerging Threat Response: organizations need to respond quickly to emerging threats or critical vulnerabilities on publicly facing devices. For example, if a new vulnerability is disclosed that affects web servers, the internet-facing servers would be prioritized for patching
• Internal Web Applications: while also important, vulnerabilities affecting internal web applications might be addressed after those on internet-facing servers, given the reduced risk of immediate external exploitation
• Workstations vs. Servers: a local privilege escalation vulnerability might be prioritized on workstations over servers if the workstations are more likely to be targeted through phishing emails, considering how the devices are used

VI. ASSET VALUE

The paper discusses the importance of understanding the value of an asset in the context of vulnerability prioritization.
• Asset Value Importance: the value of an asset plays a crucial role in vulnerability prioritization. Analysts need to understand an asset's value together with its context and placement in the network; this helps prioritize vulnerabilities associated with critical assets
• Ranking System: teams can use a ranking system within their application repository to identify critical assets. Vulnerabilities associated with these assets should be prioritized for remediation. This approach helps analysts influence decisions to remediate vulnerabilities impacting business-critical assets
• Business Impact: if a device that is crucial to the operation of the business, or that holds critical information, were compromised, it could be catastrophic for the organization. It is therefore recommended to prioritize patching these devices over others. Incorporating business impact into severity weighting gives a more accurate view of risk to the company
• Configuration Management Database (CMDB): to implement this strategy effectively, an accurate and agreed-upon business impact value per asset is needed. Ideally this information is held centrally, such as in a Configuration Management Database (CMDB). Although most industry CMDB products provide asset discovery to help maintain inventory accuracy, that only partially solves the problem of keeping the inventory and its impact values current

In vulnerability management, asset value refers to the importance of a particular asset (such as a device, system, or data) to an organization's operations or business continuity. It is a critical factor in vulnerability prioritization, helping security teams decide which vulnerabilities to address first based on the potential impact on the organization's most valuable assets.

Calculating asset value is not a straightforward process and varies with the organization's specific context and needs. It often involves assessing the asset's role in the organization, the sensitivity of the data it holds, its importance to business operations, and the potential impact on the organization if the asset were compromised.

Several factors can affect asset value in vulnerability management:
• Role of the Asset: the function of the asset in the organization can greatly influence its value. For example, a server hosting critical applications or sensitive data would typically have a higher asset value than a peripheral device with no access to sensitive information
• Data Sensitivity: assets that store or process sensitive data, such as personally identifiable information (PII), financial data, or proprietary business information, typically have a higher value because of the potential impact of a data breach
• Business Impact: the potential impact on business operations if the asset were compromised is a significant factor. This could include financial loss, operational disruption, reputational damage, or legal and regulatory consequences
• Asset Placement or Context: the location of the asset in the network and its exposure to potential threats also affect how it is weighted. Assets that are publicly accessible or located in a demilitarized zone (DMZ) are often treated as more valuable because they are more likely to be targeted; strictly, exposure raises the likelihood of attack rather than the asset's intrinsic worth, and a mature process tracks the two separately
• Compensating Controls: the presence of security controls that could mitigate the impact of a vulnerability can also affect the perceived value of an asset. An asset with robust controls in place may be treated as a lower remediation priority because the risk of successful exploitation is reduced; as Section VII stresses, that reduction should only be credited once the controls have been tested

In order to prioritize vulnerabilities effectively by asset value, organizations need to maintain an accurate inventory of their assets and regularly reassess their value in the context of the organization's operations and risk tolerance.
VII. COMPENSATING CONTROLS

The paper discusses the role of layered security controls, or defense-in-depth strategies, in mitigating attacks executed by advanced threats.
• Role of Compensating Controls: compensating controls are security measures that make vulnerabilities harder to exploit. They are part of an organization's layered security strategy, also known as defense in depth
• Controversy Over Severity Adjustment: adjusting the severity of vulnerabilities based on compensating controls is controversial. Some stakeholders argue for lowering severity on the assumption that the control is effective. However, changing a vulnerability's severity or risk rating without sufficient data can lead to misprioritization and weaken the organization's security posture
• Testing Compensating Controls: the report recommends testing the exploitation of vulnerabilities against the company's security stack in a sandboxed environment. This can be done by personnel with red teaming expertise or with a breach and attack simulation tool that mimics the tactics, techniques, and procedures (TTPs) observed in malicious operations. The resulting data can justify decreasing, or increasing, the severity or risk rating of certain vulnerabilities

Compensating controls in vulnerability management are additional security measures put in place to mitigate the risk associated with identified vulnerabilities. They are used when vulnerabilities cannot be remediated immediately because of technical constraints, business requirements, or other factors. Compensating controls can help prioritize vulnerabilities by reducing the risk associated with certain vulnerabilities, allowing organizations to focus on remediating other, higher-risk vulnerabilities first.

Compensating controls can take various forms, including:
• Network Segmentation: separating a network into multiple segments limits an attacker's ability to move laterally. If a vulnerability exists in one segment, segmentation can prevent an attacker from using it to reach other parts of the network
• Firewalls and Intrusion Prevention Systems (IPS): these tools can detect and block malicious traffic, potentially preventing the exploitation of certain vulnerabilities
• Multi-factor Authentication (MFA): MFA can prevent an attacker from gaining access to a system even with valid credentials, mitigating the risk of vulnerabilities that could lead to credential theft
• Encryption: encrypting data at rest and in transit can reduce the impact of vulnerabilities that could lead to data exposure
• Regular Patching and Updates: regularly updating and patching systems mitigates the risk of known vulnerabilities (strictly, this is remediation rather than a compensating control, as subsection A below explains)
• Security Awareness Training: training users to recognize and avoid potential security threats reduces the risk of vulnerabilities being exploited through social engineering

In terms of prioritizing vulnerabilities, compensating controls can be used to lower the risk rating of certain vulnerabilities, allowing organizations to focus on remediating others first. However, the effectiveness of compensating controls should be tested regularly to ensure they function as expected, through red teaming exercises or breach and attack simulation tools.

In addition to compensating controls, other factors that can be used to prioritize vulnerabilities include the severity of the vulnerability, its exploitability, the value of the affected asset, and whether the vulnerability is known to be exploited in the wild. Tools like EPSS and SSVC can also be used to help prioritize vulnerabilities.

A. Difference between compensating controls and patching in vulnerability management

In vulnerability management, compensating controls and patching are two different strategies for mitigating the risk of identified vulnerabilities.

Patching is the process of applying updates to software or systems to fix known vulnerabilities. It addresses the vulnerability directly, by modifying the system or software to eliminate it. Patching is often the most effective way to prevent exploitation, but it can be resource-intensive and disruptive, since it may require systems to be taken offline or restarted. Not all vulnerabilities have patches available, and even when they do, testing requirements or operational constraints can delay applying them.

Compensating controls, on the other hand, are alternative measures implemented to mitigate the risk of a vulnerability when applying a patch is not feasible or desirable. They do not fix the vulnerability itself but reduce the risk of exploitation. Examples include network segmentation, firewall rules, intrusion detection systems, and additional monitoring. Their use can be controversial, because they do not eliminate the vulnerability and their effectiveness can be hard to measure. They are nonetheless a valuable tool for managing risk, particularly where patching is not immediately possible.

While patching directly addresses and eliminates vulnerabilities, compensating controls provide alternative ways to mitigate risk when patching is not feasible or desirable. Both strategies are important components of a comprehensive vulnerability management program.
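Sections IV through VII each add one input to the same decision: is the CVE in CISA's KEV catalog, is the device internet-facing, how critical is the asset, how likely is exploitation, and is there a compensating control that has actually been tested. The block below is an added example for this review, not code from the Health-ISAC paper or from CISA, that combines them into a single triage function. The KEV excerpt uses the field names of CISA's known_exploited_vulnerabilities.json feed but its entries are constructed placeholders, the EPSS values and scanner findings are constructed, and the SLA lengths, the EPSS threshold and the "one validated control lowers the tier by one" rule are assumed policy choices that a real program would set for itself.

```python
"""Risk-based triage of scanner findings: KEV first, then exposure, asset
value, EPSS and validated compensating controls set the remediation SLA.

Added example for this review, not code from the Health-ISAC paper or CISA.
The KEV excerpt, EPSS values and findings are constructed; the SLA lengths,
the EPSS threshold and the tier-downgrade rule are assumed policy choices.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed excerpt in the shape of CISA's known_exploited_vulnerabilities.json
# (same field names; the CVE IDs and dates are placeholders, not real entries).
KEV_FEED = {
    "catalogVersion": "constructed-example",
    "vulnerabilities": [
        {"cveID": "CVE-0000-1001", "vendorProject": "ExampleVendor",
         "product": "EdgeGateway", "dateAdded": "2024-05-01",
         "dueDate": "2024-05-22", "knownRansomwareCampaignUse": "Known"},
    ],
}
# Constructed EPSS probabilities keyed by CVE (real values come from
# https://api.first.org/data/v1/epss).
EPSS = {"CVE-0000-1001": 0.97, "CVE-0000-1002": 0.41,
        "CVE-0000-1003": 0.03, "CVE-0000-1004": 0.001}

SLA_DAYS = {1: 7, 2: 30, 3: 90}   # assumed SLA per tier; tier 0 uses CISA's due date
EPSS_HOT = 0.10                    # assumed threshold for "exploitation likely"
TODAY = date(2024, 5, 10)          # fixed so the example is reproducible


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss_base: float
    internet_facing: bool
    asset_critical: bool              # business-impact flag, e.g. from the CMDB
    compensating_control: str = ""    # e.g. "WAF rule"; empty if none
    control_validated: bool = False   # True only after a BAS / red-team test


@dataclass(frozen=True)
class Decision:
    finding: Finding
    tier: int
    due: date
    reason: str


def severity(cvss):
    """CVSS v3 qualitative rating bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low" if cvss > 0 else "none"


def triage(f, kev, epss, today):
    if f.cve in kev:
        # BOD 22-01: the catalog's due date applies regardless of local
        # context or controls, so KEV entries are never downgraded here.
        return Decision(f, 0, date.fromisoformat(kev[f.cve]["dueDate"]), "CISA KEV")
    sev = severity(f.cvss_base)
    p = epss.get(f.cve, 0.0)
    if f.internet_facing and (sev in ("critical", "high") or p >= EPSS_HOT):
        tier, why = 1, "internet-facing, %s, EPSS %.3f" % (sev, p)
    elif f.asset_critical and sev in ("critical", "high"):
        tier, why = 2, "critical asset, " + sev
    else:
        tier, why = 3, "internal, " + sev
    # A compensating control lowers the tier only when it has been exercised
    # against the exploit; an assumed control is not evidence (Section VII).
    if f.compensating_control and f.control_validated and tier < 3:
        tier += 1
        why += ", validated control: " + f.compensating_control
    return Decision(f, tier, today + timedelta(days=SLA_DAYS[tier]), why)


def prioritize(findings, feed, epss, today):
    kev = {v["cveID"]: v for v in feed["vulnerabilities"]}
    decisions = [triage(f, kev, epss, today) for f in findings]
    # Tier first, then exploitation likelihood, then severity as a tie-breaker.
    decisions.sort(key=lambda d: (d.tier, -epss.get(d.finding.cve, 0.0),
                                  -d.finding.cvss_base))
    return decisions


FINDINGS = [  # constructed scanner output
    Finding("CVE-0000-1004", "hr-portal", 9.8, False, True),
    Finding("CVE-0000-1002", "web-frontend", 7.5, True, False, "WAF rule", False),
    Finding("CVE-0000-1003", "print-server", 8.8, False, False),
    Finding("CVE-0000-1001", "edge-gateway", 6.5, True, True),
    Finding("CVE-0000-1002", "vpn-portal", 7.5, True, True, "WAF rule", True),
]

if __name__ == "__main__":
    for d in prioritize(FINDINGS, KEV_FEED, EPSS, TODAY):
        print(d.tier, d.due, d.finding.cve, d.finding.asset, d.reason)
```

Run as is, the 6.5 on the edge gateway comes out first because it is in KEV, the internet-facing 7.5 outranks the internal 9.8, and the same 7.5 behind a WAF is deferred only on the host where the WAF rule was tested; the untested copy keeps its seven-day SLA, which is the "without sufficient data" point from this section expressed as code.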
VIII. EPSS – EXPLOIT PREDICTION SCORING SYSTEM

The Exploit Prediction Scoring System (EPSS) is a tool that helps prioritize vulnerabilities. It provides a data-driven, probabilistic estimate of the likelihood of exploitation, which can complement traditional severity ratings and other vulnerability management strategies.
• Challenges with Traditional Vulnerability Scoring: traditional scoring systems such as CVSS have been criticized as insufficient for assessing and prioritizing the risk from vulnerabilities. Only a limited subset of published vulnerabilities is ever observed being exploited in the wild
• Introduction of EPSS: EPSS is an open, data-driven effort that uses a machine-learning model to predict the probability that a vulnerability will be exploited in the wild, helping defenders prioritize remediation more effectively. It uses data from sources like the MITRE CVE list, data about CVEs such as days since publication, and observations of exploitation-in-the-wild activity from security vendors
• EPSS Scoring: the model produces a probability between 0 and 1 (0% to 100%). The higher the score, the greater the probability that the vulnerability will be exploited
• Comparison with CVSS: EPSS is not meant to replace CVSS but to complement it. CVSS provides a severity rating; EPSS provides a prediction of the likelihood of exploitation. This additional information helps organizations prioritize remediation more effectively
• Use of EPSS in Vulnerability Management: EPSS can be used together with the other tools and strategies in the paper: focusing on known exploited vulnerabilities, considering the context or placement of devices, assessing asset value, and considering compensating controls
• Stakeholder-Specific Vulnerability Categorization (SSVC): SSVC is another tool that can be used in conjunction with EPSS. SSVC focuses on values including the security flaw's exploitation status, its impact on safety, and the prevalence of the affected

EPSS differs from traditional severity ratings such as CVSS in several ways:
• Predictive Nature: EPSS is predictive, giving a probability based on the likelihood of exploitation, whereas CVSS gives a severity score based on the intrinsic characteristics of a vulnerability
• Data-Driven Approach: EPSS incorporates current threat information from CVE and real-world exploit data, which CVSS severity ratings do not
• Machine Learning Model: EPSS employs a machine-learning model to predict exploit likelihood, using data from sources like the MITRE CVE list and observations of exploitation-in-the-wild activity from security vendors

B. Benefits
Benefits of using EPSS in vulnerability management include:
• Efficient Prioritization: EPSS helps organizations prioritize the vulnerabilities that pose the most risk and are most likely to be exploited, so they can allocate resources more effectively
• Complement to CVSS: EPSS can be used alongside CVSS to give a more comprehensive view of vulnerabilities, considering both severity and likelihood of exploitation
• Reduction in Remediation Effort: by focusing on vulnerabilities with a higher probability of being exploited, organizations can reduce the number of vulnerabilities they need to address, saving time and effort

IX. SSVC – STAKEHOLDER-SPECIFIC VULNERABILITY CATEGORIZATION

The paper discusses a methodology for prioritizing vulnerabilities based on factors beyond severity scores. SSVC is a flexible, customizable, and evidence-based approach to vulnerability prioritization that takes into account a variety of factors beyond severity. It helps organizations make informed decisions about which vulnerabilities to address first, based on their specific context and risk tolerance.
products. SSVC improves vulnerability management • SSVC Overview: SSVC is a vulnerability analysis
processes and accounts for diverse stakeholders methodology developed by Carnegie Mellon
University's Software Engineering Institute in
A. EPSS Difference coordination with the US Cybersecurity and
The Exploit Prediction Scoring System (EPSS) is a tool Infrastructure Security Agency (CISA). It operates as a
designed to estimate the likelihood that a software vulnerability decision tree that allows for flexibility in its application,
and it accounts for diverse stakeholders.
will be exploited in the wild. Its purpose is to assist network
• SSVC Decision Points: SSVC uses a decision tree to
defenders in better prioritizing vulnerability remediation efforts determine the response to a vulnerability. The possible
by providing a probability score between 0 and 1 (0 and 100%). outcomes are "Track", "Track*", "Attend", and "Act".
The higher the score, the greater the probability that a Each outcome has a recommended remediation
vulnerability will be exploited. timeline, ranging from standard update timelines
EPSS offers a more nuanced approach to vulnerability ("Track" and "Track*") to immediate action ("Act").
management by predicting the likelihood of exploitation, which • Customizability: SSVC is customizable, helping
complements the severity assessment provided by traditional analysts decide on vulnerability response actions
scoring systems like CVSS. This predictive capability can consistent with maintaining the confidentiality,
significantly benefit organizations in prioritizing their integrity, and availability of enterprise systems as
agreed upon with leadership. It is a dynamically applied
vulnerability remediation efforts.
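Before going further into SSVC, the EPSS guidance above can be made concrete. The following Python is an added example, not code from the Health-ISAC paper or the EPSS project. It ranks a constructed set of findings twice: once by CVSS alone and once by a risk score that combines the EPSS probability with severity, known-exploited status, device placement, asset value and compensating controls, the factors listed under "Use of EPSS in Vulnerability Management". The weighting in risk_score(), the thresholds in tier() and every CVE identifier are assumptions and placeholders, not published formulas or real entries.

```python
"""Ranking findings with EPSS alongside CVSS and asset context.

Added example, not code from the Health-ISAC paper or the EPSS project.
The weighting in risk_score() and the thresholds in tier() are assumed
policy choices; the CVE identifiers and all values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float            # CVSS base score, 0.0-10.0 (severity)
    epss: float            # EPSS score, 0.0-1.0 (probability of exploitation)
    known_exploited: bool  # listed in a known-exploited-vulnerabilities catalogue
    internet_facing: bool  # placement/context of the affected device
    asset_value: int       # 1 (low) .. 3 (high), set by the asset owner
    compensating: bool     # compensating control in place (segmentation, WAF, ...)


def cvss_rank(findings):
    """The traditional order: highest CVSS severity first."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def risk_score(f):
    """Likelihood x impact x context, scaled down by compensating controls.

    EPSS supplies the likelihood term; a known-exploited finding is floored
    at likelihood 1.0 so it can never rank below an unexploited finding of
    equal impact and context. CVSS/10 stands in for impact. These weights
    are an assumption for illustration, not a published formula.
    """
    likelihood = 1.0 if f.known_exploited else f.epss
    impact = f.cvss / 10.0
    context = (1.5 if f.internet_facing else 1.0) * f.asset_value
    mitigation = 0.5 if f.compensating else 1.0
    return round(likelihood * impact * context * mitigation, 4)


def risk_rank(findings):
    """Risk-based order: EPSS likelihood combined with severity and context."""
    return [f.cve for f in sorted(findings, key=risk_score, reverse=True)]


def tier(f, epss_threshold=0.1):
    """Assign a remediation tier (assumed thresholds) for SLA purposes."""
    if f.known_exploited:
        return "immediate"
    if f.epss >= epss_threshold and f.internet_facing:
        return "urgent"
    if f.epss >= epss_threshold or f.cvss >= 9.0:
        return "standard"
    return "deferred"


# Constructed sample inventory; the CVE ids are placeholders, not real entries.
SAMPLE = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.004, known_exploited=False,
            internet_facing=False, asset_value=1, compensating=True),
    Finding("CVE-0000-0002", cvss=7.5, epss=0.62, known_exploited=False,
            internet_facing=True, asset_value=3, compensating=False),
    Finding("CVE-0000-0003", cvss=8.8, epss=0.15, known_exploited=True,
            internet_facing=True, asset_value=2, compensating=False),
    Finding("CVE-0000-0004", cvss=6.1, epss=0.01, known_exploited=False,
            internet_facing=False, asset_value=2, compensating=False),
]

if __name__ == "__main__":
    print("CVSS order:", cvss_rank(SAMPLE))
    print("Risk order:", risk_rank(SAMPLE))
    for f in SAMPLE:
        print(f.cve, risk_score(f), tier(f))
```

On this input the CVSS-only order puts the 9.8 finding first, while the risk order drops it to last: its EPSS probability is well under one percent, it sits on an internal low-value asset, and a compensating control is in place. The known-exploited finding and the internet-facing finding with a high EPSS score move to the top. EPSS scores change over time, so the ranking should be recomputed whenever scores are refreshed rather than stored once.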
• Customizability: SSVC is customizable, helping analysts decide on vulnerability response actions consistent with maintaining the confidentiality, integrity, and availability of enterprise systems as agreed upon with leadership. It is a dynamically applied concept, with new versions released to recognize improvements and integrate feedback.
• Focus on Values: SSVC focuses on values, including the security flaw's exploitation status, its impact on safety, and the prevalence of the affected products. It improves vulnerability management processes by considering these factors.
• Evidence-Based Decisions: SSVC decisions are based on a logical combination of triggers set by leadership in response to factors such as the vulnerability's state of exploitation, the level of difficulty for an adversary to exploit it, and its impact on public safety. Analysts collect evidence of the relevant triggers and use the decision tree's logic to establish triage priority decisions.
• Beyond Base Scores: SSVC goes beyond just base scores as a stand-alone prioritization method. It helps organizations efficiently prioritize and triage vulnerabilities while navigating the uncertainties of what issues to address first.
A. Key Components of the SSVC Methodology
The Stakeholder-Specific Vulnerability Categorization (SSVC) methodology is a decision-tree-based approach developed by Carnegie Mellon University's Software Engineering Institute in coordination with the US Cybersecurity and Infrastructure Security Agency (CISA). The key components of the SSVC methodology include:
• Decision Points: SSVC uses a decision tree with decision points that lead to different outcomes based on the analysis of the vulnerability. These decision points include the state of exploitation, technical impact, automatability, mission prevalence, and public well-being impact.
• Possible Outcomes: The decision tree leads to one of four possible outcomes: Track, Track*, Attend, and Act. Each outcome has a recommended remediation timeline, with "Act" requiring immediate action.
• Customizability: SSVC is designed to be customizable, allowing organizations to tailor the decision-making process to their specific needs and concerns.
• Evidence-Based Decisions: Decisions within SSVC are made based on evidence regarding the vulnerability's exploitation status, difficulty of exploitation, and impact on public safety.
• Dynamic Application: SSVC is intended to be a dynamically applied concept, with new versions released to incorporate improvements and feedback.
B. Using SSVC to Prioritize Vulnerabilities
SSVC can be used to prioritize vulnerabilities in an effective and efficient way by:
• Assessing Impact: Analyzing the impact of a vulnerability on the organization's operations and the public well-being to determine the urgency of remediation.
• Evaluating Exploitation Status: Considering whether there is active exploitation or proof of concept available for the vulnerability.
• Determining Automatability: Assessing if the vulnerability is self-propagating or requires additional steps for an attacker to exploit.
• Considering Mission Prevalence: Evaluating how prevalent the affected product is within the organization and its importance to business continuity.
• Making Informed Decisions: Using the decision tree to make informed decisions about which vulnerabilities to address first, based on the organization's specific exposure level and recommended actions.
C. Difference between SSVC and traditional severity ratings in vulnerability management
Traditional severity ratings in vulnerability management, such as the Common Vulnerability Scoring System (CVSS), provide a numerical score to indicate the severity of a vulnerability. These scores are based on a set of metrics that include the attack vector, attack complexity, privileges required, and user interaction, among others. However, these traditional ratings have been criticized for not being sufficient to assess and prioritize risks from vulnerabilities, as they do not consider whether a vulnerability has been exploited in the wild.
On the other hand, the Stakeholder-Specific Vulnerability Categorization (SSVC) is a more dynamic and flexible approach to vulnerability management. SSVC focuses on values, including the security flaw's exploitation status, its impact on safety, and the prevalence of the affected products. It operates as a decision tree that allows for flexibility in its application, enabling organizations to customize it to their specific needs. SSVC provides a more comprehensive view of the risk associated with a vulnerability by considering factors such as the state of exploitation, technical impact, mission prevalence, and public well-being.
While traditional severity ratings provide a standardized measure of the severity of a vulnerability, they do not take into account whether the vulnerability is being exploited or its impact on the organization. SSVC, on the other hand, provides a more comprehensive and customizable approach to vulnerability management by considering a wider range of factors.
D. Scoring decisions in the SSVC methodology
The Stakeholder-Specific Vulnerability Categorization (SSVC) methodology is a decision-making process for vulnerability response actions. It was developed by Carnegie Mellon University's Software Engineering Institute in coordination with the US Cybersecurity and Infrastructure Security Agency (CISA). The SSVC methodology provides four scoring decisions, which are:
• Track: The vulnerability does not currently require action, but the organization should continue to monitor it and reassess if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines.
• Track*: The vulnerability has specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines.
• Attend: The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions include requesting assistance or information about the vulnerability and may involve publishing a notification either internally and/or externally. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines.
• Act: The vulnerability requires attention from the organization's internal, supervisory-level, and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible.
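The decision points listed under A. and the four outcomes under D. can be expressed as a small rule engine. The following Python is an added example, not code from the Health-ISAC paper, CISA or the SEI: the policy table stands in for the "logical combination of triggers set by leadership", and analysts' evidence is run through it in order, first match wins. DEFAULT_POLICY is an illustrative simplification, not CISA's published SSVC tree. The first sample case is the Citrix ShareFile vulnerability CVE-2023-24489 from the paper, with exploitation set to active because the text reports in-the-wild exploitation; its other three values, and all the placeholder CVE ids, are assumptions.

```python
"""An SSVC-style decision tree with a customizable rule set.

Added example, not code from the Health-ISAC paper, CISA or the SEI.
DEFAULT_POLICY is an illustrative simplification, not CISA's published
SSVC tree; evidence values for the sample cases are assumed except where
the paper states them.
"""
from dataclasses import dataclass
from enum import Enum


class Exploitation(Enum):
    NONE = "none"      # no known exploitation
    POC = "poc"        # proof-of-concept code is public
    ACTIVE = "active"  # exploitation observed in the wild


class Automatable(Enum):
    NO = "no"    # attacker needs additional steps per target
    YES = "yes"  # exploitation can be automated / self-propagating


class TechnicalImpact(Enum):
    PARTIAL = "partial"
    TOTAL = "total"


class MissionWellBeing(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"  # critical prevalence, or physical-safety / payment-data exposure


@dataclass(frozen=True)
class Evidence:
    cve: str
    exploitation: Exploitation
    automatable: Automatable
    technical_impact: TechnicalImpact
    mission_well_being: MissionWellBeing


# Remediation timelines the paper attributes to CISA for each outcome.
TIMELINE = {
    "Track": "within standard update timelines",
    "Track*": "within standard update timelines; monitor for changes",
    "Attend": "sooner than standard update timelines",
    "Act": "as soon as possible",
}

# A rule is (name, constraints, outcome). Constraints map a field to the set
# of values that satisfy it; fields not listed match anything. Rules are
# evaluated in order and the first match wins. Leadership owns this table.
DEFAULT_POLICY = [
    ("active+severe", {"exploitation": {Exploitation.ACTIVE},
                       "technical_impact": {TechnicalImpact.TOTAL}}, "Act"),
    ("active+high-mission", {"exploitation": {Exploitation.ACTIVE},
                             "mission_well_being": {MissionWellBeing.HIGH}}, "Act"),
    ("active", {"exploitation": {Exploitation.ACTIVE}}, "Attend"),
    ("poc+automatable+high", {"exploitation": {Exploitation.POC},
                              "automatable": {Automatable.YES},
                              "mission_well_being": {MissionWellBeing.HIGH}}, "Attend"),
    ("poc+severe", {"exploitation": {Exploitation.POC},
                    "technical_impact": {TechnicalImpact.TOTAL}}, "Track*"),
    ("wormable-latent", {"automatable": {Automatable.YES},
                         "technical_impact": {TechnicalImpact.TOTAL},
                         "mission_well_being": {MissionWellBeing.HIGH}}, "Track*"),
]


def decide(ev, policy=DEFAULT_POLICY):
    """Return (outcome, matched_rule, timeline); unmatched evidence is Track."""
    for name, constraints, outcome in policy:
        if all(getattr(ev, field) in allowed for field, allowed in constraints.items()):
            return outcome, name, TIMELINE[outcome]
    return "Track", "default", TIMELINE["Track"]


# CVE-2023-24489 is the Citrix ShareFile case from the paper: PoC code,
# targeted attacks and in-the-wild exploitation are reported, so exploitation
# is ACTIVE. The other three values for it are assumed for illustration.
# The remaining ids are constructed placeholders.
CASES = [
    Evidence("CVE-2023-24489", Exploitation.ACTIVE, Automatable.NO,
             TechnicalImpact.TOTAL, MissionWellBeing.HIGH),
    Evidence("CVE-0000-0101", Exploitation.NONE, Automatable.NO,
             TechnicalImpact.PARTIAL, MissionWellBeing.LOW),
    Evidence("CVE-0000-0102", Exploitation.POC, Automatable.YES,
             TechnicalImpact.TOTAL, MissionWellBeing.HIGH),
    Evidence("CVE-0000-0103", Exploitation.POC, Automatable.NO,
             TechnicalImpact.TOTAL, MissionWellBeing.MEDIUM),
]

# Customization: an organization whose systems touch patient safety or payment
# data escalates any HIGH mission/well-being flaw with public PoC straight to
# Act by prepending one rule, leaving the rest of the tree untouched.
SAFETY_FIRST_POLICY = [
    ("poc+well-being", {"exploitation": {Exploitation.POC, Exploitation.ACTIVE},
                        "mission_well_being": {MissionWellBeing.HIGH}}, "Act"),
] + DEFAULT_POLICY

if __name__ == "__main__":
    for ev in CASES:
        print(ev.cve, decide(ev))
    print(CASES[2].cve, "under SAFETY_FIRST_POLICY:", decide(CASES[2], SAFETY_FIRST_POLICY))
```

Keeping the rules as data rather than nested if-statements is what makes the "dynamically applied concept" practical: the table can be versioned, reviewed by leadership, and replayed against past evidence to see which decisions would change before a new version goes live.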
E. Examples of SSVC
Here are examples of how SSVC can be applied in vulnerability management:
• Customized Decision Tree: SSVC uses a decision tree that is tailored to the organization's needs. For example, an organization can customize the decision tree to focus on factors such as the vulnerability's exploitation status, its impact on safety, and the prevalence of the affected products
• Possible Outcomes: The SSVC decision tree leads to one of four possible outcomes: Track, Track*, Attend, and Act. Each outcome has a recommended remediation timeline, with "Act" requiring immediate action. This helps organizations to prioritize vulnerabilities based on the level of attention they require
• Evidence-Based Decisions: Decisions within SSVC are made based on evidence regarding the vulnerability's exploitation status, difficulty of exploitation, and impact on public safety. For instance, if a vulnerability is being actively exploited with a high technical impact, the decision might be to "Act" immediately
• Practical Use Case: A practical example provided in the document is the prioritization response to the Citrix ShareFile vulnerability, identified as CVE-2023-24489. Using SSVC, an organization would likely choose the "Act" value after running information collected by analysts against the decision points and associated values. This decision is influenced by the existence of proof-of-concept code, evidence of targeted attacks, and in-the-wild exploitation
• Public Well-Being: SSVC also considers the potential impact on public well-being. For example, if a vulnerability could lead to physical harm or expose sensitive payment information, it would likely be prioritized for immediate action
• Mission Prevalence: The decision tree includes an assessment of how prevalent the affected product is within the organization and its importance to business continuity. This helps to prioritize vulnerabilities that could have an impact on the organization's operations
X. METRICS
This section discusses the role of metrics in evaluating and improving a vulnerability management program. It emphasizes the importance of using detailed and informative metrics to assess the effectiveness of a vulnerability management program. By focusing on key risk indicators and compartmentalizing metrics, organizations can gain actionable insights and prioritize remediation efforts more effectively.
• Metrics as Indicators: Metrics are essential for highlighting the effectiveness of a vulnerability management program and identifying areas that need improvement. They provide a way to measure the program's performance and guide strategic decisions
• Beyond Severity Counts: Simply counting the number of critical, high, medium, and low severity vulnerabilities is not enough to determine if remediation efforts are meeting goals. Metrics should be more nuanced and informative
• Compartmentalization of Metrics: Metrics should be compartmentalized by technology, placement on the network, and the Service Level Agreement (SLA) outlined in the company policy. This helps to identify specific areas that require improvement
• Focus on Known Exploited Vulnerabilities: Distinguishing between known exploited vulnerabilities and those not currently exploited can reduce noise and direct teams to remediation efforts that need more visibility
• Key Risk Indicators vs. Key Performance Indicators: Organizations should focus on key risk indicators rather than just key performance indicators. This approach highlights specific insights obtained from vulnerability data, which can be more actionable
• Example of Risk-Based Metrics: An example provided in the document is the comparison of remediation times for vulnerabilities on different platforms, such as Chrome and Edge. This comparison can reveal which platform poses a higher level of risk based on the time it takes to remediate vulnerabilities
• Actionable Insights: Performance metrics should be used to show areas of risk, allowing organizations to take actionable steps rather than just tracking individual vulnerabilities
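The metrics guidance above is easier to judge against a concrete computation. The following Python is an added example, not code or data from the Health-ISAC paper. It puts the severity-count view the text calls insufficient next to metrics compartmentalized the way the text recommends: mean time to remediate by platform (the Chrome versus Edge comparison), SLA breach rate by network placement, and a known-exploited backlog as a key risk indicator. The records, dates and SLA table are constructed; "Chrome" and "Edge" are the platforms named in the text, "Server X" is a placeholder.

```python
"""Compartmentalized, risk-oriented vulnerability metrics.

Added example, not code or data from the Health-ISAC paper. Records, dates
and the SLA table are constructed; "Server X" is a placeholder platform.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Record:
    finding_id: str
    platform: str
    placement: str           # e.g. "internet-facing", "internal", "workstation"
    known_exploited: bool
    severity: str            # critical / high / medium / low
    opened: date
    closed: Optional[date]   # None while still open


# Assumed SLA from "company policy": days allowed to remediate, by severity.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 60, "low": 90}

# Constructed sample data.
RECORDS = [
    Record("F-1", "Chrome", "workstation", False, "high", date(2024, 1, 1), date(2024, 1, 8)),
    Record("F-2", "Chrome", "workstation", True, "high", date(2024, 1, 1), date(2024, 1, 3)),
    Record("F-3", "Edge", "workstation", False, "high", date(2024, 1, 1), date(2024, 1, 31)),
    Record("F-4", "Edge", "workstation", False, "critical", date(2024, 1, 5), date(2024, 1, 25)),
    Record("F-5", "Server X", "internet-facing", True, "critical", date(2024, 1, 2), None),
    Record("F-6", "Server X", "internal", False, "medium", date(2024, 1, 2), date(2024, 1, 10)),
]
AS_OF = date(2024, 2, 1)  # reporting date for the constructed data


def age_days(r, as_of=AS_OF):
    """Days to remediate, or days open so far for unresolved findings."""
    return ((r.closed or as_of) - r.opened).days


def severity_counts(records):
    """The 'count by severity' view: says nothing about speed or exposure."""
    counts = defaultdict(int)
    for r in records:
        counts[r.severity] += 1
    return dict(counts)


def mean_days_by(records, key, as_of=AS_OF):
    """Mean time to remediate, compartmentalized by key (platform, placement, ...)."""
    buckets = defaultdict(list)
    for r in records:
        buckets[key(r)].append(age_days(r, as_of))
    return {k: round(sum(v) / len(v), 1) for k, v in buckets.items()}


def sla_breach_rate_by(records, key, as_of=AS_OF):
    """Share of findings per group that exceeded their SLA (open ones included)."""
    total, breached = defaultdict(int), defaultdict(int)
    for r in records:
        total[key(r)] += 1
        if age_days(r, as_of) > SLA_DAYS[r.severity]:
            breached[key(r)] += 1
    return {k: round(breached[k] / total[k], 2) for k in total}


def kev_backlog(records, as_of=AS_OF):
    """Key risk indicator: known-exploited findings still open and past SLA."""
    return [r.finding_id for r in records
            if r.known_exploited and r.closed is None
            and age_days(r, as_of) > SLA_DAYS[r.severity]]


if __name__ == "__main__":
    print("By severity:", severity_counts(RECORDS))
    print("MTTR by platform:", mean_days_by(RECORDS, lambda r: r.platform))
    print("SLA breach rate by placement:", sla_breach_rate_by(RECORDS, lambda r: r.placement))
    print("KEV backlog past SLA:", kev_backlog(RECORDS))
```

The severity table reports three highs and two criticals and stops there. The compartmentalized view shows where the risk actually sits: Edge findings take several times longer to close than Chrome findings on the same workstations, the only internet-facing finding is past its SLA, and it is also a known-exploited one. Those are the figures that point a team at a specific action rather than at a backlog number.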