NIST proposes new metric to gauge exploited vulnerabilities

NIST has introduced a new way to estimate which software vulnerabilities have likely been exploited, and it’s calling on the cybersecurity community to help improve and validate the method.

Likely Exploited Vulnerabilities

Content Summary

The new metric, “Likely Exploited Vulnerabilities” (LEV), aims to address a significant gap in vulnerability management by helping identify which reported flaws are actually being exploited in real-world attacks.

Traditionally, organisations have relied on tools like the Exploit Prediction Scoring System (EPSS), which predicts the likelihood of future exploitation, and Known Exploited Vulnerability (KEV) lists maintained by CISA. However, EPSS lacks historical context, and KEV lists can be incomplete.

LEV seeks to bridge this gap by calculating the probability of past exploitation using historical EPSS data. This is a statistical estimate designed to complement, rather than replace, existing methods.

LEV can help organisations:

  • Estimate the number of vulnerabilities that have been exploited.
  • Evaluate the completeness of KEV lists.
  • Identify high-risk vulnerabilities that may not be listed.
  • Address gaps in EPSS, which can underestimate risks for exploited bugs.
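The following is an added illustration of the statistical idea behind the paragraph and list above, written for this page and not taken from NIST's paper or any NIST tooling. It combines a series of EPSS-style 30-day probabilities for a vulnerability into the probability that it was exploited at least once over the covered period, then uses those per-CVE probabilities to estimate the size of the exploited population, gauge how much of it a KEV-style list names, and flag unlisted CVEs with a high estimate. The combination rule (1 minus the product of the per-window non-exploitation probabilities, assuming independent windows) is the generic one; NIST's published LEV equation is the authoritative definition and may weight or window the data differently. All CVE ids, scores and the KEV-style set are constructed sample values.

```python
from typing import Dict, List, Sequence, Set

# Constructed sample data, made up for this illustration; not real EPSS or KEV records.
# For each hypothetical CVE id: one EPSS-style score per non-overlapping 30-day window,
# oldest first. EPSS publishes a score daily as the probability of exploitation in
# the next 30 days, so one score per 30 days covers the history without overlap.
SAMPLE_EPSS_HISTORY: Dict[str, List[float]] = {
    "CVE-0000-0001": [0.02, 0.05, 0.10, 0.30],
    "CVE-0000-0002": [0.01, 0.01, 0.01],
    "CVE-0000-0003": [0.40, 0.60],
    "CVE-0000-0004": [0.00, 0.00, 0.02],
}
# Constructed KEV-style list: the sample CVEs that a catalogue already marks as exploited.
SAMPLE_KEV: Set[str] = {"CVE-0000-0003"}


def prob_exploited_over_windows(window_probs: Sequence[float]) -> float:
    """Probability that at least one exploitation occurred across the windows.

    Each entry is the probability of exploitation within its own window. Treating
    the windows as independent, P(none) is the product of (1 - p_i), and
    P(at least one) = 1 - P(none). This is the generic combination rule (an
    assumption of this example); NIST's published LEV equation is the
    authoritative definition and is not reproduced here.
    """
    p_none = 1.0
    for p in window_probs:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")
        p_none *= 1.0 - p
    return 1.0 - p_none


def windows_from_daily_scores(daily_scores: Sequence[float], window_days: int = 30) -> List[float]:
    """Thin a daily series of 30-day EPSS scores to one score per window.

    Multiplying across every daily score would count each day's exposure up to 30
    times over; taking the score at the start of each window avoids that.
    """
    return [daily_scores[i] for i in range(0, len(daily_scores), window_days)]


def expected_exploited_count(history: Dict[str, Sequence[float]]) -> float:
    """Expected number of exploited CVEs: the sum of the per-CVE probabilities.

    Linearity of expectation makes this valid without assuming independence
    between CVEs, which is why a sum (not a product) is used here.
    """
    return sum(prob_exploited_over_windows(w) for w in history.values())


def kev_coverage(history: Dict[str, Sequence[float]], kev: Set[str]) -> float:
    """Ratio of KEV-listed CVEs (within the scored set) to the expected exploited count.

    A ratio well below 1 suggests the list is missing exploited vulnerabilities.
    """
    expected = expected_exploited_count(history)
    if expected == 0.0:
        return 0.0
    listed = len(kev & set(history))
    return listed / expected


def likely_exploited_not_listed(history: Dict[str, Sequence[float]],
                                kev: Set[str], threshold: float) -> List[str]:
    """CVEs whose estimated probability of past exploitation meets the threshold
    but which are absent from the KEV-style list: candidates for a closer look."""
    return sorted(
        cve for cve, w in history.items()
        if cve not in kev and prob_exploited_over_windows(w) >= threshold
    )


if __name__ == "__main__":
    for cve, w in SAMPLE_EPSS_HISTORY.items():
        print(f"{cve}: P(exploited) = {prob_exploited_over_windows(w):.3f}")
    print(f"expected exploited count: {expected_exploited_count(SAMPLE_EPSS_HISTORY):.3f}")
    print(f"KEV coverage: {kev_coverage(SAMPLE_EPSS_HISTORY, SAMPLE_KEV):.2%}")
    print("likely exploited, not listed:",
          likely_exploited_not_listed(SAMPLE_EPSS_HISTORY, SAMPLE_KEV, 0.4))
```

On the constructed sample, the first CVE combines four modest scores into a probability above 0.4, so it is flagged as likely exploited yet unlisted, while the KEV-style list covers only about 82% of the expected exploited population. The same structure applies to real EPSS history exported per CVE, with the caveat that the estimate can only be as good as the EPSS scores it consumes.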

Context and Relevance

The stakes for effective vulnerability management are high, as remediating vulnerabilities is both time-consuming and costly. The new metric could make patching efforts more focused and effective, especially since statistics show that only around 5% of vulnerabilities are exploited.

Furthermore, the introduction of LEV invites policymakers and CISOs to rethink how they measure and justify their vulnerability management strategies. It raises key questions regarding the potential expansion of KEV lists and how patching guidance might adapt based on these new insights.

However, NIST acknowledges that LEV is not without its challenges. It depends on the accuracy of the underlying EPSS scores, and validating it requires real-world exploitation data that is currently not easily accessible.

To further solidify LEV’s effectiveness, NIST is seeking collaboration from industry players to obtain real-world data on vulnerability exploitation.

Key Insights

  • NIST’s new LEV metric aims to help identify likely exploited vulnerabilities in software.
  • LEV works alongside existing tools, offering a statistical estimate of past exploitation risks.
  • Organisations can use LEV to better prioritise their patching efforts.
  • NIST is actively seeking industry collaboration to validate LEV’s effectiveness.
  • The introduction of LEV could facilitate better vulnerability management strategies for CISOs and policymakers.

Why should I read this?

If you’re in the cybersecurity field, you can’t afford to miss this! NIST’s new metric could seriously change the game for how we manage vulnerabilities. It’s all about making smart choices with your patching efforts and, let’s be honest, who doesn’t want to cut down on that time-consuming work? Stay ahead of the curve and see how this could impact your strategy!
