What Can Be Done About the National Vulnerability Database Crisis?
The National Institute of Standards and Technology (NIST) is in a bind, and one that has serious implications for cybersecurity teams worldwide. The National Vulnerability Database (NVD), the go-to repository for Common Vulnerabilities and Exposures (CVEs), is buckling under the weight of an unprecedented backlog. As of April, only 4,000 out of nearly 11,000 CVEs had been processed, leaving a staggering 7,000 vulnerabilities in limbo. This backlog isn’t just a minor hiccup – it’s a glaring security risk.
In the face of this growing crisis, how can security teams ensure they stay ahead of potential threats?
Current Mitigation Efforts by NIST
Neatsun Ziv, CEO at Ox Security, puts it bluntly.
“The backlog of unprocessed CVEs at the NVD poses significant risks for organisations, creating potential blind spots and delaying responses to new threats,” he tells ISMS.online. “This backlog benefits malicious actors, increasing supply chain risks across critical sectors.”
Roger Grimes, data-driven defence evangelist at KnowBe4, underscores the scale of the challenge.
“Last year, there were over 33,000 vulnerabilities, according to the NVD. That works out to over 90 new software and firmware vulnerabilities each day. Documenting, verifying and ranking these threats is an immense task,” he tells ISMS.online.
Grimes adds that “33% of all successful data breaches are only possible because of unpatched software and firmware vulnerabilities.”
NIST has initiated several measures aimed at mitigating the issue and enhancing the long-term functionality of the NVD. One notable effort is the formation of an NVD consortium, which aims to bring together industry, government and other stakeholders to collaboratively manage and improve the database. This consortium is expected to help distribute the workload more effectively and integrate broader expertise into the vulnerability analysis process.
Ox Security’s Ziv expresses optimism about these efforts.
“NIST’s initiative to form a new consortium holds significant potential for long-term improvement,” he argues. “If effectively implemented, these programmes will likely lead to faster processing times, improved data quality, and more timely updates, greatly benefiting the cybersecurity community.”
Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) has introduced a “vulnrichment” programme designed to enrich CVE data with more detailed and actionable information. It seeks to improve the quality and usability of vulnerability data, making it more beneficial for security teams. However, while these initiatives are promising, they do not provide immediate relief to organisations currently struggling with the backlog.
Despite these efforts, the backlog’s immediate impact remains a critical concern. Security teams must navigate this challenge by finding alternative ways to stay informed about new vulnerabilities, and ensuring that their patch management processes remain effective.
The Challenge for Security Teams
The backlog in the NVD poses significant challenges for security teams, who rely on timely and accurate CVE data to protect their systems. Without the most up-to-date information from the NVD, organisations may be unaware of newly discovered vulnerabilities, leaving them exposed to potential attacks. The situation is particularly problematic for smaller organisations that lack the resources to track vulnerabilities independently across multiple sources.
“As nation-state actors and ransomware gangs exploit these delays, it’s crucial to understand the gravity of the situation and the persistent threat landscape,” Ziv warns.
Security teams now face the daunting task of manually seeking out vulnerability information from individual vendors. This approach is labour-intensive and prone to error, as it requires constant monitoring of multiple sources. Additionally, the lack of standardised severity scores can lead to inconsistent assessment of risk, complicating the decision-making process regarding which vulnerabilities to prioritise for patching.
Experts in the field have highlighted the critical need for a centralised, trusted source of vulnerability information. Jerry Gamblin, a principal threat detection and response engineer for Cisco Vulnerability Management, emphasised that while alternative sources like the CISA Known Exploited Vulnerabilities (KEV) catalogue exist, they are not comprehensive and primarily focus on vulnerabilities that are already being actively exploited.
Mitigation Strategies for Security Teams
To mitigate the impact of the NVD backlog, security teams can adopt several strategies:
Alternative databases: Utilise other reliable sources of CVE information. The CISA’s KEV catalogue, though not comprehensive, can provide critical insights into actively exploited vulnerabilities.
Automated tools: Implement automated vulnerability management tools that can scan for vulnerabilities and provide real-time updates. These tools can help bridge the gap left by the NVD by offering continuous monitoring and alerting capabilities. Ziv recommends automated tools such as vulnerability management and Application Security Posture Management (ASPM).
Threat intelligence services: Subscribe to threat intelligence services that provide timely and curated vulnerability information. These services often offer more contextual data, helping security teams understand the relevance and potential impact of specific vulnerabilities on their systems.
Community collaboration: Engage with cybersecurity communities and forums where professionals share insights and updates on the latest vulnerabilities. Collaborative platforms can be a valuable resource for staying informed and exchanging best practices.
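The following script is an added illustration, not part of the original article and not any vendor's tooling. It shows how the first two strategies combine in practice: a scanner's list of CVE IDs is triaged against the CISA KEV catalogue and against the NVD's own processing status, so that a CVE still sitting in "Awaiting Analysis" is surfaced for manual vendor lookup rather than silently ranked low because its CVSS field is empty. The feeds embedded here are constructed samples shaped like the public KEV JSON feed and the NVD API 2.0 response; the CVE identifiers are placeholders, not real vulnerabilities, and the tier thresholds are assumptions.

```python
import json

# Constructed sample of the CISA KEV feed shape (cveID / dueDate /
# knownRansomwareCampaignUse are the feed's field names; the entries are
# placeholders, not real CVEs).
KEV_FEED = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "dueDate": "2024-06-01",
   "knownRansomwareCampaignUse": "Known"}
]}
""")

# Constructed sample shaped like an NVD API 2.0 response. "Awaiting Analysis"
# is the backlog state the article describes: no CVSS score, no CPE data yet.
NVD_FEED = json.loads("""
{"vulnerabilities": [
  {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
  {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Analyzed",
           "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]}}},
  {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
  {"cve": {"id": "CVE-0000-0004", "vulnStatus": "Analyzed",
           "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 3.1}}]}}}
]}
""")

# Constructed: CVE IDs a scanner reported against our own assets (placeholders).
INVENTORY = ["CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003",
             "CVE-0000-0004", "CVE-0000-0005"]

# NVD statuses in which no CVSS score has been attached yet.
UNSCORED_STATUSES = {"Received", "Awaiting Analysis", "Undergoing Analysis"}


def index_kev(feed):
    """Map cveID -> KEV entry."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def index_nvd(feed):
    """Map CVE id -> NVD 'cve' object."""
    return {v["cve"]["id"]: v["cve"] for v in feed["vulnerabilities"]}


def nvd_base_score(cve):
    """Highest CVSS v3.x base score on an NVD record, or None if unscored."""
    scores = []
    for key in ("cvssMetricV31", "cvssMetricV30"):
        for metric in cve.get("metrics", {}).get(key, []):
            scores.append(float(metric["cvssData"]["baseScore"]))
    return max(scores) if scores else None


def triage(inventory, kev_feed=KEV_FEED, nvd_feed=NVD_FEED, high=7.0):
    """Return [(tier, cve_id, reason)] sorted by tier, then id.

    P1: listed in KEV (exploited in the wild): patch first, whatever NVD says.
    P2: NVD analysed with CVSS >= high (assumed threshold).
    P3: NVD has not scored it (backlog) or does not know it: needs a manual
        vendor-advisory check and must not be treated as low just because the
        score field is empty.
    P4: analysed and below the high threshold.
    """
    kev, nvd = index_kev(kev_feed), index_nvd(nvd_feed)
    report = []
    for cve_id in inventory:
        if cve_id in kev:
            e = kev[cve_id]
            report.append(("P1", cve_id, f"in CISA KEV, due {e['dueDate']}, "
                           f"ransomware={e['knownRansomwareCampaignUse']}"))
            continue
        rec = nvd.get(cve_id)
        if rec is None:
            report.append(("P3", cve_id, "not in NVD feed: check vendor advisory"))
            continue
        score = nvd_base_score(rec)
        if rec["vulnStatus"] in UNSCORED_STATUSES or score is None:
            report.append(("P3", cve_id, f"NVD status '{rec['vulnStatus']}', "
                           "no CVSS yet: check vendor advisory"))
        elif score >= high:
            report.append(("P2", cve_id, f"CVSS {score}"))
        else:
            report.append(("P4", cve_id, f"CVSS {score}"))
    return sorted(report)


def backlog_share(report):
    """Fraction of the inventory with no usable NVD score (tier P3): how much
    of your exposure the backlog hides from score-driven tooling."""
    if not report:
        return 0.0
    return sum(1 for tier, _, _ in report if tier == "P3") / len(report)


if __name__ == "__main__":
    rows = triage(INVENTORY)
    for tier, cve_id, reason in rows:
        print(tier, cve_id, reason)
    print(f"backlog share: {backlog_share(rows):.0%}")
```

The point of the P3 tier is the one the article makes indirectly: a CVE that the NVD has received but not analysed carries no score, and a tool that sorts purely by CVSS will push it to the bottom. Pulling KEV membership in first, and treating "no score yet" as "unknown, go and read the vendor advisory" rather than "low", keeps the backlog from becoming a blind spot. In a real deployment the two feeds would be fetched from CISA and the NVD rather than embedded as constants.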
Adapting to CVE Overload
While NIST’s initiatives, such as the formation of a consortium and the introduction of the vulnrichment programme, promise future improvements, they offer little immediate relief.
Security teams must therefore take proactive steps to mitigate the impact of this backlog. By leveraging alternative databases like CISA’s KEV, adopting automated vulnerability management tools, subscribing to real-time threat intelligence services, and engaging with cybersecurity communities, they can fill the gap left by the NVD. These strategies not only help in maintaining an effective patch management programme but also ensure a layered and resilient security posture.
The NVD backlog is a stark reminder of the importance of flexibility in cybersecurity practices. In the face of adversity, the cybersecurity community’s collective expertise and resourcefulness remain its greatest assets. By working together and sharing knowledge, it can overcome the challenges created by the NVD backlog and start to build a more secure digital world.