The National Institute of Standards and Technology (NIST) has revealed a new metric designed to estimate which software vulnerabilities are likely to have been exploited in real-world attacks. Dubbed “Likely Exploited Vulnerabilities” (LEV), this innovative approach seeks to enhance vulnerability management by identifying the most dangerous software flaws among the thousands reported each year. NIST is actively soliciting input from the cybersecurity community to validate and refine this method.
The introduction of LEV highlights the challenges organizations face in vulnerability management, where existing tools such as the Exploit Prediction Scoring System (EPSS) and the Known Exploited Vulnerabilities (KEV) catalog maintained by CISA fall short. EPSS is a forward-looking prediction and does not account for whether a vulnerability has already been exploited, while the KEV catalog, though authoritative, may lack comprehensive coverage of all exploited vulnerabilities.
According to research presented in NIST’s whitepaper, most organizations are only able to patch around 16% of existing vulnerabilities each month, resulting in potential exposure to the approximately 5% of vulnerabilities that are actively exploited in the wild. LEV aims to close the gap between detection and remediation by enabling organizations to prioritize which vulnerabilities to address first. It provides an estimate of previously exploited vulnerabilities using statistical analysis of EPSS data, thereby informing targeted patching efforts.
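As an added illustration (not code from NIST's whitepaper or this article) of how a history of EPSS scores can be folded into a single "likely exploited" estimate and then merged with KEV membership for patch prioritization: it assumes the composition described in NIST CSWP 41, where each EPSS score is the probability of exploitation over the following 30-day window, windows are treated as independent, and a trailing partial window is weighted by its elapsed fraction. The CVE ids, scores, dates and KEV membership are constructed placeholders.

```python
from datetime import date

# Constructed sample: EPSS scores sampled at the start of consecutive
# 30-day windows for two hypothetical CVE ids (placeholders, not real CVEs).
SAMPLE_EPSS = {
    "CVE-0000-0001": [(date(2024, 1, 1), 0.02), (date(2024, 1, 31), 0.35),
                      (date(2024, 3, 1), 0.60)],
    "CVE-0000-0002": [(date(2024, 1, 1), 0.01), (date(2024, 1, 31), 0.01),
                      (date(2024, 3, 1), 0.02)],
}
SAMPLE_KEV = {"CVE-0000-0002"}   # constructed KEV membership
AS_OF = date(2024, 3, 16)        # date the estimate is computed for


def lev(scores, as_of):
    """Probability that the vulnerability was exploited at least once up to
    `as_of`, composed from a time series of (window_start, epss) pairs.

    Assumed composition (NIST CSWP 41 style): a window contributes
    p_i * w_i, where w_i = min(elapsed_days, 30) / 30, and the windows are
    independent, so LEV = 1 - prod(1 - p_i * w_i).
    """
    not_exploited = 1.0
    for i, (start, p) in enumerate(scores):
        if start > as_of:
            break                      # future window: nothing elapsed yet
        end = scores[i + 1][0] if i + 1 < len(scores) else as_of
        days = min((min(end, as_of) - start).days, 30)
        if days <= 0:
            continue
        not_exploited *= 1.0 - p * (days / 30.0)
    return 1.0 - not_exploited


def prioritize(epss_by_cve, kev, as_of, threshold=0.5):
    """Rank CVEs for patching. KEV membership is authoritative evidence and is
    scored as certainty (1.0); otherwise the LEV estimate is used. Returns
    (cve, score, source) tuples at or above `threshold`, highest first."""
    ranked = []
    for cve, scores in epss_by_cve.items():
        if cve in kev:
            ranked.append((cve, 1.0, "KEV"))
        else:
            ranked.append((cve, lev(scores, as_of), "LEV"))
    ranked = [r for r in ranked if r[1] >= threshold]
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


if __name__ == "__main__":
    for cve, score, source in prioritize(SAMPLE_EPSS, SAMPLE_KEV, AS_OF):
        print(f"{cve}  {score:.4f}  ({source})")
```

In the sample, CVE-0000-0001 is absent from KEV but its rising EPSS history yields an LEV of about 0.55, so it is surfaced for patching alongside the KEV entry.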
However, the implementation of LEV raises pressing questions about policy and trust within cybersecurity frameworks. As LEV provides new metrics for evaluating vulnerability management strategies, it also challenges organizations like CISA to consider how they utilize such data in their patching guidance and risk assessments. This discussion coincides with NIST’s acknowledgment that the accuracy of LEV is contingent upon the quality of EPSS data and the underlying statistical assumptions.
NIST is calling for industry collaboration to advance the development of LEV. Access to robust data on when specific vulnerabilities were exploited, currently held within private sectors like threat intelligence firms and security vendors, is essential for LEV’s validation. If secured, LEV could transform vulnerability management practices, facilitating a more efficient and focused approach to cybersecurity.
In summary, while LEV shows promise as a powerful tool in the cybersecurity toolkit, its success relies on collaborative data sharing and further validation from industry leaders. As organizations contend with the dual pressures of patch fatigue and limited resources, having an informed estimate of which vulnerabilities are at greatest risk could prove indispensable.