Read Time:1 Minute, 38 Second

Twitter Mentions More Effective Than CVSS at Reducing Exploitability

Monitoring Twitter mentions of vulnerabilities may be twice as effective as CVSS scores at helping organizations prioritize which bugs to patch first, according to new research.

Kenna Security’s latest report, Prioritization to Prediction, Volume 8: Measuring and Minimizing Exploitability, was compiled with help from the Cyentia Institute.

It confirmed what many security experts have been saying for some time: the sheer volume of CVEs discovered today means organizations must get better at prioritizing which vulnerabilities to fix.

Although an average of 55 bugs were discovered every day in 2021, the good news is that only 4% posed a high risk to organizations, according to the research. It went further, claiming that 62% of the vulnerabilities studied had a less than a 1% chance of exploitation, while only 5% exceeded a 10% probability.

To arrive at its findings, Kenna Security used an industry-devised Exploit Prediction Scoring System (EPSS), which uses CVE information and real-world exploit data to predict “whether and when” vulnerabilities will be exploited in the wild.

Not all vulnerability management strategies are created equal, argued Kenna Security co-founder and CTO, Ed Bellis.

“Prioritizing vulnerabilities with exploit code is 11 times more effective than CVSS scores in minimizing exploitability. Mentions on Twitter, surprisingly, also have a much better signal-to-noise ratio than CVSS (about two times better),” he wrote.

“We also learned that, given the choice, it’s far more effective to improve vulnerability prioritization than increase remediation capacity … but doing both can achieve a 29-times reduction in exploitability.”

Bellis concluded that prioritizing bugs via exploitability rather than technical CVSS scores is “the strategy of the future” and one that US government security experts appear to be taking.

“The data shows that taking this more measured approach of prioritizing exploitability over CVSS scores is the way to go and the recent Cybersecurity and Infrastructure Security Agency (CISA) directive agrees,” he argued.

Closing the Gap: How to Build a Consistent Exposure and Vulnerability Management Workflow

Trump Revenge Tour Targets Cyber Leaders, Elections

Upcoming Speaking Engagements

Major WordPress Plugin Flaw Exploited in Under 4 Hours

Prodaft Offers “No Judgment” Deal to Buy Dark Web Accounts from Cybercrime Forum Users

New Malware ResolverRAT Targets Healthcare and Pharma Sectors

US Blocks Foreign Governments from Acquiring Citizen Data

China Sort of Admits to Being Behind Volt Typhoon

Digital Certificate Lifespans to Fall to 47 Days by 2029

Twitter Mentions More Effective Than CVSS at Reducing Exploitability

Twitter Mentions More Effective Than CVSS at Reducing Exploitability

Closing the Gap: How to Build a Consistent Exposure and Vulnerability Management Workflow

Trump Revenge Tour Targets Cyber Leaders, Elections

Upcoming Speaking Engagements

Major WordPress Plugin Flaw Exploited in Under 4 Hours

Prodaft Offers “No Judgment” Deal to Buy Dark Web Accounts from Cybercrime Forum Users

New Malware ResolverRAT Targets Healthcare and Pharma Sectors