Category: Exposure Management

Rapid7 Fills Gaps in the CVE Assessment Process with AI-Generated Vulnerability Scoring in Exposure Command

The National Vulnerability Database (NVD) announced in February 2024 that it would no longer provide common vulnerability scoring system (CVSS) scores for all CVEs. Due to resource constraints and an inability to keep up with the volume of newly-disclosed vulnerabilities, NVD shifted its focus to processing vulnerabilities more efficiently by relying on vendor-provided and third-party scores rather than scoring each CVE independently.

Many organizations rely on NVD’s CVSS scores as a consistent, centralized guide to measuring the potential risk of vulnerabilities. This is especially useful for teams that don’t have the resources to conduct their own in-depth vulnerability analysis given the pace at which new CVEs are cropping up.

To address this widening gap in vulnerability scoring and ensure our customers are making informed decisions with the most accurate understanding of their current risk posture we’re excited to announce the release of AI-Generated Risk Scoring in Exposure Command. By integrating an advanced machine learning model, Exposure Command supplements existing CVSS scores by providing AI-Generated Risk Scores for CVEs where NVD does not provide them, ensuring all vulnerabilities are provided an accurate score.

The need to evolve from traditional vulnerability management practices to continuous threat and Exposure Management

Moving beyond simple risk scoring methodologies is critical for modern vulnerability management teams to stay ahead of advanced threats. For many organizations, this means adopting a Risk-Based Vulnerability Management (RBVM) approach.

Put simply, this means incorporating not just a deep and accurate understanding of how risky a given CVE is in a vacuum, but also layering on additional context related to reachability and exploitability, asset criticality, and a real-world understanding of what threat actors are actively targeting in the wild. And how all these inputs relate to the organization's specific environment.

AI-Generated CVSS scoring in Exposure Command feeds directly into our broader Active Risk scoring methodology. More importantly, it empowers Rapid7 to produce predictive CVSS scores by analyzing vulnerability information and comparing with previous expert vulnerability analysis.

The model generates each vector individually, and once combined to form a score, results in 76% of these generated scores being in the correct severity classification. Combined with Rapid7’s Active Risk calculator, this increases to 87% of scores returning the correct classification. The remaining scores are never more than one classification out.

This insight will feed directly into and improve the overall accuracy of our Active Risk scoring models, as well as, ensure severity scores are assigned and provided to security teams faster than humanly possible, making your entire security program more resilient to external change.

By leveraging AI/ML to generate predictive risk scores, security teams benefit from:

  • Enhanced accuracy: Our expertly designed model trained on historical NVD data accurately provides CVSS scores.
  • Predictive scoring: Get immediate insight into the severity of newly-disclosed CVEs that are left unscored, without the need for manual aggregation and analysis.
  • Improved security posture: Ensuring all CVEs are assigned an accurate severity score, organizations are equipped with the necessary context to effectively prioritize remediation efforts and in turn strengthen their organization’s security posture.

This release represents a major step forward in our mission to provide industry-leading cybersecurity solutions. We expect these enhancements will significantly improve your ability to assess and manage vulnerabilities, giving you the confidence to stay ahead of potential threats.For more detailed information and implementation guidelines, please refer to the release notes. If you'd like to learn more about the Rapid7 AI Engine and how we’re leveraging AI across the platform, download the eBook today!

Drowning in data: The modern security dilemma

The Vulnerability Vortex: Escaping the Whirlpool of Ineffective Security

In today's interconnected digital landscape, organizations find themselves caught in a relentless torrent of security alerts and vulnerability notifications. As cyber threats evolve at breakneck speed, security teams struggle to keep their heads above water, desperately trying to prioritize and address an overwhelming flood of potential risks. This data overflow, ironically intended to bolster defenses, often leaves companies more vulnerable than ever.

The root of the problem: How we got here

The journey to this precarious position began with good intentions. As the internet grew and cybercrime flourished, the need for robust security measures became painfully apparent. Developing vulnerability management practices and creating standardized tracking systems like Common Vulnerabilities and Exposures (CVEs) and the Common Vulnerability Scoring System (CVSS) aimed to bring order to the chaos.

These tools provided a common language for discussing and prioritizing security risks. CVEs offered unique identifiers for specific vulnerabilities, while CVSS scores attempted to quantify the severity of these threats. In theory, this standardization should have streamlined the process of identifying and addressing the most critical security issues.

However, as the digital ecosystem expanded exponentially, so did the number of potential vulnerabilities. The growth of internet-connected devices, cloud services, and complex software ecosystems created a vast attack surface ripe for exploitation. Coupled with increasingly sophisticated cyber criminals and state-sponsored threat actors, the vulnerability landscape became a rapidly shifting minefield.

Drowning in false positives: The alert overflow crisis

The result of this explosive growth in potential threats is what security professionals now term "alert overflow." Vulnerability scanners, intrusion detection systems, and other security tools generate constant alerts with many false positives. These incorrect or irrelevant warnings significantly drain resources as analysts must investigate each one, often finding nothing of consequence.

This flood of false positives leads to a dangerous phenomenon known as "alert fatigue." As security teams become accustomed to the constant barrage of warnings, their ability to distinguish genuine threats from noise diminishes. This desensitization can result in slower response times to real vulnerabilities, potentially exposing critical systems for longer periods.

The Limitations of traditional approaches

While vulnerability management has undoubtedly matured over the years, traditional approaches are increasingly falling short in the face of modern challenges. The sheer volume and complexity of today's digital environments make it nearly impossible for organizations to maintain comprehensive visibility across their entire attack surface.

Moreover, the static nature of many vulnerability assessment tools fails to account for the dynamic reality of modern networks. Cloud environments, containers, and ephemeral instances can appear and disappear in moments, creating blind spots in traditional scanning methodologies.

Another significant limitation is the overreliance on CVSS scores for prioritization. While these scores provide a standardized severity measure, they often lack crucial context about an organization's specific environment and risk tolerance. This can lead to misallocated resources, with teams focusing on high-scoring vulnerabilities that may pose little real-world risk to their particular systems.

Shifting gears: The move towards exposure management

Recognizing the shortcomings of traditional vulnerability management, forward-thinking organizations are embracing a more holistic approach known as exposure management. This paradigm shift acknowledges that not all vulnerabilities pose an equal threat and that context is crucial for effective risk mitigation.

Exposure management takes into account factors beyond mere technical vulnerabilities. It considers an organization's unique attack surface, the potential impact of a successful exploit, and the likelihood of a vulnerability being targeted by threat actors. This more nuanced approach allows security teams to focus their limited resources on the most critical issues that pose genuine risks to their specific environment.

Continuous Threat Exposure Management (CTEM): A framework for the future

The concept of Continuous Threat Exposure Management (CTEM) is at the forefront of this evolution. CTEM represents a strategic, cyclical approach to identifying, assessing, and mitigating potential security exposures across an organization's digital footprint.

The CTEM framework consists of five key phases:

  1. Scoping and discovery: Continuously map and update the organization's attack surface, including known and unknown assets.
  2. Validation and prioritization: Assessing discovered vulnerabilities in the context of the organization's specific environment and risk tolerance.
  3. Mobilization: Coordinating efforts across teams to address the most critical exposures.
  4. Remediation: Implementing fixes, patches, or mitigations to reduce identified risks.
  5. Verification: Confirm that remediation efforts have been successful and reassess the overall security posture.

This cyclic process ensures security efforts align with the organization's ever-changing digital landscape and evolving threat environment.

Building the right team: Human expertise in the age of automation

While technology is crucial in modern security practices, the human element remains irreplaceable. Implementing a successful CTEM program requires a diverse team with various skills and perspectives.

Key roles in a CTEM team might include:

  • Security analysts: Skilled in threat intelligence and vulnerability assessment
  • Network specialists: Experts in understanding complex infrastructure
  • Cloud security professionals: Versed in securing dynamic, distributed environments
  • Risk management experts: Adept at translating technical findings into business impact
  • Data scientists: Capable of deriving actionable insights from vast amounts of security data

By combining automated tools with human expertise, organizations can achieve a more nuanced and effective approach to managing their security exposures.

Conclusion: Embracing a proactive future

The shift from traditional vulnerability management to exposure management and CTEM represents a necessary evolution in increasingly complex and dynamic threat landscapes. By adopting these more contextual and proactive approaches, organizations can break free from the vulnerability vortex plaguing security teams.

Exposure management allows for a more strategic allocation of resources, focusing on the most critical risks rather than chasing an endless stream of potential vulnerabilities. The CTEM framework provides a structured-yet-flexible approach to continuously assessing and improving an organization's security posture.

As we progress, the key to successful cybersecurity will lie in embracing these more holistic methodologies. By combining advanced technologies with human expertise and a deep understanding of their unique risk profiles, organizations can navigate the turbulent waters of the digital age with greater confidence and resilience.

Threat Exposure Management (CTEM)

Exposure Management

Attack Surface Management(ASM)Cyber Asset Attack Surface Management (CAASM)

Other Blogs:
Modernizing Your VM Program with Rapid7 Exposure Command: A Path to Effective Continuous Threat Exposure Management