Vulnerability Scores and Risk Scores: What You Need to Know
Share with Your Network
In cybersecurity, a vulnerability score is a generic ranking assigned to any given vulnerability that conveys the relative urgency of that vulnerability. A risk score measures everything a vulnerability score does, but also provides more context than a vulnerability score by gauging the relative risk that a given vulnerability poses to a specific organization.
Both types of scores provide guidance for remediation teams to prioritize which vulnerabilities to patch first. But there are significant differences between the two that impact the efficiency and effectiveness of vulnerability management programs.
What are the most popular vulnerability scores?
The most widely used vulnerability scoring method is the Common Vulnerability Scoring System (CVSS). (For a quick primer on CVSS, check out Learn the Difference Between CVE and CVSS, and What They Mean to You.) CVSS offers Security and IT teams a framework to make quick and simple prioritization decisions.
CVSS ranks vulnerabilities published in the National Vulnerability Database (NVD) on a scale of 1-10. A CVSS score of 0.1 to 3.9 earns a severity rating of Low; from 4.0 to 6.9 gets a Medium rating; 7.0 to 8.9 is rated High; and 9.0 to 10 is Critical.
Are scanner vulnerability scores better than CVSS?
Many scanning solutions try to add context to their scanning score and make adjustments to the scoring scale (e.g., 1-5 instead of 1-10), but the outcome isn’t much improved from CVSS.
What are the disadvantages of vulnerability scores like CVSS?
While static vulnerability scores like CVSS can provide teams with a rough structure to sort their vulnerabilities, these scores create critical disadvantages keeping companies from meaningful remediation and risk management. We’ve gathered some key struggles characteristic of vulnerability scoring.
Lack of context. Vulnerability scores are not a true measure of risk because they lack organizational insight to help determine the potential impact of any given vulnerability. Context is gleaned from environmental factors like assets present, the business criticality of those assets, and the company’s own tolerance for risk. And when only 2-5% of observed vulnerabilities in a given environment are likely to be exploited, this context becomes even more necessary.
Inflated number of vulns rated High or Critical. Many organizations simply try to remediate all vulnerabilities that earn a CVSS score of 7 or higher. Traditional, static vulnerability scoring methods notoriously inflate the number of vulnerabilities deemed High or Critical, packing fix lists with vulnerabilities that are not potential exploits. Compounding this issue is the fact that many remediation teams rely on a blanket strategy of remediating everything above a certain threshold; most commonly, vulnerabilities with a CVSS score of 7 or above, totaling nearly half of all vulnerabilities present in an environment. Given that even well-resourced teams can only remediate about 10% of their total vulnerabilities, using this strategy leaves critical vulns unattended.
Laborious and frustrating. Without a data-driven, modern vulnerability management solution, Security must attempt to overlay their own vulnerability and threat intelligence and organizational context on top of their scoring data. Most often, this task traps teams within spreadsheets, slows them down with guesswork and manual maintenance, and leaves IT and Security at odds trying to reconcile inefficient and ineffective processes.
Drain on finite resources. Ultimately, teams who rely on static vulnerability scores waste precious resources attempting to investigate vulnerabilities, prioritize inflated data, and remediate too many of the wrong vulnerabilities.
*Sidenote: Take a minute to calculate your risk efficiency and see how many vulns actually pose a potential risk to your environment compared to your CVSS-based strategy.
Are risk scores better than vulnerability scores?
Risk scores offer vulnerability management teams the ability to focus their efforts on the vulnerabilities that pose the greatest risk to that specific organization. As a result, remediation teams can concentrate on efforts that will have the most impact on their overall cybersecurity risk.
Data-driven, risk-based vulnerability management (RBVM) solutions are becoming the new norm in cybersecurity, and top industry analysts are calling out this shift. Gartner even cited RBVM as a top security project for 2021.
While risk-based vulnerability management is more widely adopted, vendors can have vastly different interpretations of “risk” and “context” when it comes to developing their models. To help sort these differences, check out 7 Questions to Ask Every Vulnerability Management Vendor.
What are the advantages of risk scores?
Companies embracing a risk-based approach to vulnerability management are discovering benefits that not only help them better manage their cybersecurity risk, but also create organizational efficiencies and competitive advantages.
Reduce and manage risk. Risk scores can fold in external data such as: third-party vulnerability and threat intelligence feeds, organizational context, and predictive data science. This helps to filter out the noise and isolate the small subset of vulnerabilities with the highest exploit potential. Teams are able to make meaningful strides in lowering their risk profiles and achieve a steady state of operationalized risk management.
Optimize resources. Zeroing in on the 2-5% of vulnerabilities that are most likely to be exploited saves time, money, and effort. Remediation teams are no longer spending valuable time investigating, prioritizing, and closing vulnerabilities that don’t move the needle.
Align teams and increase efficiency. Rallying around risk gives Security and IT teams an opportunity to run the same game plan. Data-backed fix lists instill confidence and trust, help teams reduce risk faster, and eliminate friction. No more patch debates!
Track and report progress. With a fine-tuned understanding of risk and its impact on the organization, security leaders are better able to track and report progress. C-suite and board members can get a quick and easy download highlighting company security
How teams remediate better and faster with Kenna Risk Scores
A growing number of enterprises have been able to better protect their infrastructures and customer data by relying on risk scores to reduce and manage risk. The most advanced and comprehensive risk scores are provided by Kenna Security, the pioneer of risk-based vulnerability management. The Kenna Risk Score reflects more than a decade of real-world observation and risk management, and helps remediation teams efficiently and effectively prioritize and manage the vulnerabilities that matter most.
Kenna Risk Scores help teams make data-driven decisions quickly, but there’s a lot that happens behind the scenes before this occurs. Arriving at a Kenna Risk Score begins with ingesting enterprise data and diverse, custom vulnerability and threat intelligence feeds. Advanced data science processes, normalizes, and analyzes this data to glean an understanding of how this vulnerability is behaving in the wild and its potential impact on the customer’s specific environment. These findings are then served up as comprehensive and actionable Kenna Risk Scores, efficiently prioritized to help Security and IT remediate the most critical vulnerabilities first. In addition, Kenna Risk Scores can be assigned to virtually any asset group, department or function, which allows healthy competition between remediation teams who are all aligned around managing risk.
A financial services giant drives down risk with Kenna Risk Scores
By enabling teams to sidestep exhaustive investigation, prioritization, and potentially meaningless remediation, Kenna Risk Scores help cybersecurity leaders effectively optimize resources by lowering risk in as few moves as possible. After transitioning from a remediation strategy of fixing vulnerabilities that scored CVSS 9 or above to a risk-based scoring approach, financial services giant Deloitte & Touche experienced a dramatic drop in time and effort needed to manage their cybersecurity risk. Deloitte effectively cut their investigation and reporting time in half, and time spent on remediation by as much as 75%. Gregston Chu, Deloitte’s Global Vulnerability Analytics Service Owner, identifies Kenna Risk Scores as the catalyst for their vulnerability management transformation.
“Kenna risk meters and risk scores have completely changed the way we manage vulnerabilities and attack surface risk. Tracking risk scores over time are the core of leadership metrics.” – Gregston Chu, Deloitte’s Global Vulnerability Analytics Service Owner
Achieving and maintaining low Kenna Risk Scores becomes the motivation for remediation teams. “Reducing risk scores over time drives our prioritized remediation strategy,” says Chu. And while lower Kenna Risk Scores are the most obvious effect of a risk-based vulnerability management strategy, Deloitte has also realized additional intrinsic benefits such as a deeper and more acute awareness of how much risk exists in their environment at any given time. This, coupled with meaningful and actionable remediation intelligence, helps them make smarter decisions about their cybersecurity risk.
If everything is a priority, nothing is
As attack surfaces continue to expand and the threat landscape becomes more sophisticated, traditional vulnerability scores are no longer “good enough.” Blanket CVSS-based strategies will continue to slow down Security and IT teams who will overlook critical vulnerabilities even as they commit precious resources toward fixing vulnerabilities that don’t pose any meaningful risk to their organization. Risk scores offer a far more effective and efficient solution.
To modernize your approach to cybersecurity and drive down risk in your organization, explore Kenna Katalyst, an on-demand workshop designed to kickstart your risk-based vulnerability management journey.