New NIST Security Metric Aims to Pinpoint Exploited Vulnerabilities
Researchers from the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) have introduced a new security metric designed to improve vulnerability management.
The proposed Likely Exploited Vulnerabilities (LEV) metric aims to enhance organizations’ ability to identify which vulnerabilities are most likely to be exploited, enabling more efficient remediation efforts.
This development comes as cybersecurity teams struggle to prioritize the tens of thousands of vulnerabilities published annually, with only a small fraction being actively exploited in the wild.
Each year, security professionals face the daunting task of addressing over ten thousand newly published software and hardware vulnerabilities.
According to NIST researcher Peter Mell, co-author of the proposal, only a small percentage of these vulnerabilities will ever be weaponized by threat actors.
“The ability to predict which vulnerabilities will be exploited is crucial for the efficiency and cost effectiveness of enterprise vulnerability remediation efforts,” Mell notes in the research abstract. Organizations with limited resources must make difficult decisions about which vulnerabilities to patch first, and critical vulnerabilities can be overlooked in favor of less impactful ones, leaving significant security gaps.
Current Solutions and Their Limitations
The cybersecurity community currently relies on two primary approaches to vulnerability prioritization.
The Exploit Prediction Scoring System (EPSS) attempts to forecast the probability of vulnerability exploitation, but researchers acknowledge it contains known inaccuracies that can mislead security teams.
Additionally, the Known Exploited Vulnerabilities (KEV) catalog maintained by CISA provides authoritative information about vulnerabilities being actively exploited, but the researchers caution that these lists may not be comprehensive, potentially missing emerging threats.
These limitations have created a critical gap in vulnerability management processes that often leads to inefficient resource allocation and potential security exposures.
New Metric for Improved Vulnerability Management
The proposed LEV metric changes the question being asked: rather than forecasting whether a vulnerability will be exploited, it provides a calculated likelihood that a specific vulnerability has already been observed in exploitation activity.
Unlike existing solutions, the LEV metric is designed to work as a complementary tool that addresses the shortcomings of current approaches.
“The proposed likelihood metric may augment EPSS remediation by correcting some inaccuracies and enhance KEV lists by enabling measurements of comprehensiveness,” states Jonathan Spring from CISA, who co-authored the research.
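The article describes LEV only at this level and does not give the formula. The following Python is an added illustration, not code from the NIST/CISA paper or from the page, of the shape such a calculation takes and of the two uses Spring names. It assumes that each EPSS score is the probability of exploitation within a 30-day window and that successive windows combine as P(at least one exploitation) = 1 − ∏(1 − p_i); the partial-window scaling, the placeholder vulnerability IDs, the score series and the KEV list are all constructed for the example.

```python
"""LEV-style exploitation likelihood from a series of EPSS scores (added illustration)."""
from math import prod

WINDOW_DAYS = 30  # an EPSS score is the probability of exploitation within the next 30 days


def lev_from_windows(epss_scores, days_in_last_window=WINDOW_DAYS):
    """Probability that a vulnerability was exploited in at least one window.

    Assumption (not taken from the page): successive EPSS scores are treated as
    independent per-window probabilities, so P(at least one exploitation)
    = 1 - prod(1 - p_i). The final window may be shorter than 30 days, in which
    case its score is scaled by the fraction of the window actually observed.
    """
    if not epss_scores:
        return 0.0
    if not 0 < days_in_last_window <= WINDOW_DAYS:
        raise ValueError("days_in_last_window must be in (0, 30]")
    factors = []
    last = len(epss_scores) - 1
    for i, p in enumerate(epss_scores):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"EPSS score out of range: {p}")
        weight = days_in_last_window / WINDOW_DAYS if i == last else 1.0
        factors.append(1.0 - p * weight)
    return 1.0 - prod(factors)


def composite_probability(vuln_id, epss_today, lev, kev_ids):
    """'Augment EPSS': a KEV entry is known exploited (1.0); otherwise take the
    larger of today's EPSS score and the accumulated LEV value, so a vulnerability
    whose EPSS score has since decayed is not dropped from the remediation queue."""
    if vuln_id in kev_ids:
        return 1.0
    return max(epss_today, lev)


def expected_exploited(lev_by_vuln, kev_ids):
    """Expected number of exploited vulnerabilities in a set: KEV members count
    as 1, everything else contributes its LEV probability."""
    return sum(1.0 if v in kev_ids else p for v, p in lev_by_vuln.items())


def kev_coverage(lev_by_vuln, kev_ids):
    """'Measure KEV comprehensiveness': the share of the expected exploited count
    that the KEV list actually names. Returns None when nothing is expected."""
    expected = expected_exploited(lev_by_vuln, kev_ids)
    listed = sum(1 for v in lev_by_vuln if v in kev_ids)
    return listed / expected if expected > 0 else None


# Constructed sample data: placeholder IDs, four 30-day EPSS samples each, and a
# constructed KEV list. None of this comes from NIST, CISA, FIRST or the article.
SAMPLE_EPSS = {
    "VULN-A": [0.02, 0.05, 0.30, 0.60],  # rising interest, never listed in KEV
    "VULN-B": [0.01, 0.01, 0.01, 0.01],  # consistently low
    "VULN-C": [0.50, 0.50, 0.50, 0.50],  # high and already in KEV
}
SAMPLE_KEV = {"VULN-C"}


def lev_table(epss_by_vuln=SAMPLE_EPSS):
    """LEV value for every vulnerability in the sample."""
    return {v: lev_from_windows(scores) for v, scores in epss_by_vuln.items()}


if __name__ == "__main__":
    table = lev_table()
    for v, scores in SAMPLE_EPSS.items():
        print(f"{v}: latest EPSS {scores[-1]:.2f}  LEV {table[v]:.3f}  "
              f"composite {composite_probability(v, scores[-1], table[v], SAMPLE_KEV):.3f}")
    print(f"expected exploited: {expected_exploited(table, SAMPLE_KEV):.2f}")
    print(f"KEV coverage estimate: {kev_coverage(table, SAMPLE_KEV):.2f}")
```

The point of the composite value is the first use in the quote: for VULN-A the accumulated likelihood exceeds its latest EPSS score, so a prioritization based on today's EPSS alone would underweight it. The coverage ratio is the second use: summing per-vulnerability likelihoods gives an expected count of exploited vulnerabilities against which the size of a KEV list can be compared, which is how a list's comprehensiveness can be estimated without knowing which entries are missing.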
However, the researchers emphasize that widespread adoption and effectiveness of the LEV metric will require substantial collaboration with industry partners to provide necessary performance measurements and validation data.
According to the report, the researchers believe that this metric could fundamentally change how organizations approach vulnerability management, allowing security teams to make more informed decisions based on empirical exploitation likelihood rather than theoretical risk scores alone.
As organizations continue to face an expanding attack surface and increasingly sophisticated threats, tools like the LEV metric may prove essential in maintaining effective cybersecurity postures with limited resources.