You’ve heard it before: Sometimes, you have to look back to move forward.
From a cybersecurity perspective, this phrase goes a long way when studying Common Vulnerabilities and Exposures (CVEs).
CVEs have been a pillar in our industry for decades, but how did we get here, what new trends are driving change, and are new vulnerability databases on the horizon?
CVE history 101
Vulnerabilities have existed since the first computer shipped. As a refresher, vulnerabilities, or flaws in technology, provide bad actors unsanctioned access to an organization's devices and information. Or, they can give attackers the ability to take a non-authorized action.
As vulnerabilities began to grow in number, IT and security teams were faced with organizing, prioritizing, and removing these vulnerabilities, but quickly ran into challenges like:
Siloed approaches, with vendors often maintaining private vulnerability databases
Limited ability to share remediation guidance or best practices industry-wide
No consistent process in place to document and address each unique vulnerability
These challenges resulted in the 1999 debut of the CVE system to standardize the classification and severity of known vulnerabilities with numeric identifiers.
1999: CVEs on the scene
Funded by the US Department of Homeland Security's National Cyber Security Division and administered by the MITRE Corporation, the CVE system and its information became publicly available and free for anyone to access.
In 2000, CVEs became the de facto standard, touting benefits like:
A consistent, industry-recognized method for organizing, prioritizing, and mitigating vulnerabilities
The ability to quickly and accurately obtain consistent and specific vulnerability information
Improved mean-time-to-remediate (MTTR) with quick and accurate access to vulnerability details
The early aughts: CVEs recognized industry-wide & Patch Tuesday is born
By the early 2000s, CVEs were an industry-recognized term. Vulnerability management became a “thing.” Some technicians even started dipping their toes into virtualization (with the cloud just a spark in a few early adopters’ eyes, especially Amazon’s…).
Then, 2003 introduced Patch Tuesday as a means for Microsoft and others, such as Adobe, to release software patches and address remediation of CVEs on a monthly cadence. Critical CVEs, needing immediate attention outside of Patch Tuesdays, continued as "out-of-band" releases.
2010 to 2020s: A CVE boom
2010 and beyond brought an influx of nefarious activity from bad actors, from criminal organizations to sovereign countries, ushering in a new era of hacks and techniques.
In response, the CVE identifier format was expanded to allow more digits in the sequence number so the system would not run out of IDs. And cybersecurity finally received the national and global attention it had long deserved. People in every industry were taking cyber resilience seriously.
Patches to address CVEs continued to rise, but staffing often did not, sometimes leaving devices vulnerable for weeks or months – and giving bad actors the upper hand. Unfortunately, these challenges continue today.
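As an added illustration of the identifier change mentioned above (this is not code from the original post): the CVE ID syntax was expanded in January 2014 from a fixed four-digit sequence number to four or more digits. The Python validator below accepts both the legacy and current forms and sorts IDs numerically rather than as strings; the sample identifiers are constructed for the example and are not real CVEs.

```python
import re
from typing import List, Optional, Tuple

# CVE identifier syntax in effect since January 2014: a four-digit year
# followed by a sequence number of four OR MORE digits. Before the change
# the sequence number was fixed at exactly four digits, capping a single
# year at 9,999 identifiers.
_CVE_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<seq>\d{4,})$")


def parse_cve_id(text: str, legacy_only: bool = False) -> Optional[Tuple[int, int]]:
    """Return (year, sequence) for a well-formed CVE ID, else None.

    With legacy_only=True the pre-2014 fixed four-digit rule is enforced,
    which is how an old tool would have rejected the longer IDs.
    """
    m = _CVE_RE.match(text.strip().upper())
    if not m:
        return None
    year, seq = m.group("year"), m.group("seq")
    if legacy_only and len(seq) != 4:
        return None
    # Under the 2014 rules only four-digit sequence numbers are zero-padded;
    # a longer sequence number must not start with a leading zero.
    if len(seq) > 4 and seq[0] == "0":
        return None
    return int(year), int(seq)


def sort_cve_ids(ids: List[str]) -> List[str]:
    """Sort identifiers by (year, sequence) numerically.

    A plain string sort would place CVE-2021-9999 after CVE-2021-10000,
    which is exactly the pitfall the longer sequence numbers introduced.
    """
    parsed = [(parse_cve_id(i), i) for i in ids]
    bad = [i for p, i in parsed if p is None]
    if bad:
        raise ValueError(f"malformed CVE IDs: {bad}")
    return [i for _, i in sorted(parsed)]


# Constructed sample identifiers (not real CVEs) showing the mixed formats
# a vulnerability feed may contain today.
SAMPLE_IDS = ["CVE-2021-10000", "CVE-2021-9999", "CVE-1999-0001"]

if __name__ == "__main__":
    print(sort_cve_ids(SAMPLE_IDS))
```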
Where do CVEs stand now?
Nothing in life is perfect, and unfortunately, that includes CVEs. While CVEs have resolved much of the complexity and vulnerability tracking issues of the past, they still come up short in some instances, such as:
The ongoing debate over whether CVEs give bad actors a head start: does disclosing vulnerabilities publicly make it easier for hackers to exploit them before organizations can remediate them?
CVEs may not contain all of the information needed to run a comprehensive vulnerability management program. That said, does CVE data need to be more inclusive of technical data and best practices? Is it fair to force IT teams to visit vendor websites for more information?
CVEs represent vulnerabilities in unpatched software only. Often, unpatched software is the primary vulnerability, but more modern approaches recognize that there are vulnerabilities beyond software that also need to be identified and mitigated.
Where do we go from here? Is it time for a cloud vulnerability database?
The future direction of CVEs has been top of mind for industry leaders for some time. At RSA Conference 2022, I attended a session dedicated entirely to the topic, called, “Security Industry Call-to-Action: We Need a Cloud Vulnerability Database.”
Why a cloud database? While the benefits of the cloud have been widely adopted, its introduction has thrown a curve ball in the CVE world, creating new issues that maybe only a cloud database can help solve. These issues include:
Multi-cloud environments, each with their own disparate security features, processes and support, add IT complexity
Cloud vulnerabilities, often configuration and identity-related, are typically not in the same wheelhouse as the software-driven CVE database
With no centralized database across discrete cloud vendors and providers, each of whom maintains and tracks its own configurations, there is no cohesive repository of data
With no standard notification process, tracking, or severity scoring, IT must contend with minimal transparency and a broken shared model when new cloud vulnerabilities are introduced.
This begs the question, is it time for a new open cloud vulnerability database?
The answer to this question requires plenty of research, brainstorming, and discussion outside of this blog. However, it’s fair to say it’s probably a necessity and we should all keep our eyes out for a potential new database on the horizon.
Focusing on the future threat landscape
The current threat landscape has continued to evolve with expanding complexity and bad actors jumping at every new opportunity. This evolution continues to put IT and security practitioners in an uncertain place.
One indisputable thing is that the speed at which you patch and remediate CVEs matters. For now, the CVE database appears to be our “lighthouse” across a dark sea of vulnerabilities.
Until such a database exists, I think we can agree the CVE database has been a backbone of addressing vulnerabilities for decades and will continue to be for the foreseeable future.
Until a new, industry-accepted universal database that includes the cloud is constructed, we have a trusted database, packed with useful information, to carry us through the storm of vulnerabilities. Thank goodness for that.