Security teams cannot be expected to analyze and triage a predicted 2,900 new vulnerabilities likely to be published every month throughout 2024. Just twenty per month would be an achievement.

Effective patching is an accepted method of reducing breaches. But it is almost impossible to achieve. The problem is the sheer number of known vulnerabilities, and the difficulty for individual security teams to prioritize which vulnerability to patch first.

Coalition, a cyberinsurance firm with its own security labs researchers has been examining this problem. If the firm can help its customers improve their patch cycle, it will reduce claims and increase profits. The difficulty is the vulnerability problem is worsening, and without intervention in vulnerability management, there will inevitably be more breaches.

The problem

To quantify the threat arising from the number of vulnerabilities as opposed to the threats held within individual vulnerabilities, Coalition’s researchers first trained an autoregressive integrated moving average (ARIMA) model, which is commonly used for forecasting time series data. The reported (PDF) result is the prediction that 34,888 new vulnerabilities will be published in 2024. That’s an average of 2,900 per month, and a 25% increase over the first 10 months of 2023.

It is quite simply too many for security teams to effectively triage without additional help — but it’s essential that they do so. Coalition’s own claims data shows policyholders with even one unpatched critical vulnerability are 33% more likely to experience a claim. 

Right now, the ‘additional help’ is more confusing than helpful. Some of it comes from media reports, and some comes from CVSS scores associated with CVE numbers. The problem with the former is that the threat can be exaggerated, while for the latter, CVE numbers and the CVE database are not always 100% reliable.

The Exim vulnerabilities from October 2023 provide an example. ZDI published an RCE advisory with a CVE number and a CVSS of 9.8 on September 27, 2023 — but not much more information. Jump to the official CVE database, and the number just says ‘Reserved’ (the JSON description says “state”:”RESERVED”,”owning_cna”:”[REDACTED]”). It said that then, and it still says it now, some five months later. Jump to the media. ArsTechnica ran a story headlined, Critical vulnerabilities in Exim threaten over 250k email servers worldwide. The combination of a 9.8 CVSS and 250,000 vulnerable servers is enough to start alarm bells.

Coalition looked deeper. The vulnerability only affected certain configurations of Exim. The firm scanned its own customers and discovered the vulnerable configuration was present in just four of its infrastructures. For the rest of its customers, reacting to the media, searching the CVE database, and trying to figure the direct relevance of this vulnerability to their own IT estate was just a waste of resource.

The Common Vulnerability Scoring System (CVSS) is a metric owned and operated by First Org. It is the method of determining what is considered to be the vulnerability severity score. But that score is not decided by any individual organization, nor is it stored in any single location. By default, the NIST operated National Vulnerability Database (NVD) is the source of truth for CVSS scores. But NVD gets its entries from the CVE database, and if there is no completed CVE entry, there is no NVD entry — and therefore no immediately trusted and verifiable CVSS score.

Despite this, security teams use whatever CVSS they are told as a primary factor in their vulnerability patch triaging — the higher the score, the greater the perceived likelihood of exploitation with a greater potential for harm – and it is likely to be a score applied by the vulnerability researcher.

There is an inevitable delay and confusion (due to ‘responsible disclosure’, possible delays in posting to the CVE database, and an element of subjectivity in the CVSS score). “The delay in CVE scoring often means that defenders face two uphill battles regarding vulnerability management. First, they need a prioritization method to determine which of the thousands of CVEs published each month they should patch,” notes Coalition. “Second, they must patch these CVEs before a threat actor leverages them to target their organization.”

Coalition concluded there must be a better way to get actionable vulnerability information to the right people in a timely fashion.

The solution

There is another widely used threat indicator: CISA’s KEV list. Its primary weaknesses are that it is US-centric and late — it indicates that exploits are happening rather than warning they might happen. “The problem of vulnerability prioritization is how to weigh and combine these different data sources, a problem well suited to machine learning,” suggests Coalition.

This is the basis of Coalition’s vulnerability risk prioritization solution. It scans the separate vendor security advisories, CVSS scores, the KEV catalog, and other sources, compares them to previous CVE descriptions, and uses machine learning to generate the Coalition Exploit Scoring System (ESS). 

It aims to be an early source of truth for security risk managers, generating two scores: the Exploit Availability Probability and the Exploit Usage Probability. It is also dynamic and continuously updated as new information becomes available: “Which is a departure from traditional approaches like CVSS, where scores often remain static after issuing.”

This isn’t the end of Coalition’s approach. It also operates a network of honeypots. These are great tools for capturing malicious intent on the internet, but suffer from a difficulty in separating benign from malicious, and recognizing the specific purpose behind any malicious intent. Nevertheless, they can be a source of 20-20 vision, albeit currently often only in hindsight. 

More than two weeks before Progress published its security advisory. Coalition’s honeypots detected a 1,000% spike in scans for MOVEit technology, but weren’t aware of the significance. The speed of subsequent Cl0p infections suggests the attackers were searching out victims before the victims knew they could become victims. 

Coalition is now working on methods to find malicious intent in honeypot activity, even without understanding the purpose of that activity. “We are slowly rolling out generative AI-enabled tagging rules, enabling us to rapidly review and categorize honeypot traffic. Enhanced traffic tagging will allow us to make better sense of anomalous honeypot traffic in real time,” it says.

The marriage of early activity warnings with dynamic probability of harm scores would undoubtedly enhance more accurate and timely vulnerability triaging efforts. Coalition is an insurance company. Its primary motive is to increase the security of its customers, to decrease their claims against insurance, and thereby increase its own profits.

Nevertheless, the fact they have spent their own money on developing this methodology this far suggests that the use of AI to cut through the noise and confusion of the current vulnerability prioritization approaches suggests an exciting future for AI-assisted approaches to vulnerability triaging.

Related: Google Proposes More Transparent Vulnerability Management Practices

Related: Vulnerability Management Firm Vicarius Raises $30 Million

Related: CISA’s ‘Must Patch’ List Puts Spotlight on Vulnerability Management Processes

Related: Vulnerability Management Fatigue Fueled by Non-Exploitable Bugs