How are you evaluating the risk a vulnerability poses to your org? Are you using the CVSS score, a different scoring system, or doing your own analysis internally?
CVSS should ideally only be used as a starting point, then add context for your own technical environment, architecture and any related threat intelligence you have.
For us, we use a combination of CVSS score, along with scoring from the vuln tool, the position of the system inside the network (taking into consideration segmentation and configuration), plus the context of the system in relation to the business, i.e. we'll patch a business critical system that's internet facing before we patch a system that is not holding important data deep inside the network (unless there is an interface to said critical system). This helps us prioritise.
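One way to turn that prioritisation rule into something a scanner export can be sorted by, as an added example that is not part of the original comment: start from the CVSS base score, then adjust for whether the host is internet facing (directly or transitively through segmentation), and for whether it is business critical or has an interface into a critical system. The hosts, adjacency list, findings and weights below are all constructed assumptions for illustration, not a standard.

```python
"""Contextual prioritisation of scanner findings (added example, not from the thread).

Assumptions (constructed for this example): a finding is a dict with a CVSS base score
and a host name; HOSTS records exposure and business criticality; ADJ is the network
adjacency that survives segmentation rules (src -> hosts it can reach).
"""
from collections import deque

# Constructed sample environment.
HOSTS = {
    "web-01":  {"internet_facing": True,  "critical": True},
    "app-02":  {"internet_facing": False, "critical": True},
    "db-03":   {"internet_facing": False, "critical": True},
    "kiosk-9": {"internet_facing": False, "critical": False},
    "lab-42":  {"internet_facing": False, "critical": False},
}

# Constructed adjacency after segmentation: the kiosk has an interface into the app tier.
ADJ = {
    "web-01": {"app-02"},
    "app-02": {"db-03"},
    "kiosk-9": {"app-02"},
    "lab-42": set(),
}

# Constructed findings; F-* ids are placeholders, not real identifiers.
SAMPLE_FINDINGS = [
    {"id": "F-1", "host": "lab-42",  "cvss": 9.8},
    {"id": "F-2", "host": "web-01",  "cvss": 7.5},
    {"id": "F-3", "host": "kiosk-9", "cvss": 7.5},
    {"id": "F-4", "host": "db-03",   "cvss": 6.5},
]


def _bfs(start, adj):
    """All hosts reachable from the given start hosts, including the starts themselves."""
    seen, queue = set(), deque(start)
    while queue:
        h = queue.popleft()
        if h in seen:
            continue
        seen.add(h)
        queue.extend(adj.get(h, ()))
    return seen


def exposed_hosts(adj=ADJ, hosts=HOSTS):
    """Hosts reachable directly or transitively from any internet-facing host."""
    return _bfs([h for h, a in hosts.items() if a["internet_facing"]], adj)


def touches_critical(host, adj=ADJ, hosts=HOSTS):
    """True if the host is critical or can reach a critical host (the 'interface' case)."""
    return any(hosts[h]["critical"] for h in _bfs([host], adj))


def priority(finding, adj=ADJ, hosts=HOSTS, exposed=None):
    """CVSS base score adjusted for environment context; higher means patch sooner.

    The +3.0 / +1.5 / +2.0 weights are illustrative assumptions chosen so that an
    internet-facing critical system outranks an isolated one regardless of base score.
    """
    if exposed is None:
        exposed = exposed_hosts(adj, hosts)
    host = finding["host"]
    score = finding["cvss"]
    if hosts[host]["internet_facing"]:
        score += 3.0          # directly reachable from the internet
    elif host in exposed:
        score += 1.5          # reachable only through an internet-facing host
    if touches_critical(host, adj, hosts):
        score += 2.0          # critical itself, or has an interface into a critical system
    return round(score, 1)


def rank(findings, adj=ADJ, hosts=HOSTS):
    """Findings ordered by contextual priority, highest first."""
    exposed = exposed_hosts(adj, hosts)
    return sorted(findings, key=lambda f: priority(f, adj, hosts, exposed), reverse=True)


if __name__ == "__main__":
    for f in rank(SAMPLE_FINDINGS):
        print(f["id"], f["host"], f["cvss"], "->", priority(f))
```

With the constructed data the 6.5 on db-03 (reachable from the DMZ, holds critical data) ranks above the 9.8 on the isolated lab host, which is exactly the ordering the comment describes; swap in your own adjacency and weights rather than the placeholders.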
Currently, we are using the risk score calculated by our vulnerability scanning solution. I am not a fan of this approach, because it is based upon the number of vulnerabilities and their CVE score.
I prefer a measurement which we have more control over, because the number of vulnerabilities in our environment is based more on how good the hackers are versus how good we are. The metric I am working to introduce is either average age of a vulnerability or mean time to repair, both of these metrics are how good the team is at fixing issues. I am leaning towards the former because I can easily calculate this number from our vulnerability scanning solution.
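The two metrics named above, average age of open vulnerabilities and mean time to repair, computed from a scanner export, as an added example that is not part of the original comment. The CSV layout (id, host, severity, first_seen, fixed_on, status) and the rows are constructed for illustration and do not match any particular vendor's export format; the F-* ids are placeholders, not real identifiers.

```python
"""Vulnerability age and mean time to repair from a scanner export (added example).

Assumed export columns (constructed, not a vendor schema):
id,host,severity,first_seen,fixed_on,status   with ISO dates and fixed_on empty while open.
"""
import csv
import io
from datetime import date

# Constructed sample export.
SAMPLE_EXPORT = """\
id,host,severity,first_seen,fixed_on,status
F-1001,web-01,high,2024-01-10,2024-01-20,fixed
F-1002,app-02,critical,2024-02-01,2024-02-05,fixed
F-1003,db-03,medium,2024-01-01,,open
F-1004,lab-42,low,2024-02-15,,open
F-1005,kiosk-9,high,2024-01-25,2024-02-24,fixed
"""


def parse_export(text):
    """Parse the CSV export into dicts with real date objects (fixed_on is None while open)."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "id": r["id"],
            "host": r["host"],
            "severity": r["severity"],
            "first_seen": date.fromisoformat(r["first_seen"]),
            "fixed_on": date.fromisoformat(r["fixed_on"]) if r["fixed_on"] else None,
            "status": r["status"],
        })
    return rows


def _mean(values):
    return sum(values) / len(values) if values else 0.0


def average_open_age_days(findings, as_of, severity=None):
    """Mean days each still-open finding has been known, measured on the as_of date.

    This only depends on how long the team leaves things unfixed, not on how many
    new findings arrive, which is the property the comment is after.
    """
    ages = [(as_of - f["first_seen"]).days
            for f in findings
            if f["status"] == "open" and (severity is None or f["severity"] == severity)]
    return _mean(ages)


def mttr_days(findings, severity=None):
    """Mean days from first_seen to fixed_on over findings that have been fixed."""
    durations = [(f["fixed_on"] - f["first_seen"]).days
                 for f in findings
                 if f["fixed_on"] is not None and (severity is None or f["severity"] == severity)]
    return _mean(durations)


if __name__ == "__main__":
    fs = parse_export(SAMPLE_EXPORT)
    print("avg open age (days):", average_open_age_days(fs, date(2024, 3, 1)))
    print("MTTR all (days):", round(mttr_days(fs), 1))
    print("MTTR high (days):", mttr_days(fs, severity="high"))
```

Splitting both metrics by severity is worth doing from the start: a single blended MTTR hides a slow critical-fix pipeline behind fast low-severity closures. Note that the age metric needs an as_of date that matches the scan date, otherwise findings closed between the export and the calculation are counted as still open.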
Upon the official release of CVSS v4 in Nov 2023, it was anticipated that the National Vulnerability Database (NVD) might commence issuing updates in alignment, as NVD is also the most often used vulnerability classification database alongside CVSS. This timeframe was also when we thought that a broader uptake of CVSS v4 would begin to take shape among the various vendors in the vulnerability identification game (Qualys, Tenable etc.), but it seems like that hasn't happened as yet, and Microsoft Defender, which uses Qualys as its engine, still maintains its own prioritisation formula. Until that happens, read the article below and use the 3 approaches mentioned therein. It's not as straightforward, and it needs some procedural definitions and application classification, but it makes the most sense to me.
https://www.brinqa.com/blog/stop-prioritizing-vulnerabilities-by-cvss-score-use-these-3-approaches-instead/