Twitter logo on computer screen through a magnifying glass showing vulnerability management based on mentions

Is Twitter the Best Tool for Vulnerability Management? Study Finds Twitter Mentions Outperform CVSS by 2x

Twitter is sometimes accused of being a waste of time, but a new report indicates that it may have great value as a vulnerability management tool.

A study from Cisco subsidiary Kenna Security finds that Twitter mentions are twice as good as the Common Vulnerability Scoring System (CVSS) when it comes to measuring an organization’s potential exploitability. This comes amidst a general industry trend away from CVSS scores as a standard for this sort of evaluation, an approach that even the Cybersecurity and Infrastructure Security Agency (CISA) has been adopting as of late.

Simulation shows that CVSS is lagging as a vulnerability management indicator

CVSS is a long-used industry open standard (first issued in 2005) that is widely deployed for assigning severity ratings to vulnerabilities that are found during scans, in turn allowing organizations to prioritize them.

While this stalwart vulnerability management system received a fairly recent update in 2019, there has been much talk in the last two years of moving away from it given that scores are assigned off of an initial assessment that often proves to be inaccurate over time. There is no mechanism to regularly re-evaluate these initial scores in the weeks and months after initial discovery, when vulnerabilities can prove to be more severe than was initially determined.

Kenna’s annual Prioritization to Prediction (P2P) report, the eighth of its kind, provides more evidence for the growing case against CVSS. The scope of the report is far beyond simply examining CVSS; it seeks to determine exactly how realistic it is to expect to evaluate the exploitability/remediability of an entire organization with reasonable accuracy. Part of this involves testing commonly used approaches to vulnerability management, and this is where we get nuggets such as Twitter mentions outperforming CVSS as a warning indicator on a 2:1 basis.

One of the central issues with continuing to use CVSS is that it was simply not designed for the scale or pace of vulnerability management in the modern threat landscape. It was fine for the mid-00s, when new vulnerabilities numbered in the hundreds and only a few were classed as “high risk.” Not so much for 2021, where the number of never before observed vulnerabilities has ballooned to about 12,000 per year and known risks sit at several additional thousand.

There are also more holes to exploit than ever. The report finds that 87% of organizations have open vulnerabilities in at least a quarter of their active assets, and 41% of them show vulnerabilities in three of every four assets. 75% of organizations have more than 1 in 4 assets that can be readily exploited, and for 19% of organizations it’s 3 in 4 of these assets. And the assets themselves are widely vulnerable, with 95% expected to have at least one lurking in the code somewhere.

And how exploitable are the entries on the now-sprawling CVE list? Most do have an extremely low (less than 1%) chance of exploitation. But 32.5% now have an up to 10% expectation of being exploited, and 4.9% are over 10% in likelihood. But when adjusted for the software that corporations most commonly use, the vulnerabilities that are over 10% likely to be exploited rise to 11.6% of the presence in these systems.

Twitter mentions emerge as a viable vulnerability management component

Of the realistic vulnerability management strategies examined in this report, Twitter mentions were second only to having the exploit code available and monitoring of all assets (a prevalence approach). Prioritizing those vulnerabilities with the fastest remediation rates also came in as a slightly superior strategy to using CVSS scores. CVSS was also only slightly better than a random approach, and worrying close to parity with doing nothing.

In addition to optimal strategy, organizations also want to increase remediation capacity. The report tested how adding capacity impacted each strategy; each stayed in relatively the same ranking order regardless of this, with CVSS only passing a median-capacity Twitter if it was juiced up with very high capacity. High capacity monitoring of Twitter also proved superior to a lower-capacity prevalence approach.

Ed Bellis, Kenna Co-Founder and CTO, had the following suggestions for organizations looking to increase remediation capacity while also improving their choice of strategy: “To increase remediation capacity organizations should set specific patch deadlines or SLAs, have separate teams for finding and fixing vulnerabilities, and use automated patching tools as much as possible. We explored this in further detail in our Prioritization to Prediction Volume 4 report.”

This year’s report concludes with a prediction that next year will bring an increased emphasis on none other than prediction in vulnerability management; tools to analyze the expected impact of vulnerabilities will be of increased importance as these total numbers continue to spiral even farther out of control. In the meantime, the parting advice is copied from CISA’s current guidelines: establish a process for ongoing remediation of exploited vulnerabilities, remediate vulnerabilities according to the timelines established by CISA, and report on the status of exploited vulnerabilities in accordance with Continuous Diagnostics and Mitigation (CDM) requirements.