As the former CISO (retired) of Paramount, Pete Chronis is a respected cybersecurity leader with Fortune 10/100/500 experience. Pete serves as an advisor, investor, and strategic consultant to cybersecurity startups.
Traditional vulnerability management is dead – and if you're still relying solely on CVSS base scores to prioritize your security efforts, you're fighting tomorrow's battles with yesterday's weapons. After two decades in cybersecurity leadership roles, I've witnessed firsthand how this outdated approach is failing organizations. The uncomfortable reality is that while we're generating more vulnerability data than ever before – with over 80 new CVEs published daily and a staggering 20% year-over-year increase – we're not getting better at preventing breaches. In fact, we're drowning in a sea of false positives while missing the critical weaknesses that actually matter. Let me tell you why this needs to change.
A Personal Wake-up Call
In 2022, as CISO of a Fortune 100 company, I faced a crisis that changed my perspective forever. Our team was drowning in a sea of "critical" and zero-day vulnerabilities. There was really no way a modern, technology-driven organization could properly keep up with the millions of new vulnerabilities we were detecting each month.
I remember sharing the vital performance stats on our vulnerability management program with the Board. We were fixing millions of issues a month – but, when we looked into the future, our capacity to discover vulnerabilities would soon outpace our ability to fix them. That's when I admitted that the traditional vulnerability management playbook wasn't just inefficient – it would soon be fundamentally broken. And I suspect for many organizations, it is already broken. I was very clear in that meeting that we would be building a strategy that would lead to a complete paradigm shift in how we approached vulnerabilities and how we addressed risk.
Here's an inconvenient truth that many security vendors won't tell you: base CVSS scores, while useful as a starting point, are misleading at best and dangerous at worst when used in isolation. The problem lies in their fundamental design – CVSS base scores are theoretical measures of severity that ignore real-world context. They're like measuring hurricane risk solely based on wind speed, while ignoring population density, infrastructure resilience, and historical patterns.
Understanding Compensating Controls: A Layered Defense
Modern vulnerability management reveals a sophisticated interplay between base risk scores and defensive measures. A vulnerability might be published with a concerning base risk score of 8.5, but the actual applicable risk can be significantly reduced through multiple layers of controls. The first layer typically consists of network controls, including firewalls, network segmentation, and access control lists. These are complemented by host controls at the system level, such as endpoint security and host-based firewalls. The final layer incorporates cloud controls, which provide additional security through virtual network isolation and cloud-native security tools.

When these controls work in concert, they can substantially reduce the effective risk score. As shown in the visualization, a base risk of 8.5 can be reduced to 4.4 through proper implementation of controls, a 4.1-point reduction attributable to the controls configuration. This demonstrates how defensive layers can effectively mitigate potential threats when properly implemented and maintained. We also want to know when these controls are not implemented effectively, since in that case we may want to increase the assessed risk. The challenge is: how do we assess the effectiveness of our controls in an automated, scalable way?
EPSS: A Good Step in the Right Direction
The Exploit Prediction Scoring System (EPSS) represents a significant advancement in vulnerability assessment. It provides probability-based scoring for vulnerability exploitation while incorporating real-world attack data. Through dynamic updates based on current threat intelligence, EPSS offers a more nuanced view of risk that considers the actual likelihood of exploitation rather than just theoretical impact.
Real-world intelligence should be a key (but not sole) factor in driving your prioritization, and this is where the Exploit Prediction Scoring System (EPSS) excels. Unlike base CVSS scoring, which measures theoretical severity, EPSS provides a probability score between 0 and 1 that predicts the likelihood of a vulnerability being exploited in the wild over the next 30 days. For example, a vulnerability with an EPSS score of 0.8 has an 80% chance of being exploited in the coming month.
EPSS achieves this through a sophisticated machine learning model trained on real-world exploitation data. The model analyzes multiple factors including the vulnerability's characteristics, the affected product's market share, previous exploitation patterns, and current threat actor behaviors. What makes EPSS particularly powerful is its dynamic nature – scores are updated daily based on new exploitation data, allowing you to adapt your prioritization as threats evolve.
Let me give you a concrete example: In a recent incident, we encountered two vulnerabilities. The first had a CVSS score of 9.8 but an EPSS score of 0.001, indicating a less than 0.1% chance of exploitation. The second had a CVSS score of 7.5 but an EPSS score of 0.52, suggesting a 52% chance of exploitation. Traditional vulnerability management would have prioritized the first vulnerability, but by using EPSS, we focused on the second – which was actively being exploited.
EPSS becomes even more powerful when combined with other threat intelligence sources. By monitoring active exploitation in your industry and tracking threat actor behaviors and trends, you can make informed decisions about what truly needs your attention first. This means subscribing to threat feeds, participating in industry sharing groups, and maintaining close relationships with your incident response team to understand what threats are actually targeting your organization.
By moving beyond base CVSS scores and incorporating real-world context – compensating controls, exploitation likelihood, and environmental factors – we reduced our "critical and high risk" vulnerabilities by 90%. Moving to this new prioritization process would allow us to patch our riskiest issues now and allow less risky issues to be addressed during our IT team’s normal maintenance windows.
The Path Forward
Modern vulnerability management requires a fundamental shift in thinking. Even EPSS, good as it is, is not without its limitations: it factors in only threat intelligence. Modern risk management can and should also factor in considerations such as runtime presence, network reachability, and the aforementioned compensating controls when deriving a clearer picture of the risk applicable to one’s unique environment.
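As an added example (not from the article, and not Zafran's or any vendor's method), the following Python model ranks findings by combining the factors above: CVSS base, EPSS probability, verified compensating-control layers, network reachability and runtime presence. The control weights and exposure discounts are assumptions chosen so that the article's figures reproduce: all three layers remove 4.1 points from an 8.5 base, and the 9.8/0.001 finding ranks below the 7.5/0.52 one.

```python
from dataclasses import dataclass, field

# Assumed credit per verified control layer. These weights are an assumption for
# this example, chosen so that all three layers together remove 4.1 points and a
# base score of 8.5 lands at 4.4, the figure used in the article; they are not
# a published standard.
CONTROL_WEIGHTS = {"network": 1.5, "host": 1.4, "cloud": 1.2}


@dataclass
class Finding:
    ident: str              # placeholder label, not a real CVE id
    cvss_base: float        # theoretical severity, 0-10
    epss: float             # EPSS probability of exploitation in the next 30 days
    reachable: bool = True  # exposed on a network path an attacker can reach
    running: bool = True    # vulnerable component actually present at runtime
    controls: set = field(default_factory=set)  # layers verified as effective


def adjusted_severity(f: Finding) -> float:
    """CVSS base minus credit for control layers that were verified effective."""
    credit = sum(CONTROL_WEIGHTS.get(layer, 0.0) for layer in f.controls)
    return round(max(0.0, f.cvss_base - credit), 1)


def priority_score(f: Finding) -> float:
    """Contextual risk: adjusted severity weighted by likelihood and exposure.

    Unreachable or non-running components are discounted, not zeroed, because
    those facts can change before the next scan. The factors are assumptions.
    """
    exposure = (1.0 if f.reachable else 0.3) * (1.0 if f.running else 0.2)
    return round(adjusted_severity(f) * f.epss * exposure, 3)


def rank(findings):
    """Highest contextual risk first, CVSS base as the tiebreaker."""
    return sorted(findings, key=lambda f: (priority_score(f), f.cvss_base), reverse=True)


# Constructed sample findings mirroring the cases the article describes.
SAMPLE = [
    Finding("EXAMPLE-A", cvss_base=9.8, epss=0.001),
    Finding("EXAMPLE-B", cvss_base=7.5, epss=0.52),
    Finding("EXAMPLE-C", cvss_base=8.5, epss=0.30, controls={"network", "host", "cloud"}),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{f.ident}: cvss={f.cvss_base} epss={f.epss} "
              f"adjusted={adjusted_severity(f)} priority={priority_score(f)}")
```

In practice the `controls` set would be populated by automated control-effectiveness checks rather than by hand, which is exactly the scaling problem the compensating-controls section raises.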
Solutions like Zafran are leading this revolution by helping organizations automate the assessment of compensating controls, integrate real-world exploitation data, predict and prevent likely incidents, and scale modern risk management principles across the hybrid enterprise.
The key is to focus on operationalizing this modern approach. This means integrating vulnerability management into your development lifecycle, automating assessment and prioritization workflows, and building feedback loops that continuously improve your risk assessment accuracy. It means breaking down silos between security, operations, and development teams to create a unified approach to risk management.
Conclusion
The future of vulnerability management isn't about patching everything – it's about patching the right things at the right time. Organizations that continue to rely solely on CVSS base scores will find themselves increasingly vulnerable in an evolving threat landscape. The choice is clear: evolve your approach or accept unnecessary risk.
Remember, security is not about checking boxes or following outdated playbooks. It's about making informed decisions based on real-world context and actual risk. The death of traditional vulnerability management isn't just inevitable – it's necessary for our industry's evolution. Those who embrace this change will not only improve their security posture but will also deliver more value to their businesses through more efficient and effective risk management.