CISA: 3 Steps to Improve Cybersecurity Vulnerability Management

November 14, 2022 - New cybersecurity vulnerabilities are a constant challenge for organizations of all sizes, Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA) wrote in a recent blog post.

The information may be useful for the healthcare sector, an industry that is known to face challenges with device security and managing ever-changing cyber threats. In addition, the sector is an appealing target to threat actors, who often go after unpatched vulnerabilities to exploit victims.

“Organizations with mature vulnerability management programs seek more efficient ways to triage and prioritize efforts. Smaller organizations struggle with understanding where to start and how to allocate limited resources,” Goldstein wrote.

“Fortunately, there is a path toward more efficient, automated, prioritized vulnerability management.”

The agency suggested three “critical steps” aimed at advancing and streamlining the vulnerability management ecosystem. First, the blog post emphasized the need for automation within vulnerability management programs in order to keep pace with the current cyber threat landscape.

“Software vendors work constantly to understand if their products are impacted by a new vulnerability,” Goldstein reasoned.

“To meet this timeframe, our community needs a standardized approach for vendors to disclose security vulnerabilities to end users in an accelerated and automated way.”

As a potential solution, CISA directed critical infrastructure organizations to the OASIS Common Security Advisory Framework (CSAF). CSAF delivers a standardized format for vulnerability advisory information. Using CSAF, vendors can “dramatically reduce the time required for enterprises to understand organizational impact and drive timely remediation,” CISA suggested.

Second, Goldstein championed the adoption of Vulnerability Exploitability eXchange (VEX), which allows vendors to clarify whether certain vulnerabilities impact their products.

“To help reduce effort spent by users investigating vulnerabilities, vendors can issue a VEX advisory that states whether a product is or is not affected by a specific vulnerability in a machine readable, automated way,” the blog post stated.

“VEX is implemented as a profile in CSAF and is one of its more popular use cases, aligning with the existing work supporting machine-readable advisories.”

VEX data may also be useful in supporting more effective use of software bill of materials (SBOM) data because WEX documents support linking to an SBOM.

Lastly, CISA encouraged every organization to prioritize vulnerability management resources via frameworks like the Stakeholder Specific Vulnerability Categorization (SSVC), which prioritizes a vulnerability based on its exploitation status.

While the vulnerability management process might look different for the healthcare sector, it is imperative that all key stakeholders address vulnerabilities in a timely manner and establish efficient processes for vulnerability management.