Does CISA's KEV Catalog Speed Up Remediation?

Published: 23/11/2024   Category: security

Vulnerabilities added to the CISA known exploited vulnerability (KEV) list do indeed get patched faster, but not fast enough.



RSA CONFERENCE 2024 – San Francisco –
When the Cybersecurity and Infrastructure Security Agency (CISA) first introduced the Known Exploited Vulnerabilities (KEV) catalog in 2021, the intent was to give government agencies and enterprises a heads-up about the riskiest threats being exploited in the wild. Nearly three years later, research shows the KEV list is speeding up remediation times, but there's more work to be done.
Former Congressman Jim Langevin, who was behind CISA's Binding Operational Directive (BOD) 22-01 that created the KEV list, explains to Dark Reading that the intent was to give enterprises the same information being shared with government agencies about which vulnerabilities posed the greatest risk and should therefore be prioritized for remediation. Federal agencies are required to mitigate vulnerabilities added to the KEV list; enterprises are not.
In order for a flaw to be added to the KEV list, it must have an assigned CVE, be known to have been exploited in the wild, and have clear remediation guidance available, such as a vendor update. The deadlines CISA imposes on federal agencies vary from one week to six months, with vulnerabilities used in ransomware treated with the most urgency, according to data from a new Bitsight report that set out to evaluate whether the list is working effectively.
Bitsight reported that 35% of organizations had a KEV in their environment in 2023; of those, 66% had more than one, 25% had more than five, and 10% had more than 10.
Among medium-severity vulnerabilities, there is almost no difference in remediation speed, the report said. However, the median critical KEV is remediated 2.6 times faster than a non-KEV counterpart, and high-severity KEVs are remediated 1.8 times faster than non-KEVs.
Langevin is encouraged by the improvement in remediation timelines, but many organizations are still struggling. Bugs that are being used in ransomware campaigns appear to get top priority for remediation among enterprise teams, the data showed.
"If we average out the relative drops, ransomware KEVs are fixed 2.5x faster (on average) than KEVs not known to be used in ransomware," the report added.
Meanwhile, non-profits and NGOs are the slowest to remediate, while technology companies and insurance and financial firms are the fastest.
Federal agencies also often struggle to meet CISA's stated deadlines, but they remediate a full 65% faster than all other sectors, Bitsight found. Only about 40% of vulnerabilities on the KEV list get fixed by the deadline, the report added.
To get faster, it's necessary for enterprises to stand up an effective vulnerability management program at the corporate level and to gather context about each threat from the KEV list and other sources. Importantly, the Bitsight researchers urge organizations to measure their remediation rates, with accountability for moving too slowly.
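The measurement the report calls for can be automated against the KEV feed itself. The following script is an added example, not code from the article, Dark Reading or Bitsight: it cross-references scanner findings with a KEV-style feed, ranks open items (ransomware KEVs first, then other KEVs, then the rest), and computes the median days-to-fix for KEV versus non-KEV findings plus the share of KEVs closed by the catalog due date. The field names (cveID, dateAdded, dueDate, knownRansomwareCampaignUse) follow the public CISA KEV JSON feed; the catalog entries, the findings format and the placeholder CVE IDs below are constructed sample data, not real records.

```python
"""Cross-reference scanner findings with a KEV-style feed, rank open items and
measure remediation speed for KEV versus non-KEV findings.

Added example; not code from the article or from Bitsight. Field names follow
the public CISA KEV JSON feed; the entries and findings below are CONSTRUCTED
sample data with placeholder CVE IDs, not real catalog records.
"""
from __future__ import annotations

import json
from datetime import date
from statistics import median

# Constructed stand-in for the KEV feed. The real one is published at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
KEV_FEED_JSON = """
{
  "title": "constructed sample, not the CISA catalog",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCo", "product": "EdgeGateway",
     "dateAdded": "2024-01-10", "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCo", "product": "Agent",
     "dateAdded": "2024-02-01", "dueDate": "2024-02-22", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleCo", "product": "Portal",
     "dateAdded": "2024-03-05", "dueDate": "2024-03-26", "knownRansomwareCampaignUse": "Known"}
  ]
}
"""

# Constructed scanner findings (hypothetical format). first_seen: first scan that
# reported the CVE on the asset; fixed: first scan that no longer did (None = open).
FINDINGS = [
    {"asset": "vpn-01", "cve": "CVE-0000-0001", "severity": "critical", "first_seen": "2024-01-12", "fixed": "2024-01-20"},
    {"asset": "vpn-02", "cve": "CVE-0000-0001", "severity": "critical", "first_seen": "2024-01-12", "fixed": "2024-02-15"},
    {"asset": "app-01", "cve": "CVE-0000-0002", "severity": "high",     "first_seen": "2024-02-03", "fixed": "2024-02-20"},
    {"asset": "app-02", "cve": "CVE-0000-0003", "severity": "critical", "first_seen": "2024-03-05", "fixed": None},
    {"asset": "db-01",  "cve": "CVE-0000-0100", "severity": "critical", "first_seen": "2024-01-12", "fixed": "2024-02-21"},
    {"asset": "db-02",  "cve": "CVE-0000-0101", "severity": "high",     "first_seen": "2024-02-01", "fixed": "2024-03-10"},
    {"asset": "web-01", "cve": "CVE-0000-0102", "severity": "high",     "first_seen": "2024-02-10", "fixed": None},
    {"asset": "web-02", "cve": "CVE-0000-0103", "severity": "high",     "first_seen": "2024-02-10", "fixed": "2024-03-20"},
]

TODAY = date(2024, 4, 1)  # fixed "now" so the sample is reproducible
TIERS = ("kev-ransomware", "kev", "non-kev-critical", "non-kev")


def load_kev(feed_text: str) -> dict[str, dict]:
    """Index a KEV-format feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}


def days_to_fix(finding: dict) -> int | None:
    """Days between first detection and closure; None while the finding is open."""
    if finding["fixed"] is None:
        return None
    return (date.fromisoformat(finding["fixed"]) - date.fromisoformat(finding["first_seen"])).days


def tier_of(finding: dict, kev: dict[str, dict]) -> int:
    """0 = KEV used in ransomware, 1 = other KEV, 2 = non-KEV critical, 3 = rest."""
    entry = kev.get(finding["cve"])
    if entry is not None:
        return 0 if entry.get("knownRansomwareCampaignUse") == "Known" else 1
    return 2 if finding["severity"] == "critical" else 3


def prioritize(findings: list[dict], kev: dict[str, dict], today: date = TODAY) -> list[tuple]:
    """Open findings as (tier, asset, cve, days_past_kev_due), most urgent first.
    Within a KEV tier the most overdue item sorts first; non-KEVs carry None."""
    rows = []
    for f in findings:
        if f["fixed"] is not None:
            continue
        t = tier_of(f, kev)
        overdue = None
        if t < 2:  # only KEV entries carry a catalog due date
            overdue = (today - date.fromisoformat(kev[f["cve"]]["dueDate"])).days
        rows.append((t, -(overdue or 0), f["asset"], f["cve"], overdue))
    rows.sort()
    return [(TIERS[t], asset, cve, overdue) for t, _, asset, cve, overdue in rows]


def remediation_stats(findings: list[dict], kev: dict[str, dict], today: date = TODAY) -> dict:
    """Median days-to-fix for KEV vs non-KEV findings, the resulting speed-up,
    and the share of KEV findings closed on or before the catalog due date."""
    kev_days, other_days, met, decided = [], [], 0, 0
    for f in findings:
        d = days_to_fix(f)
        entry = kev.get(f["cve"])
        if entry is None:
            if d is not None:
                other_days.append(d)
            continue
        if d is not None:
            kev_days.append(d)
        due = date.fromisoformat(entry["dueDate"])
        if f["fixed"] is not None:
            decided += 1
            met += date.fromisoformat(f["fixed"]) <= due
        elif today > due:  # still open and past due counts as a miss
            decided += 1
        # open and not yet due: undecided, not counted either way
    return {
        "median_days_kev": median(kev_days) if kev_days else None,
        "median_days_non_kev": median(other_days) if other_days else None,
        "kev_speedup": (median(other_days) / median(kev_days)) if kev_days and other_days else None,
        "kev_due_date_compliance": met / decided if decided else None,
    }


if __name__ == "__main__":
    kev = load_kev(KEV_FEED_JSON)
    for row in prioritize(FINDINGS, kev):
        print(row)
    print(remediation_stats(FINDINGS, kev))
```

Two caveats when using this against the real feed: the dueDate field is the BOD 22-01 deadline that binds federal agencies, so for an enterprise it is a benchmark rather than an obligation; and the days-to-fix here run from first scanner detection, which is not the same baseline Bitsight uses, so the resulting ratios are comparable within your own environment, not with the report's figures.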
At its most fundamental, Langevin views the KEV list as an information source to provide context around the threat landscape.
Bitsight's VP of government affairs, Jake Olcott, adds that the KEV list should help teams identify which bugs should be elevated to the highest levels of the business.
"KEVs are exactly the kind of vulns that should be discussed at the board level," Olcott explains to Dark Reading. "It helps articulate not just the cyber risk, but the business risk."
