The National Vulnerability Database (NVD) Crisis: Defend Against Unpatched Vulnerabilities
Update on the National Vulnerability Database (NVD) Crisis and urgent need for virtual patching alternatives to cover the gap
Posted: Tuesday, Aug 06

The NVD Crisis: Gaps and Delays in Vulnerability Analysis

Since February 12th, 2024, the NVD has nearly halted its analysis of published Common Vulnerabilities and Exposures (CVEs), leaving a staggering 42% of CVEs without critical metadata such as severity (CVSS) scores and affected product information, with thousands of vulnerabilities carrying the status “AWAITING ANALYSIS”. As of March 11th, the NVD listing contains over 2,400 entries that have not been enriched. NIST hasn’t provided a specific reason for this halt in analysis, hinting at process improvements and referring to the creation of an unspecified “consortium”.

Notification appearing on NVD listings from February 12th onwards (source: NIST)

 

This absence of timely analysis data poses significant risks to organizations that rely on NVD for vulnerability prioritization and remediation.

Without up-to-date severity scores and affected product details, organizations are left in the dark about the potential impact and urgency of newly discovered vulnerabilities. This lack of information hinders their ability to make informed decisions about patch management and risk mitigation strategies, ultimately increasing their attack surface and exposing them to potential breaches.

Comparison between the number of published CVEs (green) and the number of analyzed CVEs (red). Analysis has noticeably halted since mid-February (source: Anchore.com)

 

Morphisec’s Automated Moving Target Defense: Proactive Protection Against Unpatched Vulnerabilities

Morphisec’s Automated Moving Target Defense (AMTD) technology offers a powerful solution to bridge the gap created by the NVD’s delayed analysis. AMTD proactively prevents attacks on unpatched operating system and application vulnerabilities by continuously morphing the attack surface, making it impossible for attackers to exploit known vulnerabilities.

Unlike traditional security solutions that rely on signature-based detection or behavioral analysis, AMTD operates at the memory level, randomizing and shifting the location of critical system components. This dynamic and unpredictable nature of AMTD renders attack vectors ineffective, as attackers cannot rely on static memory locations to execute their malicious code.

By providing immediate protection against unpatched vulnerabilities, AMTD allows organizations to maintain a strong security posture even in the absence of timely NVD analysis data. This proactive defense mechanism buys time for organizations to prioritize and address vulnerabilities based on their own risk assessments and business requirements, rather than being solely dependent on external vulnerability databases.

 

Virtual Patching: Extending Protection and Ensuring Compliance

In addition to AMTD, Morphisec’s virtual patching capabilities further enhance an organization’s ability to mitigate risks associated with unpatched vulnerabilities. Virtual patching acts as a compensating control, providing interim protection until official vendor patches are released and deployed.

Virtual patching is particularly crucial for end-of-life systems and applications that no longer receive vendor support or security updates. By implementing virtual patches, organizations can extend the life of these legacy systems without compromising their security posture or violating compliance requirements such as PCI DSS and HIPAA.

Morphisec’s virtual patching solution is lightweight and easy to deploy, with minimal impact on system performance. It enables organizations to adhere to their planned patching schedules without the need for emergency patching or business disruptions. This flexibility allows IT teams to allocate their resources more effectively and focus on strategic initiatives rather than constantly firefighting vulnerabilities.

 

Vulnerability Prioritization: Risk-driven Remediation Recommendations to Streamline Patching Efforts

In parallel to the compensating controls and virtual patching provided by AMTD, Morphisec’s Vulnerability Prioritization helps streamline patching efforts by providing risk-driven remediation recommendations tailored to business context, and by enriching CVEs with EPSS (Exploit Prediction Scoring System) scores and CISA KEV (Known Exploited Vulnerabilities) listing information.

Application usage varies across organizations. Morphisec groups vulnerabilities by business function and asset (e.g. financial servers), by host and by application, and maps actual usage. Together with the EPSS and CISA KEV enrichment, this lets security teams prioritize patching according to several strategies that reflect the organization’s actual risk, saving costly resources and achieving an effective reduction of real exposure to vulnerabilities.
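The two problems described above, unenriched NVD entries that carry no CVSS score and the need to still rank them using EPSS, CISA KEV and business context, can be worked through in a short triage script. The following is an added example, not code from the original post and not Morphisec's product logic: the input shapes follow the public NVD API 2.0 JSON, the FIRST EPSS CSV feed and the CISA KEV JSON feed, but every record, CVE id, host name and EPSS value below is constructed sample data, and the scoring weights (KEV first, then EPSS, then CVSS where present, then asset exposure) are an assumed illustration of a risk-driven ordering.

```python
"""Triage CVEs when NVD enrichment is missing.

Input shapes mirror the NVD API 2.0 JSON, the FIRST EPSS CSV feed and the
CISA KEV JSON feed; every record below is constructed sample data, not real
vulnerability information.
"""
import csv
import io
import json

# Constructed NVD API 2.0-style records. Two are still "Awaiting Analysis" and
# carry no CVSS metrics, which is the gap the article describes.
NVD_JSON = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-2024-90001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}},
    {"cve": {"id": "CVE-2024-90002", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
    {"cve": {"id": "CVE-2024-90003", "vulnStatus": "Awaiting Analysis"}},
    {"cve": {"id": "CVE-2024-90004", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 5.3, "baseSeverity": "MEDIUM"}}]}}},
]})

# Constructed EPSS feed in the FIRST CSV layout: a '#' metadata line, then cve,epss,percentile.
EPSS_CSV = """#model_version:v2023.03.01,score_date:2024-03-11T00:00:00+0000
cve,epss,percentile
CVE-2024-90001,0.02100,0.88000
CVE-2024-90002,0.71300,0.99600
CVE-2024-90003,0.00400,0.61000
CVE-2024-90004,0.00200,0.45000
"""

# Constructed KEV feed in the CISA JSON layout.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-90003", "vendorProject": "ExampleVendor",
     "product": "ExampleProduct", "dueDate": "2024-04-01"}]})

# Constructed asset inventory: hosts running the affected software and the
# business function each host serves (the "business context" of the article).
ASSETS = {
    "CVE-2024-90001": [{"host": "dev-01", "function": "development"}],
    "CVE-2024-90002": [{"host": "fin-db-01", "function": "financial"},
                       {"host": "fin-db-02", "function": "financial"}],
    "CVE-2024-90003": [{"host": "web-01", "function": "customer-facing"}],
    "CVE-2024-90004": [{"host": "lab-07", "function": "development"}],
}

# Assumed weights: how much a single affected host of each function contributes to exposure.
FUNCTION_WEIGHT = {"financial": 3.0, "customer-facing": 2.0, "development": 1.0}


def load_nvd(text):
    """Return {cve_id: {"status": vulnStatus, "cvss": base score or None}} from NVD 2.0 JSON."""
    out = {}
    for item in json.loads(text)["vulnerabilities"]:
        cve = item["cve"]
        cvss = None
        for metric in cve.get("metrics", {}).get("cvssMetricV31", []):
            cvss = metric["cvssData"]["baseScore"]
            break  # first CVSS v3.1 entry is enough for triage
        out[cve["id"]] = {"status": cve.get("vulnStatus"), "cvss": cvss}
    return out


def unenriched(nvd):
    """CVE ids that NVD has not analyzed or that lack a CVSS score."""
    return sorted(c for c, r in nvd.items() if r["status"] != "Analyzed" or r["cvss"] is None)


def load_epss(text):
    """Parse the FIRST EPSS CSV; lines starting with '#' are feed metadata, not rows."""
    rows = csv.DictReader(line for line in io.StringIO(text) if not line.startswith("#"))
    return {r["cve"]: (float(r["epss"]), float(r["percentile"])) for r in rows}


def load_kev(text):
    """Map CVE id -> remediation due date for everything on the KEV list."""
    return {v["cveID"]: v.get("dueDate") for v in json.loads(text)["vulnerabilities"]}


def prioritize(nvd, epss, kev, assets):
    """Rank CVEs by KEV, EPSS, CVSS (when known) and exposure, so a missing CVSS does not stall triage."""
    ranked = []
    for cve_id, rec in nvd.items():
        hosts = assets.get(cve_id, [])
        exposure = sum(FUNCTION_WEIGHT.get(h["function"], 1.0) for h in hosts)
        epss_score, percentile = epss.get(cve_id, (0.0, 0.0))
        cvss = rec["cvss"] if rec["cvss"] is not None else 0.0  # unenriched: no CVSS contribution
        score = (100.0 if cve_id in kev else 0.0) + 50.0 * epss_score + 2.0 * cvss + exposure
        ranked.append({"cve": cve_id, "score": round(score, 2), "kev": cve_id in kev,
                       "epss": epss_score, "epss_percentile": percentile, "cvss": rec["cvss"],
                       "hosts": len(hosts), "exposure": exposure})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    nvd_records = load_nvd(NVD_JSON)
    print("unenriched by NVD:", unenriched(nvd_records))
    for row in prioritize(nvd_records, load_epss(EPSS_CSV), load_kev(KEV_JSON), ASSETS):
        print(row)
```

With this data the order comes out as the KEV-listed CVE first, then the unenriched CVE with a very high EPSS score on the financial database hosts, ahead of the CVSS 9.8 CRITICAL on a single development box. That is the point of the enrichment: a blank CVSS field from NVD is not a reason to leave an entry at the bottom of the queue.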

 

Enriched CVE listing showing EPSS percentile, CISA KEV listing, and number of impacted hosts and applications (source: Morphisec.com)

Conclusion

The current gaps and delays in the National Vulnerability Database’s analysis data underscore the importance of proactive and adaptive vulnerability management. Morphisec’s Automated Moving Target Defense technology and virtual patching capabilities offer a comprehensive solution to address these challenges.

By leveraging AMTD’s proactive protection, organizations can defend against unpatched vulnerabilities and maintain a strong security posture even in the absence of timely NVD data. Virtual patching extends this protection to end-of-life systems and ensures compliance with industry regulations.

In an era where vulnerabilities are constantly evolving and the threat landscape is ever-expanding, Morphisec’s innovative solutions empower organizations to stay one step ahead of attackers. By adopting Morphisec’s Automated Moving Target Defense and virtual patching, organizations can proactively mitigate risks, ensure compliance, and maintain a robust security posture in the face of emerging threats.

https://blog.morphisec.com/national-vulnerability-database-defend-unpatched-vulnerabilities
