
SOC teams are familiar with the dilemma: how can they secure a seemingly infinite number of digital assets and vulnerabilities using the finite amount of security resources at their disposal? Prioritization is the answer. By directing their energies primarily at exploitable vulnerabilities - those that constitute a proven path for malicious actors to infiltrate networks and assets - organizations can close off the threats that represent a real and present danger.
What are Common Vulnerabilities and Exposures (CVEs)?
In cybersecurity’s early days, a lack of standardization gave attackers an upper hand. Different organizations used their own distinct methods to identify and name the vulnerabilities they discovered, which made it difficult to track and address them effectively. Without a common language, it was challenging to share information about threats and safeguards.
Then, in 1999, the US not-for-profit MITRE established the Common Vulnerabilities and Exposures (CVE) system. This standardized the way vulnerabilities were identified and tracked, greatly improving communication and collaboration among cybersecurity researchers and vendors. Each specific vulnerability was given a unique identifier and recorded in a public registry.
CVEs were quickly endorsed by the cybersecurity community, with various products and services opting to include CVE IDs in their security alerts. To this day, the CVE program continues to grow, with more and more organizations choosing to sign up as CVE Numbering Authorities (CNAs).
Theoretical threats versus exploitable vulnerabilities
While CVEs have proven themselves to be a significant help against a growing number of cyberattacks, organizations shouldn’t make the mistake of thinking that CVEs represent the only vulnerabilities worth considering. The CVE program is a useful knowledge base, but security teams should also consult other sources of information.
The primary reason the CVE directory shouldn’t serve as a security team's only guidepost is that many of the listed vulnerabilities cannot be exploited in the wild. Many are theoretical threats - they are potentially serious issues, but currently there is no evidence that they are being exploited by malicious actors. Fortunately, each CVE is accompanied by a CVSS (Common Vulnerability Scoring System) score that indicates how serious the vulnerability is.
What are Known Exploited Vulnerabilities (KEVs)?
Instead of focusing solely on CVEs, security teams can turn to a list of exploitable exposures that records only those vulnerabilities actively being targeted by threat actors. Unlike CVEs in general, Known Exploited Vulnerabilities (KEVs) have been confirmed as being used in real-world attacks. They are immediate threats, not potential ones.
Created by the Cybersecurity and Infrastructure Security Agency (CISA), the Known Exploited Vulnerabilities Catalog is a public registry listing all known KEVs, accompanied by detailed information, including affected software, remediation efforts, and CVE IDs. As with the CVE registry, the KEV catalog is a dynamic resource, continually being updated as new exploits are identified.
While both the CVE and KEV lists help cybersecurity professionals in identifying and tracking threats, they differ in their scope and urgency. The CVE program lists all known vulnerabilities, whatever the platform and regardless of whether they are being used in real-world exploits or not. The KEV list, on the other hand, has a narrower focus, covering just those vulnerabilities that have been exploited by hackers.
Speed is crucial when dealing with a KEV, and data shows that this is clearly understood by security personnel: the average time to patch vulnerabilities listed in the KEV catalog is 3.5 times faster than it is for non-KEV vulnerabilities. Even so, the dynamic nature of the KEV list means that once one security flaw is patched, the KEV catalog may quickly throw up another. For instance, CISA added 185 new vulnerabilities to its KEV catalog last year. The threat landscape never stands still.
Finding focus amid the noise
The sheer number of cyber threats facing businesses means that enabling security teams to focus on the vulnerabilities that really matter is key. In 2023, nearly 30,000 CVEs were added. In 2024, the figure had risen to over 40,000. New digital assets are constantly being added to corporate networks. Malicious actors are constantly looking for exploits - for assets old and new.
Because the number of threats faced by businesses is growing all the time (and shows no sign of slowing), it’s best for Security Operations Center (SOC) teams to direct their resources towards the vulnerabilities that could have an immediate business impact. A good place to start is to focus on the KEV list to see the exploitable vulnerabilities that are already being targeted in the wild.
Offensive security solutions can also provide a focus for SOC teams, but only if they are effective at identifying the risks that are likely to have a genuine business impact. Many security tools generate a large proportion of false positives, which can be a significant drain on company resources. As evidence, research indicates that security teams can spend as much as 25% of their time investigating false positives. When this is the case, security solutions don’t add focus; they just add noise.
Alongside effective security tools, vulnerability repositories, like the CVE and KEV programs, can be a great way of allowing security teams to work more efficiently. For a fully comprehensive defense, be sure to engage with both lists but remember to prioritize your remediation efforts. Only the KEV list contains exploitable vulnerabilities - those that should be patched as soon as possible.
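To make that prioritization concrete, here is an added example (not code from this article or from Hadrian) that triages a scanner's CVE findings against a KEV-style catalog: KEV entries come first, with ransomware-linked and past-due ones earliest, and everything else falls back to CVSS order. The record fields are assumed to follow the layout of CISA's public KEV JSON feed, and every CVE ID, asset name, date and score below is a constructed placeholder rather than a real entry.

```python
# Added example: prioritize scanner findings using KEV membership, then CVSS.
# The KEV record layout is assumed to mirror CISA's known_exploited_vulnerabilities.json;
# all CVE IDs, assets, dates and scores are constructed placeholders, not real data.
import json
from datetime import date

# Constructed KEV catalog excerpt (two entries, CISA-style field names assumed).
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-0000-10001", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
   "dateAdded": "2024-05-01", "dueDate": "2024-05-22", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-10002", "vendorProject": "ExampleVendor", "product": "ExampleCMS",
   "dateAdded": "2024-06-10", "dueDate": "2024-07-01", "knownRansomwareCampaignUse": "Unknown"}
]}"""

# Constructed scanner output: (CVE ID, affected asset, CVSS base score).
FINDINGS = [
    ("CVE-0000-10003", "web-01", 9.8),   # highest CVSS, but not in the KEV catalog
    ("CVE-0000-10001", "vpn-gw", 7.5),   # in KEV and linked to ransomware campaigns
    ("CVE-0000-10002", "cms-01", 6.1),   # in KEV, remediation not yet due
    ("CVE-0000-10004", "db-02", 4.3),    # neither in KEV nor high-scoring
]

def load_kev(raw):
    """Index a KEV-format JSON document by CVE ID for O(1) lookups."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}

def prioritize(findings, kev, today_iso):
    """Return findings as dicts ordered for remediation: KEV first (ransomware-linked,
    then overdue, earliest), then non-KEV findings by descending CVSS score."""
    today = date.fromisoformat(today_iso)
    rows = []
    for cve, asset, cvss in findings:
        entry = kev.get(cve)
        due = date.fromisoformat(entry["dueDate"]) if entry else None
        rows.append({
            "cve": cve, "asset": asset, "cvss": cvss,
            "kev": entry is not None,
            "ransomware": entry is not None and entry["knownRansomwareCampaignUse"] == "Known",
            "overdue": due is not None and due < today,
        })
    # False sorts before True, so negate the booleans to put KEV/ransomware/overdue first.
    rows.sort(key=lambda r: (not r["kev"], not r["ransomware"], not r["overdue"], -r["cvss"]))
    return rows

if __name__ == "__main__":
    for row in prioritize(FINDINGS, load_kev(KEV_JSON), "2024-06-15"):
        print(row)
```

Note that the CVSS 9.8 finding lands third: a critical score alone does not outrank a confirmed in-the-wild exploit, which is exactly the ordering the KEV list is meant to drive.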
SOC teams don’t have to rely solely on the KEV list for prioritization, however. Offensive cybersecurity solutions, such as Hadrian, automatically contextualize every threat, so businesses can see clearly where risks exist and how severe they are. This allows organizations to commit the right amount of resources to the exploitable vulnerabilities that could do real damage. By combining automated penetration testing with a hacker's perspective, security teams can make the most of their limited time and resources.
Keep up-to-date with exploitable vulnerabilities. Let your security team focus on having genuine impact. Block out the noise. Block the real threats targeting your corporate network.