TLDR:
- Monitoring the Known Exploited Vulnerabilities (KEV) list can help security teams prioritize patching.
- Silent changes to already-documented flaws can indicate shifts in severity.
Organizations using the KEV catalog to prioritize patching should pay attention to silent changes in the list that could signal shifts in a vulnerability’s severity. The catalog, managed by the Cybersecurity and Infrastructure Security Agency (CISA), tracks vulnerabilities known to have been exploited in the wild. While the list does not rank the severity of issues, specific changes such as shorter remediation times and updates on ransomware status can provide valuable information for security teams. Glenn Thorpe of GreyNoise Intelligence emphasizes the importance of monitoring these changes, as they can help organizations focus on critical vulnerabilities.
The KEV catalog has evolved over the years, with a surge in exploited vulnerabilities during the Russia-Ukraine conflict and changes in CISA’s policies on prioritizing vulnerabilities. Thorpe notes that large software platforms like Microsoft, Apple, Cisco, Adobe, and Google are often targeted by cyberattackers, highlighting the need for organizations to patch vulnerabilities promptly. Additionally, changes in how CISA handles KEV-catalog announcements, such as setting shorter remediation deadlines and Friday updates, can provide insights into the agency’s priorities.
Security teams should pay close attention to updates in the KEV list, especially changes to ransomware usage flags, due dates for fixing vulnerabilities, and policy changes inferred from how CISA updates the catalog. By staying vigilant and monitoring these key elements, organizations can effectively prioritize patching efforts and enhance their overall security posture.