TL;DR:
As the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) faces a backlog in processing vulnerabilities, attackers are changing tactics to exploit lesser-known vulnerabilities. The backlog is partially due to budget cuts, with 93.4% of new vulnerabilities and 50.8% of known exploited vulnerabilities still waiting on analysis. NIST has a plan to address this backlog, but security teams need to adapt their strategies to prioritize exploitability, enhance visibility, share the security burden across departments, and leverage alternative resources.
Summary:
A recent study found that the NVD is struggling to keep pace with vulnerability analysis, leaving a significant backlog of unanalyzed entries. The backlog stems from budget cuts combined with the sheer volume of reported vulnerabilities. Despite these challenges, NIST has a plan in place to clear the backlog with the help of a cybersecurity analysis contract.
However, attackers are not waiting for NIST to catch up. They are shifting their focus to vulnerabilities that are less well-known or lower in severity, because security teams often overlook these while waiting for NVD analysis. To stay ahead of attackers, security teams need to prioritize visibility, focus on exploitability rather than severity alone, share the security burden across departments, and leverage alternative resources such as the CISA Vulnrichment program and the CVE Program.
While NIST aims to eliminate the backlog by September 2024, there are no guarantees of success. Enterprises must adapt their security strategies to align with the changing tactics of attackers and prioritize high-risk threats to effectively mitigate cyber risks.