{"id":5953,"date":"2025-05-18T05:26:04","date_gmt":"2025-05-17T21:26:04","guid":{"rendered":"https:\/\/cicserver.com\/mitres-near-miss-lessons-learned-for-security-and-vulnerability-management\/"},"modified":"2025-05-18T05:26:04","modified_gmt":"2025-05-17T21:26:04","slug":"mitres-near-miss-lessons-learned-for-security-and-vulnerability-management","status":"publish","type":"post","link":"https:\/\/cicserver.com\/de\/mitres-near-miss-lessons-learned-for-security-and-vulnerability-management\/","title":{"rendered":"MITRE\u2019s near miss: Lessons learned for security and vulnerability management"},"content":{"rendered":"<p><br \/>\n<br \/><img decoding=\"async\" src=\"https:\/\/cdn.mos.cms.futurecdn.net\/VVS9D2JytWW9HqM85Pyspm.jpg\" \/><\/p>\n<div id=\"article-body\">\n<p>In April, the MITRE Corporation&#8217;s Common Vulnerabilities and Exposures (CVEs) database was <a data-analytics-id=\"inline-link\" href=\"https:\/\/www.itpro.com\/security\/confusion-and-frustration-mitre-cve-oversight-ends-federal-contract-expiry\" data-before-rewrite-localise=\"https:\/\/www.itpro.com\/security\/confusion-and-frustration-mitre-cve-oversight-ends-federal-contract-expiry\"><u>handed a last minute reprieve<\/u><\/a> amid concerns over funding from the U.S. government.<\/p>\n<p>It had been a long and stressful day, with the security industry wondering whether MITRE\u2019s database would be able to operate. 
This could have left many firms without a way to track security flaws and ensure patches are prioritized and applied to systems in a timely manner.<\/p>\n<p>The issue was so worrying that one group of experts quickly announced a new alternative to MITRE\u2019s database, the <a data-analytics-id=\"inline-link\" href=\"https:\/\/www.thecvefoundation.org\/\" target=\"_blank\" data-url=\"https:\/\/www.thecvefoundation.org\/\" referrerpolicy=\"no-referrer-when-downgrade\" data-hl-processed=\"none\"><u>CVE Foundation<\/u><\/a>. The coalition of longtime, active CVE Board members said it had spent the past year developing a strategy to transition to a dedicated, non-profit foundation.<\/p>\n<p>But before the day ended, the US <a data-analytics-id=\"inline-link\" href=\"https:\/\/www.itpro.com\/security\/what-is-cisa\" data-before-rewrite-localise=\"https:\/\/www.itpro.com\/security\/what-is-cisa\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> issued a statement saying it had, in fact, secured funding for MITRE for the following 11 months.<\/p>\n<p>Now, the agency denies that funding was ever a problem. In its <a data-analytics-id=\"inline-link\" href=\"https:\/\/www.cisa.gov\/news-events\/news\/statement-matt-hartman-cve-program\" target=\"_blank\" data-url=\"https:\/\/www.cisa.gov\/news-events\/news\/statement-matt-hartman-cve-program\" referrerpolicy=\"no-referrer-when-downgrade\" data-hl-processed=\"none\"><u>latest statement<\/u><\/a>, CISA said the MITRE database expiration was due to an issue with \u201ccontract administration\u201d rather than funding. 
CISA confirmed there was no interruption to the CVE program and said it remains committed to improving the database.<\/p>\n<p>While many firms across the world are relieved, the uncertainty has highlighted the issues with relying on a single source for referencing security flaws. So, what lessons can be learned from the near-miss and how can firms safeguard themselves for the future?<\/p>\n<h2 id=\"cve-tracking-issues-3\">CVE tracking issues <\/h2>\n<p>The CVE program is maintained by MITRE and widely adopted in all areas of cybersecurity, including tooling, research and testing, and is used by security operations centers and defensive teams. It is relied upon for sharing information on new <a data-analytics-id=\"inline-link\" href=\"https:\/\/www.itpro.com\/security\/zero-day-exploits-how-risky-are-they-for-businesses\" data-before-rewrite-localise=\"https:\/\/www.itpro.com\/security\/zero-day-exploits-how-risky-are-they-for-businesses\"><u>security vulnerabilities<\/u><\/a>, ensuring there is one source of truth for referencing a vulnerability.<\/p>\n<p>Managing vulnerabilities is complex, not least because of the volume being discovered. 
In 2024, <a data-analytics-id=\"inline-link\" href=\"https:\/\/www.cve.org\/about\/Metrics\" target=\"_blank\" data-url=\"https:\/\/www.cve.org\/about\/Metrics\" referrerpolicy=\"no-referrer-when-downgrade\" data-hl-processed=\"none\"><u>roughly 40,000 CVEs<\/u><\/a> were assigned, and it\u2019s likely that over 50,000 will be recorded in 2025.<\/p>\n<p>\u201cFor vulnerability data to be quick, comparable and actionable, the industry needs a standardized process,\u201d says Richard Werner, cyber security platform lead, Europe at Trend Micro. \u201cWithout it, we could face significant delays in the communication and dissemination of vulnerable information. Security tools such as vulnerability scanners may become less reliable, and organizations could face growing gaps in the defence of their IT systems.\u201d<\/p>\n<p>CISA\u2019s funding for the CVE program lasts just 11 months, after which it will once again be up for renewal. In the scenario that the CVE database is then lost due to lack of funding, the security industry will be \u201cslower at retaliating when attacked and worse at proactively holding the threats at bay,\u201d says Simon Jonker, director of security analytics at CSIS Security Group.<\/p>\n<h2 id=\"the-risks-of-relying-on-one-source-3\">The risks of relying on one source <\/h2>\n<p>CISA\u2019s last minute reprieve was welcome but the incident has also shown that relying on one database for vulnerability enrichment data is \u201crisky,\u201d says Sylvain Cortes, VP strategy, Hackuity. 
\u201cThe moment that one database becomes unreliable or unavailable, security teams are essentially just left with a list of unhelpful, raw CVE IDs that lack the crucial details to make them useful to defenders.\u201d<\/p>\n<p>This is a serious issue for those in charge of <a data-analytics-id=\"inline-link\" href=\"https:\/\/www.itpro.com\/security\/27713\/the-importance-and-benefits-of-effective-patch-management\" data-before-rewrite-localise=\"https:\/\/www.itpro.com\/security\/27713\/the-importance-and-benefits-of-effective-patch-management\"><u>vulnerability management<\/u><\/a> and leaves the business open to elevated cyber risk, Cortes says.<\/p>\n<p>It is a problem that funding for such a \u201ccritical and globally used standard\u201d is \u201clargely tied to one source,\u201d agrees Andy Swift, cybersecurity assurance technical director at Six Degrees. \u201cIn many ways, a single source of major funding is perhaps its biggest vulnerability in itself.\u201d<\/p>\n<p>This is a core reason for the establishment of the new CVE Foundation, with a stated goal to \u201csupport the transition of the CVE Program from a single funding stream to a diversified funding model\u201d, which \u201cneeds to exist outside of sole governmental control.\u201d<\/p>\n<p>\u201cRight now, this is exactly what is needed to remove any fragility in the current setup,\u201d Swift says.<\/p>\n<p>While this may be a good idea in theory, nothing can currently take the place of the CVE database. 
Other options such as <a data-analytics-id=\"inline-link\" href=\"https:\/\/vuldb.com\/\" target=\"_blank\" data-url=\"https:\/\/vuldb.com\/\" referrerpolicy=\"no-referrer-when-downgrade\" data-hl-processed=\"none\"><u>VulnDB<\/u><\/a> and <a data-analytics-id=\"inline-link\" href=\"https:\/\/osv.dev\/\" target=\"_blank\" data-url=\"https:\/\/osv.dev\/\" referrerpolicy=\"no-referrer-when-downgrade\" data-hl-processed=\"none\"><u>OSV<\/u><\/a> are useful, yet they are not as comprehensive as the CVE database, says Thomas Richards, infrastructure security practice director at Black Duck.<\/p>\n<p>\u201cSome are commercial and require a license, while others focus just on open source software,\u201d Swift points out. \u201cWhat makes the CVE program and MITRE unique is, it tracks all software and is open for others to use. It will be interesting to see how they build a more decentralized model.\u201d<\/p>\n<h2 id=\"safeguarding-your-business-amid-global-uncertainty-3\">Safeguarding your business amid global uncertainty <\/h2>\n<p>Global uncertainty is a matter of fact, so it\u2019s a good idea to safeguard your business for any future changes to the MITRE CVE program. With this in mind, make sure the providers you use for vulnerability management have redundancy in where they collect the information about new exploits \u2013 not relying solely on the CVE database, says Jonker.<\/p>\n<p>Cortes suggests investing in \u201ca high-quality, enriched CVE feed from a trusted provider, to ensure they have constant access to enriched analysis of vulnerabilities.\u201d<\/p>\n<p>When working with and mitigating exploits, make sure to gauge the observed active exploitation, says Jonker. 
\u201cIf they are widely-exploited by the time of mitigation \u2013 make sure to look for indicators of compromise in the infrastructure before patching. Otherwise, you might end up closing the door, with the attacker already inside.\u201d<\/p>\n<p>Businesses must implement ongoing processes to find and assess vulnerabilities, says Werner. \u201cThis is not a one-time effort; it requires continuous monitoring and adaptation. While many organizations rely on severity scores such as CVSS, they should also evaluate the real-world impact of vulnerabilities.\u201d<\/p>\n<p>Tracking active exploitation is \u201ccritical,\u201d says Werner. \u201cAnd <a data-analytics-id=\"inline-link\" href=\"https:\/\/www.itpro.com\/security\/patch-management-why-firms-ignore-vulnerabilities-at-their-own-risk\" data-before-rewrite-localise=\"https:\/\/www.itpro.com\/security\/patch-management-why-firms-ignore-vulnerabilities-at-their-own-risk\"><u>because patching<\/u><\/a> every vulnerability is rarely feasible, organizations, especially those operating in high-risk environments, should consider complementary technologies such as intrusion prevention systems to reduce exposure.\u201d<\/p>\n<p>Overarching this, experts advise keeping in regular contact with your vendors and looking out for any changes that could impact you. Vulnerability management software tends to use other sources besides CVE to supplement the data, but the loss of CVE would be \u201clike the foundation of a house disappearing,\u201d says Richards. \u201cFirms should be asking their vendors how they are reacting to the uncertainty and also keep an eye on any changes MITRE makes to make sure the CVE program continues.\u201d<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>In April, the MITRE Corporation&#8217;s Common Vulnerabilities and Exposures (CVEs) database was handed a last minute reprieve amid concerns over funding from the U.S. government. 
It had been a long and stressful day, with the security industry wondering whether MITRE\u2019s database would be able to operate. This could have left many firms without a way [&hellip;]<\/p>","protected":false},"author":3,"featured_media":5954,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","footnotes":""},"categories":[1],"tags":[],"class_list":{"0":"post-5953","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-blog"},"_links":{"self":[{"href":"https:\/\/cicserver.com\/de\/wp-json\/wp\/v2\/posts\/5953","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cicserver.com\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cicserver.com\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cicserver.com\/de\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/cicserver.com\/de\/wp-json\/wp\/v2\/comments?post=5953"}],"version-history":[{"count":0,"href":"https:\/\/cicserver.com\/de\/wp-json\/wp\/v2\/posts\/5953\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cicserver.com\/de\/wp-json\/wp\/v2\/media\/5954"}],"wp:attachment":[{"href":"https:\/\/cicserver.com\/de\/wp-json\/wp\/v2\/media?parent=5953"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cicserver.com\/de\/wp-json\/wp\/v2\/categories?post=5953"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cicserver.com\/de\/wp-json\/wp\/v2\/tags?post=5953"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}