In the ever-evolving world of cybersecurity, quantifying risks and threats remains one of the biggest challenges for organizations. A recent thread by Jeremiah Grossman, a respected figure in the field, sheds light on the intersection of Common Vulnerabilities and Exposures (CVEs), Known Exploited Vulnerabilities (KEVs), and the data-driven decisions made by cyber insurance carriers. This blog unpacks the insights shared and explores their broader implications for cybersecurity.
The Numbers Behind CVEs and KEVs
Grossman cites striking figures: more than 240,830 CVEs have been published, yet only 1,218 of them appear in the Known Exploited Vulnerabilities (KEV) catalog maintained by the Cybersecurity and Infrastructure Security Agency (CISA). That is roughly 0.5% of all CVEs with confirmed evidence of exploitation in the wild. Because KEV only records exploitation CISA has reliable evidence of, the true figure is somewhat higher, but the order of magnitude stands: the gap between vulnerabilities that exist on paper and those attackers actually use is enormous.
Even among CVEs with a CVSS score of 9.0 or higher, Grossman notes, only 2.37% appear on the KEV list. Severity alone is therefore a poor predictor of exploitation: a critical score describes how bad a flaw would be if used, not how likely it is to be used. Not all vulnerabilities demand the same level of attention, and organizations must focus on the ones attackers are actually exploiting rather than treating every "critical" the same.
Cyber Insurance Claims: A Data-Driven Perspective
Grossman’s discussions with cyber insurance carriers revealed another fascinating insight: fewer than 200 CVEs per year are associated with insurance claims. The overlap between KEVs and these claim-related CVEs is described as “not huge,” suggesting that even among known exploited vulnerabilities, not all lead to financial or operational damage significant enough to warrant an insurance claim.
This data-driven approach is critical for cyber insurers, who must refine their models to assess risk accurately. As Grossman points out, many carriers struggle with root cause analysis and forensics, often relying on incident response firms that deploy automated tools without delving into deeper investigation.
Implications for Organizations
- Prioritization is Key: The thread emphasizes the need for organizations to focus on vulnerabilities that are actually being exploited, not merely those with high severity scores. The Exploit Prediction Scoring System (EPSS), maintained by FIRST, estimates the probability that a CVE will be exploited in the wild within the next 30 days; combined with KEV membership and knowledge of which assets are exposed, it lets security teams spend patching effort where it reduces real risk.
- Understanding KEVs: The KEV catalog, introduced by CISA in 2021, serves as a valuable resource. However, it is deliberately narrow: an entry requires a CVE ID, reliable evidence of active exploitation, and a clear remediation action, so the catalog records what CISA can confirm rather than everything that has ever been exploited. Organizations should treat it as a floor for prioritization, not the sole source.
- Role of Cyber Insurance: Cyber insurance is becoming increasingly sophisticated, with policies tailored to address specific risks. However, organizations must ensure they are implementing robust security practices, as insurers are scrutinizing claims more closely and evolving their underwriting criteria.
- Beyond CVEs: Many incidents stem from misconfigurations, phishing, and social engineering rather than software vulnerabilities. This highlights the need for comprehensive security strategies that go beyond patch management.
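The prioritization the list above describes can be made concrete. The following Python script is an added example, not code from the original post or from Jeremiah Grossman: it loads a KEV excerpt and an EPSS excerpt, joins them with an inventory of CVSS scores, and ranks the result KEV first, then EPSS, then CVSS. Both JSON snippets are constructed, with hypothetical CVE IDs (CVE-0000-*), but follow the field names of CISA's known_exploited_vulnerabilities.json feed ("vulnerabilities" / "cveID") and the FIRST EPSS API response ("data" / "cve" / "epss", scores serialized as strings). The 0.1 EPSS threshold is an arbitrary assumption for the example; the right cutoff is an organizational choice.

```python
"""Rank CVEs by KEV membership, EPSS probability and CVSS severity.

Added example (not from the original post). The feeds below are constructed
excerpts with hypothetical CVE IDs that mimic the real KEV and EPSS formats.
"""
import json
from dataclasses import dataclass

# Constructed excerpt in the shape of CISA's KEV JSON feed (hypothetical IDs).
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-0000-0002", "dateAdded": "2024-01-10", "requiredAction": "Apply updates"},
  {"cveID": "CVE-0000-0003", "dateAdded": "2024-03-02", "requiredAction": "Apply updates"}
]}"""

# Constructed excerpt in the shape of the EPSS API response (scores are strings).
# CVE-0000-0006 is deliberately absent to exercise the missing-score path.
EPSS_JSON = """{"data": [
  {"cve": "CVE-0000-0001", "epss": "0.020", "percentile": "0.80"},
  {"cve": "CVE-0000-0002", "epss": "0.910", "percentile": "0.99"},
  {"cve": "CVE-0000-0003", "epss": "0.450", "percentile": "0.97"},
  {"cve": "CVE-0000-0004", "epss": "0.600", "percentile": "0.98"},
  {"cve": "CVE-0000-0005", "epss": "0.010", "percentile": "0.70"}
]}"""

# Constructed asset inventory: CVE -> CVSS base score (hypothetical values).
INVENTORY_CVSS = {
    "CVE-0000-0001": 9.8,
    "CVE-0000-0002": 7.5,
    "CVE-0000-0003": 9.1,
    "CVE-0000-0004": 5.3,
    "CVE-0000-0005": 9.9,
    "CVE-0000-0006": 6.5,
}


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float   # CVSS base score, 0-10
    epss: float   # probability of exploitation in the next 30 days, 0-1
    in_kev: bool  # listed in CISA's KEV catalog


def load_kev_ids(text):
    """Set of CVE IDs from a KEV-format JSON document."""
    return {entry["cveID"] for entry in json.loads(text)["vulnerabilities"]}


def load_epss(text):
    """CVE -> EPSS probability from an EPSS-API-format JSON document."""
    return {row["cve"]: float(row["epss"]) for row in json.loads(text)["data"]}


def build_vulns(cvss_by_cve, kev_ids, epss_by_cve):
    """Join the three sources. A CVE missing from EPSS gets 0.0 rather than
    being dropped, so it is still ranked by KEV membership and CVSS."""
    return [Vuln(cve, cvss, epss_by_cve.get(cve, 0.0), cve in kev_ids)
            for cve, cvss in cvss_by_cve.items()]


def triage_tier(v, epss_threshold=0.1):
    """P1: confirmed exploited (KEV). P2: likely to be exploited (EPSS).
    P3: critical severity but no exploitation signal. P4: everything else."""
    if v.in_kev:
        return "P1"
    if v.epss >= epss_threshold:
        return "P2"
    if v.cvss >= 9.0:
        return "P3"
    return "P4"


def prioritize(vulns, epss_threshold=0.1):
    """Order by tier, then by descending EPSS, then by descending CVSS."""
    return sorted(vulns, key=lambda v: (triage_tier(v, epss_threshold), -v.epss, -v.cvss))


def kev_share(vulns, min_cvss=9.0):
    """Fraction of CVEs at or above min_cvss that are in KEV (the kind of
    overlap the thread quotes as 2.37% for CVSS >= 9.0)."""
    critical = [v for v in vulns if v.cvss >= min_cvss]
    if not critical:
        return 0.0
    return sum(v.in_kev for v in critical) / len(critical)


def triage_sample():
    """Run the full pipeline over the constructed feeds."""
    vulns = build_vulns(INVENTORY_CVSS, load_kev_ids(KEV_JSON), load_epss(EPSS_JSON))
    return prioritize(vulns)


if __name__ == "__main__":
    ranked = triage_sample()
    for v in ranked:
        print(f"{triage_tier(v)} {v.cve} cvss={v.cvss} epss={v.epss:.3f} kev={v.in_kev}")
    print(f"share of CVSS>=9.0 in KEV: {kev_share(ranked):.1%}")
```

Note that the two CVSS 9.8 and 9.9 entries, which a severity-only policy would patch first, land in P3 behind a CVSS 5.3 flaw with a high EPSS score; that reordering is the whole point of the thread.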
Conclusion
Jeremiah Grossman’s thread provides a valuable lens through which to view the complex interplay between vulnerabilities, exploitability, and financial risk. For security professionals, the key takeaway is clear: focus on the vulnerabilities that matter most, leverage tools like KEV and EPSS for guidance, and adopt a holistic approach to cybersecurity that addresses both technical and human factors.
As the cybersecurity landscape continues to evolve, staying informed and agile is essential. By aligning efforts with data-driven insights, organizations can better navigate the challenges of protecting their digital assets.
— Afonso Infante