NVD Revamps Operations to Tackle Growing Backlog of Vulnerabilities


The National Vulnerability Database (NVD) team at the US National Institute of Standards and Technology (NIST) has faced significant operational challenges over the past year. Periods of internal disruption, coupled with an overwhelming surge in reported vulnerabilities, have created a substantial backlog, stressing NVD’s capacity to manage and process vulnerability data efficiently. Although staffing issues have been addressed, the backlog remains a growing concern. NVD leaders Tanya Brewer and Matthew Scholl shared valuable insights into the current state and future direction of the NVD’s operations during their presentation at VulnCon, a conference dedicated to vulnerability management.

Overcoming Operational Challenges

Internal Stabilization

The NVD’s operations were significantly disrupted early in the year when a crucial supporting contract ended prematurely. Vulnerability processing was temporarily suspended, and activity dropped noticeably from March to May. To recover, the NVD extended a commercial contract with an external consultancy, recruited and onboarded a new team, and had processing capabilities restored by August. The new team reached productivity levels comparable to pre-disruption rates, which was vital for returning to normal processing activities.

Despite this stabilization, the NVD encountered an unprecedented surge in submissions, driven in part by the growing number of CVE records being published. The escalating submission rates stretched the NVD’s resources thin and demanded strategic adjustments to manage the influx of new reports. Brewer and Scholl acknowledged the need to improve operational protocols and continue training so that new personnel could handle the increasing workload, with the emphasis on maintaining high productivity while gaining efficiency to avoid future backlogs and ensure timely processing of vulnerabilities.

Surge in Vulnerability Reporting

The growth in reported vulnerabilities has been remarkable. The number of unprocessed CVEs rose from 17,000 in August to 25,000 by March of the following year, underscoring the pressing need for strategic adjustments. Brewer noted that although operational capacity has recovered, the inflow of submissions still significantly outpaces current processing rates, so the backlog keeps growing.

To cope with this influx, the NVD has adopted various strategies, primarily revolving around automation and improved data management practices. Brewer and Scholl emphasized that the pressing needs have made it critical to integrate advanced technologies to streamline operations. The surge has compelled the team to refine prioritization tactics, focusing resources on newer vulnerabilities to optimize processing efficiency. By enhancing operational protocols and prioritizing certain CVEs, the NVD aims to gradually mitigate the backlog, ensuring a structured and efficient approach to vulnerability management.

Embracing Technology

Automation and AI Integration

In response to the overwhelming backlog of reported vulnerabilities, the NVD is increasingly focusing on automation and AI-powered tools as pivotal elements of its strategy. Brewer and Scholl outlined the significant role that machine learning algorithms play in streamlining data analysis and management tasks. By leveraging these technologies, the NVD can substantially reduce manual workload and enhance overall processing efficiency. These AI-powered methods are especially adept at handling routine data processing tasks, allowing human resources to concentrate on more intricate aspects of vulnerability analysis.

One particular area of interest is the development of automated processes for generating Common Platform Enumeration (CPE) data. Chris Turner from the NVD team has been instrumental in advancing these tools, and his efforts are aimed at alleviating the burden of manual CPE data administration. CPE data is vital for identifying and describing IT products, ranging from software applications to operating systems and hardware, making efficient handling critical for accuracy and effectiveness. Integration of machine learning into these processes promises significant gains in efficiency and accuracy, addressing a core aspect of the NVD’s operational challenges.
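To make the CPE format concrete, here is an added example (not NVD’s tooling and not code from the presentation) that parses CPE 2.3 formatted strings and checks an installed product against an NVD-style cpeMatch entry with version bounds. The cpeMatch sample is constructed, and the dotted-version comparison is an assumption that does not cover every vendor versioning scheme.

```python
"""Parse CPE 2.3 formatted strings and match an installed product against an
NVD-style cpeMatch entry (criteria plus version bounds).
Added example; not NVD code."""
import re

# Component order in a CPE 2.3 formatted string after the "cpe:2.3" prefix
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def split_cpe23(fs: str) -> list:
    """Split on ':' but keep backslash-escaped characters (e.g. '\\:' inside a vendor name)."""
    out, cur, i = [], [], 0
    while i < len(fs):
        if fs[i] == "\\" and i + 1 < len(fs):
            cur.append(fs[i:i + 2])
            i += 2
            continue
        if fs[i] == ":":
            out.append("".join(cur))
            cur = []
        else:
            cur.append(fs[i])
        i += 1
    out.append("".join(cur))
    return out


def parse_cpe23(fs: str) -> dict:
    """Return the 11 named components; reject anything that is not a CPE 2.3 string."""
    parts = split_cpe23(fs)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {fs!r}")
    return dict(zip(CPE_FIELDS, parts[2:]))


def version_key(v: str) -> tuple:
    """Comparable key: numeric segments compare as ints, other segments as strings.
    Assumption: dotted/hyphenated versions; vendor-specific schemes may need more."""
    return tuple((0, int(s)) if s.isdigit() else (1, s) for s in re.split(r"[.\-]", v))


def cpe_match(installed: str, entry: dict) -> bool:
    """True if 'installed' falls inside the NVD cpeMatch 'entry'.
    Assumption: only the full wildcard '*' is honoured in criteria components."""
    inst, crit = parse_cpe23(installed), parse_cpe23(entry["criteria"])
    for f in CPE_FIELDS:
        if crit[f] != "*" and crit[f].lower() != inst[f].lower():
            return False
    if inst["version"] in ("*", "-"):
        # Unknown installed version: a range cannot exclude it, so flag for review
        return True
    v = version_key(inst["version"])
    lo_inc, lo_exc = entry.get("versionStartIncluding"), entry.get("versionStartExcluding")
    hi_inc, hi_exc = entry.get("versionEndIncluding"), entry.get("versionEndExcluding")
    if lo_inc and v < version_key(lo_inc):
        return False
    if lo_exc and v <= version_key(lo_exc):
        return False
    if hi_inc and v > version_key(hi_inc):
        return False
    if hi_exc and v >= version_key(hi_exc):
        return False
    return True


# Constructed sample mirroring the NVD API 2.0 cpeMatch shape (not a real CVE configuration)
SAMPLE_MATCH = {"vulnerable": True,
                "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "3.0.0",
                "versionEndExcluding": "3.0.7"}

if __name__ == "__main__":
    for ver in ("3.0.5", "3.0.7", "1.1.1q"):
        cpe = f"cpe:2.3:a:openssl:openssl:{ver}:*:*:*:*:*:*:*"
        print(ver, cpe_match(cpe, SAMPLE_MATCH))
```

The escaped-colon handling matters in practice: CPE names containing `:` (and other special characters) are backslash-escaped in the formatted string, and a naive `split(":")` silently shifts every later component.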

Specific Technological Initiatives

In another technological endeavor, Brewer and Scholl described ongoing efforts to automate the processing of Linux kernel CVE data. Because these entries are formatted in a structured and consistent way, automation can significantly improve processing efficiency. The NVD is also using AI to select the pertinent Common Weakness Enumeration (CWE) entries and to propose Common Vulnerability Scoring System (CVSS) severity scores, streamlining two of the enrichment tasks that otherwise consume analyst time. Under Chris Turner’s leadership, work on automating vulnerability management processes continues, aiming for substantially improved efficiency and streamlined workflows. Brewer emphasized that keeping pace with the fast-evolving cybersecurity landscape requires continuous investment in such technology if the NVD is to remain at the forefront of vulnerability management.

Strategic Adjustments

Prioritizing Newer Vulnerabilities

In response to resource constraints and an escalating backlog, the NVD has strategically shifted focus to more recent CVEs, deferring the enrichment of vulnerabilities reported before 2018 unless critical updates are necessary. This prioritization strategy is designed to optimize resource allocation and improve overall processing efficiency. Brewer pointed out that concentrating efforts on newer CVEs tends to yield more relevant and impactful results, considering the swift evolution of IT products and emerging threats.

This policy shift represents a significant adjustment in the NVD’s operations, marking a departure from the previously uniform approach to vulnerability management. By allocating resources to address more recent vulnerabilities, the NVD aims to not only mitigate the current backlog but also establish a proactive stance towards future submissions. Matthew Scholl highlighted that this strategic prioritization is expected to streamline workflows, ensuring that the most pressing vulnerabilities receive prompt attention, thereby enhancing overall efficacy and response times.

Temporary Gap-filling Strategy

Faced with the need for expedient processing, the NVD has adopted a temporary gap-filling strategy for post-2018 CVEs: enrichment data supplied by CVE Numbering Authorities (CNAs), such as CVSS scores and CWE assignments, is given priority rather than waiting for NVD’s own analysis. This approach accelerates the processing pipeline by using third-party data that is already available. While labeled as a temporary measure, Brewer acknowledged that it might become permanent, contingent on the reliability and completeness of CNA-provided records.

This gap-filling strategy marks another significant operational shift, highlighting the importance of leveraging external resources to optimize efficiency. By relying on enriched data from CNAs, the NVD hopes to address the backlog more effectively, ensuring that newer submissions are processed with improved speed and accuracy. Scholl indicated that this approach aligns with broader efforts to enhance operational capacity, emphasizing the potential for collaboration with external entities to support comprehensive vulnerability management.

Community Engagement

Informal Channels Over Consortium

While the NVD had previously explored creating a formal consortium through a Cooperative Research and Development Agreement (CRADA), this effort was ultimately abandoned due to administrative burdens. Instead, Brewer and Scholl emphasize the importance of sustaining informal yet impactful interactions with the vulnerability management community and the private sector. They recognize that maintaining informal and adaptable channels of communication is crucial for keeping pace with the dynamic landscape of vulnerability reporting.

The decision to forgo a formal consortium in favor of informal interaction underscores the value of flexible and direct community engagement. Brewer highlighted that informal channels allow for more agile and responsive communication, fostering deeper connections with industry professionals and enabling ongoing collaboration. These interactions are essential to address the growing backlog and enhance the NVD’s functions, ensuring effective vulnerability management through collective efforts and shared knowledge.

Calls for Enhanced Transparency

Despite these efforts to engage with the community, some experts have voiced concerns about the transparency and frequency of communication from the NVD. Criticisms have highlighted a perceived missed opportunity to engage more deeply with the community during short conference sessions, suggesting a need for more extensive, accessible communication channels. Brewer and Scholl acknowledged the importance of transparency and committed to improving the frequency and depth of their communication with the community.

This call for enhanced transparency reflects a broader consensus on the need for greater openness in the NVD’s operations. By fostering more accessible communication channels, the NVD can facilitate deeper engagement with the community, addressing concerns and ensuring that stakeholders are well-informed. Brewer emphasized that ongoing efforts to enhance transparency are vital for building trust and collaboration, supporting the broader goals of comprehensive and effective vulnerability management.

Diversifying Data Sources

Recommendations from Security Experts

In light of the backlog and processing challenges at the NVD, security experts recommend diversifying vulnerability data sources. This approach involves leveraging multiple platforms such as CVE.org, vendor advisories, and repositories like ExploitDB. Diversifying data sources can enrich vulnerability knowledge and address potential gaps in the NVD’s data, ensuring a more comprehensive understanding of the security landscape.

Matthew Scholl supports the idea of a diversified approach, highlighting the benefits of different entities contributing valuable data. This stance aligns with ongoing efforts to tackle the increasing volume of reported vulnerabilities and adapt effectively to evolving cybersecurity threats. Brewer emphasized that contributions from various platforms and entities are crucial for enhancing the NVD’s capabilities, enabling a more robust and enriched vulnerability management process.
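A concrete form of the gap-filling strategy and the source diversification described in the two sections above, as an added example that is not NVD’s own code: given the `cve` object returned by the NVD API 2.0 and, optionally, the CVE Program JSON 5.x record for the same ID from CVE.org, pick the most authoritative CVSS and CWE available and record where it came from. The record shapes follow the published NVD API 2.0 and CVE JSON 5.x schemas; the sample records and the placeholder CVE ID are constructed, and the origin ranking (NVD analysis first, then CNA data carried in the NVD record, then the CVE record’s cna and adp containers) is this example’s assumption, not NVD policy.

```python
"""Resolve the best available severity and CWE for a CVE, preferring NVD
enrichment and falling back to CNA/ADP data when the NVD record is
"Awaiting Analysis" or "Deferred". Added example; not NVD code."""
from typing import Optional

NVD_SOURCE = "nvd@nist.gov"   # source string NVD puts on its own metrics
# vulnStatus values for which no NVD-supplied enrichment should be expected
UNENRICHED = {"Received", "Awaiting Analysis", "Undergoing Analysis", "Deferred"}
# Assumed preference order; anything else (e.g. "adp:...") sorts last
RANK = {"nvd": 0, "cna-via-nvd": 1, "cna": 2}


def _metric(source, score, severity, vector, origin) -> dict:
    return {"source": source, "score": score, "severity": severity,
            "vector": vector, "origin": origin}


def nvd_metrics(cve: dict) -> list:
    """Flatten CVSS v4.0/v3.x entries of an NVD API 2.0 'cve' object."""
    out = []
    for key in ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30"):
        for e in cve.get("metrics", {}).get(key, []):
            d = e["cvssData"]
            origin = "nvd" if e.get("source") == NVD_SOURCE else "cna-via-nvd"
            out.append(_metric(e.get("source"), d["baseScore"], d.get("baseSeverity"),
                               d.get("vectorString"), origin))
    return out


def cve_record_metrics(record: dict) -> list:
    """Flatten CVSS entries of a CVE JSON 5.x record: cna container, then adp containers."""
    out = []
    containers = record.get("containers", {})
    blocks = [(containers.get("cna", {}), "cna")]
    blocks += [(a, "adp:" + a.get("providerMetadata", {}).get("shortName", "unknown"))
               for a in containers.get("adp", [])]
    for c, origin in blocks:
        src = c.get("providerMetadata", {}).get("shortName")
        for m in c.get("metrics", []):
            for key in ("cvssV4_0", "cvssV3_1", "cvssV3_0"):
                if key in m:
                    d = m[key]
                    out.append(_metric(src, d["baseScore"], d.get("baseSeverity"),
                                       d.get("vectorString"), origin))
    return out


def cwes(cve: dict, record: Optional[dict]) -> list:
    """CWE ids from NVD 'weaknesses' first, else from the CVE record's problemTypes."""
    ids = []
    for w in cve.get("weaknesses", []):
        ids += [d["value"] for d in w.get("description", []) if d["value"].startswith("CWE-")]
    if not ids and record:
        cna = record.get("containers", {}).get("cna", {})
        for pt in cna.get("problemTypes", []):
            ids += [d["cweId"] for d in pt.get("descriptions", []) if "cweId" in d]
    return ids


def resolve(nvd_cve: dict, record: Optional[dict] = None) -> dict:
    """Return the metric to act on plus its origin, so downstream tooling can
    tell an NVD-analysed score from a CNA self-assessment."""
    status = nvd_cve.get("vulnStatus", "unknown")
    cands = nvd_metrics(nvd_cve) + (cve_record_metrics(record) if record else [])
    cands.sort(key=lambda m: RANK.get(m["origin"], 3))   # stable: v4.0 before v3.x within an origin
    best = cands[0] if cands else None
    return {"id": nvd_cve["id"], "vulnStatus": status,
            "nvd_enriched": status not in UNENRICHED and best is not None and best["origin"] == "nvd",
            "metric": best, "cwes": cwes(nvd_cve, record)}


# Constructed sample: a deferred NVD record carrying only a CNA-supplied CVSS,
# and the matching CVE Program record. Placeholder ID, not a real CVE.
SAMPLE_NVD = {"id": "CVE-0000-0001", "vulnStatus": "Deferred",
              "metrics": {"cvssMetricV31": [
                  {"source": "security@example.org", "type": "Secondary",
                   "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH",
                                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}]}}
SAMPLE_RECORD = {"cveMetadata": {"cveId": "CVE-0000-0001", "state": "PUBLISHED"},
                 "containers": {"cna": {
                     "providerMetadata": {"shortName": "example"},
                     "problemTypes": [{"descriptions": [
                         {"lang": "en", "type": "CWE", "cweId": "CWE-200",
                          "description": "CWE-200 Exposure of Sensitive Information"}]}]}}}

if __name__ == "__main__":
    print(resolve(SAMPLE_NVD, SAMPLE_RECORD))
```

Keeping the `origin` field in whatever you store downstream is the point: once CNA-supplied scores are accepted in place of NVD analysis, a scanner or SLA policy that treats every score as NVD-vetted will silently change its meaning.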

Strategic Alignments

Aligning with the recommendations from security experts, Brewer and Scholl outlined the strategic importance of diversifying data sources. By adopting a diversified approach, the NVD aims to mitigate challenges associated with the backlog and enhance operational capacity. Scholl highlighted the benefits of collaborative efforts, emphasizing that contributions from different data platforms bolster the security community’s understanding and management of vulnerabilities.

This strategic alignment underscores the NVD’s commitment to innovation and adaptation in vulnerability management. By embracing diverse data sources, the NVD can effectively address the growing influx of reported vulnerabilities, ensuring timely and accurate processing. Brewer emphasized that continuous collaboration with industry professionals and leveraging external data sources are pivotal for sustaining the NVD’s functions and enhancing overall efficacy.

Conclusion

The National Vulnerability Database (NVD) team at NIST has spent the past year recovering from internal disruption while absorbing a sharp increase in reported vulnerabilities, and the resulting backlog continues to grow even though staffing has been restored. At VulnCon, Tanya Brewer and Matthew Scholl laid out the response: automation and AI-assisted tooling for CPE, CWE and CVSS work, prioritization of newer CVEs over pre-2018 records, acceptance of CNA-supplied enrichment data, informal engagement with the community in place of a formal consortium, and diversification of data sources. They also committed to communicating with the community more often and more openly. As the NVD prepares for the future, its leaders remain committed to working through the backlog and keeping the database an essential tool for cybersecurity.
