The National Vulnerability Database (NVD) team at the US National Institute of Standards and Technology (NIST) has faced significant operational challenges over the past year. Periods of internal disruption, coupled with an overwhelming surge in reported vulnerabilities, have created a substantial backlog, stressing NVD’s capacity to manage and process vulnerability data efficiently. Although staffing issues have been addressed, the backlog remains a growing concern. NVD leaders Tanya Brewer and Matthew Scholl shared valuable insights into the current state and future direction of the NVD’s operations during their presentation at VulnCon, a conference dedicated to vulnerability management.
Overcoming Operational Challenges
Internal Stabilization
The NVD’s operations had been significantly disrupted due to the early termination of a crucial supporting contract early this year. This abrupt end led to a temporary suspension in the processing of vulnerabilities, causing a notable decline in activity from March to May. Facing these challenges head-on, the NVD extended a commercial contract with an external consultancy to recover its operational momentum. Through these efforts, the NVD successfully recruited and onboarded a new team, restoring processing capabilities by August. Achieving productivity levels reminiscent of pre-disruption rates, the new team was instrumental in regaining operational stability, which was vital for returning to normal processing activities.
Despite this stabilization, the NVD encountered an unprecedented surge in vulnerability submissions. This surge was partly fueled by an increase in the publication of Common Vulnerabilities and Exposures (CVEs). The escalating submission rates stretched the NVD’s resources thin, demanding strategic adjustments to manage the influx of new reports. Brewer and Scholl acknowledged the need to enhance operational protocols and continue training initiatives, ensuring that new personnel were well-equipped to handle the increasing workload. The emphasis was placed on maintaining high productivity while striving for efficiency to avoid future backlogs and ensure timely processing of vulnerabilities.
Surge in Vulnerability Reporting
The surge in reported vulnerabilities has been remarkable, reflecting the dynamic and continually evolving cybersecurity landscape. The number of unprocessed CVEs dramatically escalated from 17,000 in August to 25,000 by March of the following year, underscoring the pressing need for strategic adjustments. Brewer highlighted that despite recovery in operational capacity, the submission inflow significantly outpaced the current processing rates, fueling the growing backlog.
To cope with this influx, the NVD has adopted various strategies, primarily revolving around automation and improved data management practices. Brewer and Scholl emphasized that the pressing needs have made it critical to integrate advanced technologies to streamline operations. The surge has compelled the team to refine prioritization tactics, focusing resources on newer vulnerabilities to optimize processing efficiency. By enhancing operational protocols and prioritizing certain CVEs, the NVD aims to gradually mitigate the backlog, ensuring a structured and efficient approach to vulnerability management.
Embracing Technology
Automation and AI Integration
In response to the overwhelming backlog of reported vulnerabilities, the NVD is increasingly focusing on automation and AI-powered tools as pivotal elements of its strategy. Brewer and Scholl outlined the significant role that machine learning algorithms play in streamlining data analysis and management tasks. By leveraging these technologies, the NVD can substantially reduce manual workload and enhance overall processing efficiency. These AI-powered methods are especially adept at handling routine data processing tasks, allowing human resources to concentrate on more intricate aspects of vulnerability analysis.
One particular area of interest is the development of automated processes for generating Common Platform Enumeration (CPE) data. Chris Turner from the NVD team has been instrumental in advancing these tools, and his efforts are aimed at alleviating the burden of manual CPE data administration. CPE data is vital for identifying and describing IT products, ranging from software applications to operating systems and hardware, making efficient handling critical for accuracy and effectiveness. Integration of machine learning into these processes promises significant gains in efficiency and accuracy, addressing a core aspect of the NVD’s operational challenges.
Specific Technological Initiatives
In another technological endeavor, Brewer and Scholl revealed the ongoing efforts to devise automated processes specifically targeting Linux kernel CVE data. Given the structured and consistent formatting of these entries, automation can significantly enhance processing efficiency. The use of AI in selecting pertinent Common Weakness Enumeration (CWE) entries and determining the Common Vulnerability Scoring System (CVSS) severity scores also streamlines these particular tasks, marking a leap forward in operational capability and accuracy.
The integration of these advanced tools underscores the NVD’s commitment to embracing technology to resolve operational challenges. With Chris Turner’s leadership, efforts to innovate and automate vulnerability management processes continue, aiming for substantially improved efficiencies and streamlined workflows. Brewer emphasized that maintaining pace with the fast-evolving cybersecurity landscape necessitates continuous investment in technological advancements, ensuring the NVD remains at the forefront of vulnerability management.
Strategic Adjustments
Prioritizing Newer Vulnerabilities
In response to resource constraints and an escalating backlog, the NVD has strategically shifted focus to more recent CVEs, deferring the enrichment of vulnerabilities reported before 2018 unless critical updates are necessary. This prioritization strategy is designed to optimize resource allocation and improve overall processing efficiency. Brewer pointed out that concentrating efforts on newer CVEs tends to yield more relevant and impactful results, considering the swift evolution of IT products and emerging threats.
This policy shift represents a significant adjustment in the NVD’s operations, marking a departure from the previously uniform approach to vulnerability management. By allocating resources to address more recent vulnerabilities, the NVD aims to not only mitigate the current backlog but also establish a proactive stance towards future submissions. Matthew Scholl highlighted that this strategic prioritization is expected to streamline workflows, ensuring that the most pressing vulnerabilities receive prompt attention, thereby enhancing overall efficacy and response times.
Temporary Gap-filling Strategy
Faced with the need for expedient processing, the NVD has adopted a temporary gap-filling strategy for post-2018 CVEs by prioritizing enrichment data from CVE Numbering Authorities (CNAs). This approach aims to accelerate the processing pipeline, utilizing available third-party data to augment internal workflows. While labeled as a temporary measure, Brewer acknowledged that it might become a permanent strategy, contingent on the reliability and completeness of CNA-provided records.
This gap-filling strategy marks another significant operational shift, highlighting the importance of leveraging external resources to optimize efficiency. By relying on enriched data from CNAs, the NVD hopes to address the backlog more effectively, ensuring that newer submissions are processed with improved speed and accuracy. Scholl indicated that this approach aligns with broader efforts to enhance operational capacity, emphasizing the potential for collaboration with external entities to support comprehensive vulnerability management.
Community Engagement
Informal Channels Over Consortium
While the NVD had previously explored creating a formal consortium through a Cooperative Research and Development Agreement (CRADA), this effort was ultimately abandoned due to administrative burdens. Instead, Brewer and Scholl emphasize the importance of sustaining informal yet impactful interactions with the vulnerability management community and the private sector. They recognize that maintaining informal and adaptable channels of communication is crucial for keeping pace with the dynamic landscape of vulnerability reporting.
The decision to forgo a formal consortium in favor of informal interaction underscores the value of flexible and direct community engagement. Brewer highlighted that informal channels allow for more agile and responsive communication, fostering deeper connections with industry professionals and enabling ongoing collaboration. These interactions are essential to address the growing backlog and enhance the NVD’s functions, ensuring effective vulnerability management through collective efforts and shared knowledge.
Calls for Enhanced Transparency
Despite these efforts to engage with the community, some experts have voiced concerns about the transparency and frequency of communication from the NVD. Criticisms have highlighted a perceived missed opportunity to engage more deeply with the community during short conference sessions, suggesting a need for more extensive, accessible communication channels. Brewer and Scholl acknowledged the importance of transparency and committed to improving the frequency and depth of their communication with the community.
This call for enhanced transparency reflects a broader consensus on the need for greater openness in the NVD’s operations. By fostering more accessible communication channels, the NVD can facilitate deeper engagement with the community, addressing concerns and ensuring that stakeholders are well-informed. Brewer emphasized that ongoing efforts to enhance transparency are vital for building trust and collaboration, supporting the broader goals of comprehensive and effective vulnerability management.
Diversifying Data Sources
Recommendations from Security Experts
In light of the backlog and processing challenges at the NVD, security experts recommend diversifying vulnerability data sources. This approach involves leveraging multiple platforms such as CVE.org, vendor advisories, and repositories like ExploitDB. Diversifying data sources can enrich vulnerability knowledge and address potential gaps in the NVD’s data, ensuring a more comprehensive understanding of the security landscape.
Matt Scholl supports the idea of a diversified approach, highlighting the benefits of different entities contributing valuable data. This stance aligns with ongoing efforts to tackle the increasing volume of reported vulnerabilities and adapt effectively to evolving cybersecurity threats. Brewer emphasized that the contributions from various platforms and entities are crucial for enhancing the NVD’s capabilities, enabling a more robust and enriched vulnerability management process.
Strategic Alignments
Aligning with the recommendations from security experts, Brewer and Scholl outlined the strategic importance of diversifying data sources. By adopting a diversified approach, the NVD aims to mitigate challenges associated with the backlog and enhance operational capacity. Scholl highlighted the benefits of collaborative efforts, emphasizing that contributions from different data platforms bolster the security community’s understanding and management of vulnerabilities.
This strategic alignment underscores the NVD’s commitment to innovation and adaptation in vulnerability management. By embracing diverse data sources, the NVD can effectively address the growing influx of reported vulnerabilities, ensuring timely and accurate processing. Brewer emphasized that continuous collaboration with industry professionals and leveraging external data sources are pivotal for sustaining the NVD’s functions and enhancing overall efficacy.
Conclusion
The National Vulnerability Database (NVD) team at the US National Institute of Standards and Technology (NIST) has encountered substantial operational challenges over the past year. This team has grappled with periods of internal disruptions compounded by a sharp increase in reported vulnerabilities. This surge has led to a significant backlog, straining NVD’s ability to manage and process data related to these vulnerabilities efficiently.
Even though staffing issues have been addressed, the backlog continues to be a growing concern, highlighting the persistent pressure on the team. During VulnCon, a conference dedicated to vulnerability management, NVD leaders Tanya Brewer and Matthew Scholl presented valuable insights regarding the current state and future direction of NVD’s operations. They discussed the strategies being employed to overcome these challenges and improve the efficiency of the vulnerability data processing system. Their insights included details on how the NVD team plans to leverage advanced technologies and streamline processes to better handle the increasing volume of vulnerability information. Brewer and Scholl emphasized the importance of adopting innovative solutions and improving collaboration within the team to enhance data management capabilities. As NVD prepares for the future, its leaders remain committed to mitigating existing issues and ensuring that the database remains an essential tool for cybersecurity.