Mitre’s Common Vulnerabilities and Exposures (CVE) Program – which last week came close to shutting down altogether amid a wide-ranging shakeup of the United States government – has designated cyber exposure management specialist Armis as a CVE Numbering Authority (CNA).
This means it will be able to review and assign CVE identifiers to newly discovered vulnerabilities in support of the Program’s mission to identify, define and catalogue as many security issues as possible.
“We are focused on going beyond detection to provide real security – before an attack, not just after,” said Armis CTO and co-founder, Nadir Izrael. “It is our duty and goal to help raise the tide of cyber security awareness and action across all industries. This is key to effectively addressing the entire lifecycle of cyber threats and managing cyber risk exposure to keep society safe and secure.”
Mitre currently draws on the expertise of 450 CNAs around the world – nearly 250 of them in the US, but including 12 in the UK. The full list includes some of the largest tech firms in the world such as Amazon, Apple, Google, Meta and Microsoft, as well as a litany of other suppliers and government agencies and computer emergency response teams (CERTs).
All the organisations listed participate on a voluntary basis, and each has committed to having a public vulnerability disclosure policy, a public source for new disclosures, and to have agreed to the programme’s Ts&Cs.
In return, says Mitre, participants are able to demonstrate a mature attitude to vulnerabilities to their customers and to communicate value-added vulnerability information; to control the CVE release process for vulnerabilities in the scope of their participation; to assign CVE IDs without having to share information with other CNAs; and to streamline the vulnerability disclosure process.
The addition of Armis to this roster comes amid uncertainty over the Program’s wider future given how close it came to cancellation. In the wake of the incident, many in the security community have argued that a shake-up of how CVEs are managed is long overdue.
“This funding interruption underscores a crucial truth for your security strategy: CVE-based vulnerability management cannot serve as the cornerstone of effective security controls. At best, it’s a lagging indicator, underpinned by a programme with unreliable resources,” said Joe Silva, CEO of risk management specialist Spektion.
“The future of vulnerability management should focus on identifying real exploitable paths in runtime, rather than merely cataloging potential vulnerabilities. Your organisation’s risk posture should not hinge on the renewal of a government contract.
“Even though funding was provided, this further shakes confidence in the CVE system, which is a patchwork crowdsourced effort reliant on shaky government funding. The CVE programme was already not sufficiently comprehensive and timely, and now it’s also less stable.”
Open data
Meanwhile, Armis is also today expanding its vulnerability management capabilities by making its proprietary Vulnerability Intelligence Database (VID) free to all-comers.
The community-driven database, which is backed by the firm’s in-house Armis Labs unit, offers early warning services and asset intelligence, and is fed a constant stream of crowdsourced intelligence to enhance its users’ ability to prioritise emerging vulnerabilities likely to impact their vertical industries, and take action to shore up their defences before such issues are widely exploited.
“As threat actors continue to amplify the scale and sophistication of cyberattacks, a proactive approach to reducing risk is essential,” said Izrael.
“The Armis Vulnerability Intelligence Database is a critical, accessible resource built by the security community, for the security community. It translates vulnerability data into real-world impact so that businesses can adapt quickly and make more informed decisions to manage cyber threats.”
Armis said that currently, 58% of cyber attack victims only reactively respond to threats after the damage has been done, and nearly a quarter of IT decision-makers say a lack of continuous vulnerability assessment is a significant gap in their security operations, making it imperative to do more to address problems quicker.
