
3rd Anniversary with CISA KEV

CISA_KEV - This article is part of a series.
Part 8: This Article

Three years after CISA released the first batch of KEV, here is what we know:

  • The peak periods for CISA to release KEV are concentrated in five specific months.
  • The top-5 vendors and the top-5 vulnerable products remain consistent.
  • Within the KEV catalog, the top-5 vendors hold 48.83% and the top-5 vulnerable products hold 21.7% of the 1202 CVEs.

I want to take a moment to thank you for your support of the “CISA_KEV” series. After careful consideration, I have decided to stop updating this series. This decision allows me to focus on other projects and initiatives that I believe will better serve our community and my interests.

Key Takeaways

The “CISA_KEV” series has been around for 12 months. We have learned some patterns from the analysis and seen some consistencies.

Those consistencies can provide several advantages for future security planning and vulnerability management:

  1. Proactive Risk Mitigation: Knowing that certain vendors and products are consistently vulnerable allows us to prioritize patching, monitoring, and hardening efforts for those systems.

  2. Focused Security Investments: Resources can be allocated more effectively by focusing on the vendors and products that consistently show up in the KEV catalog, leading to better defense mechanisms and preparedness.

  3. Predictive Analysis: Over time, these consistencies may help predict potential vulnerabilities, allowing teams to act preemptively, reducing the window of exposure for new or emerging threats.

  4. Vendor Accountability: Persistent patterns in the KEV catalog can be used to push vendors for quicker security fixes or to encourage adoption of more secure development practices.

  5. Streamlined Incident Response: Recognizing patterns in vulnerable products simplifies incident response planning, as security teams can develop standardized procedures to handle recurring risks.

In essence, these consistencies enable more strategic, data-driven decisions in cybersecurity management, potentially improving defenses against future threats.

Although the top 5 vendors and products are consistently affected, the specific vulnerabilities may still vary, suggesting that while patterns exist, the nature of vulnerabilities is not necessarily consistent.

Updates

It has been 36 months since CISA KEV was released. Today, a total of 1202 (+43) CVEs have been added to the CISA KEV catalog.

CISA Catalog of Known Exploited Vulnerabilities [ 2024.10.24/1202 ]

As of today, a total of 1193 CVEs are overdue, with another 9 upcoming.

Highlights (within CISA KEV catalog):

  • The top-5 vendors and top-5 vulnerable products remain the same.
  • Of all the vendors (187), the top-5 vendors hold 587 (around 48.83%) of all the 1202 CVEs.
  • Of all the vulnerable products (492), the top-5 vulnerable products hold 261 (or ~21.7%) of all the 1202 CVEs.
  • The top-5 months where the distribution of KEV is higher than the mean remain the same (Mar, Apr, May, Jun, Nov).
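The highlight figures above (top-5 share, months above the mean, overdue versus upcoming) can be recomputed from the catalog's JSON feed. The following Python is an added example, not the author's own analysis code; it runs on constructed sample rows that use the feed's `vendorProject`, `product`, `dateAdded` and `dueDate` fields, and it assumes "overdue" means the due date is before the reference date.

```python
from collections import Counter
from datetime import date

# Constructed rows (vendorProject, product, dateAdded, dueDate); not real KEV entries.
ROWS = [
    ("VendorA", "OS", "2022-03-03", "2022-03-24"), ("VendorA", "OS", "2022-03-15", "2022-04-05"),
    ("VendorA", "OS", "2023-03-10", "2023-03-31"), ("VendorB", "VPN", "2022-05-11", "2022-06-01"),
    ("VendorA", "Multiple Products", "2023-05-01", "2023-05-22"),
    ("VendorA", "Multiple Products", "2024-05-20", "2024-06-10"),
    ("VendorB", "Multiple Products", "2022-11-08", "2022-11-29"),
    ("VendorB", "Browser", "2023-11-14", "2023-12-05"), ("VendorC", "Router", "2023-01-10", "2023-01-31"),
    ("VendorC", "Router", "2024-07-02", "2024-07-23"), ("VendorD", "Firewall", "2024-10-15", "2024-11-05"),
    ("VendorE", "Mail", "2024-10-21", "2024-11-11"),
]
FIELDS = ("vendorProject", "product", "dateAdded", "dueDate")  # KEV JSON field names
SAMPLE = [dict(zip(FIELDS, r)) for r in ROWS]

def top_share(entries, key, n=5):
    """Top-n values of key(entry) and the percentage of all entries they hold."""
    top = Counter(key(e) for e in entries).most_common(n)
    return top, round(100 * sum(c for _, c in top) / len(entries), 2)

def months_above_mean(entries):
    """Pool dateAdded by calendar month across all years; mean is total / 12."""
    per_month = Counter(date.fromisoformat(e["dateAdded"]).month for e in entries)
    mean = len(entries) / 12
    return mean, sorted(m for m, c in per_month.items() if c > mean)

def due_status(entries, today):
    """Assumption: 'overdue' means dueDate is strictly before the reference date."""
    overdue = sum(date.fromisoformat(e["dueDate"]) < today for e in entries)
    return overdue, len(entries) - overdue

def summarize(entries, today, n=5):
    vendors, vendor_pct = top_share(entries, lambda e: e["vendorProject"], n)
    # Qualify product by vendor: "Multiple Products" appears under several vendors.
    products, product_pct = top_share(entries, lambda e: (e["vendorProject"], e["product"]), n)
    mean, hot = months_above_mean(entries)
    overdue, upcoming = due_status(entries, today)
    return {"total": len(entries), "top_vendors": vendors, "vendor_pct": vendor_pct,
            "top_products": products, "product_pct": product_pct, "mean": mean,
            "months_above_mean": hot, "overdue": overdue, "upcoming": upcoming}

if __name__ == "__main__":
    for k, v in summarize(SAMPLE, date(2024, 10, 24), n=2).items():
        print(f"{k}: {v}")
```

To run it against the real catalog, load the feed's `vulnerabilities` array with `json.load` and pass it to `summarize` in place of `SAMPLE`.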

Current State

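CVEs by vendor:

| Microsoft | Apple | Cisco | Adobe | Google | others |
|---|---|---|---|---|---|
| 307 | 75 | 73 | 72 | 60 | 615 |

CVEs by product:

| Windows | Multiple Products (Apple) | Flash Player | Chromium V8 | Internet Explorer | others |
|---|---|---|---|---|---|
| 126 | 38 | 33 | 32 | 32 | 941 |

CVEs by month added:

mean_val=100.16666666666667

| Jan | Feb | Mar | Apr | May | Jun | Jul | Aug | Sep | Oct | Nov | Dec |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 28 | 32 | 132 | 164 | 241 | 160 | 70 | 59 | 69 | 73 | 134 | 40 |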