Identify Security Vulnerabilities
Description
Vulnerabilities in cardholder data environment (CDE) systems must be identified and ranked by severity using a vulnerability ranking process (e.g., NVD CVSS).
⚠️ Risk Impact
Without ranking, every CVE is in effect critical and nothing gets fixed first. Effective triage requires risk-based prioritization that accounts for both exploitability and exposure.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Start from the CVSS v3.1 base score and apply environmental adjustments that reflect where the vulnerable asset sits (internet-exposed vs internal-only). Apply temporal scoring: is this CVE exploited in the wild? Use the CISA Known Exploited Vulnerabilities (KEV) catalog so that actively exploited CVEs are prioritized regardless of their base score. Document the ranking methodology so that auditors and engineers can reproduce each triage decision.
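The following is an added example of the triage logic described above; it is not EchelonGraph code or the official CVSS environmental formula. It maps a CVSS v3.1 base score to the NVD qualitative rating, then adjusts it with assumed weights for internet exposure and CISA KEV membership, and ranks a set of constructed findings (placeholder CVE ids, not real CVEs) so that a KEV-listed "high" on an exposed host outranks a "critical" on an internal-only box.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Finding:
    cve: str                # placeholder id in this example, not a real CVE
    asset: str
    cvss_base: float        # CVSS v3.1 base score as reported by the scanner
    internet_exposed: bool  # environmental context from the asset inventory


# Assumed adjustment weights for this example (not from the CVSS specification).
EXPOSED_BONUS = 1.0           # internet-reachable asset
INTERNAL_ONLY_PENALTY = 2.0   # subtracted when the asset is internal-only
KEV_BONUS = 3.0               # CVE is in the CISA KEV catalog (actively exploited)

# Constructed KEV subset. In practice this comes from the JSON feed CISA publishes.
KEV_CATALOG: Set[str] = {"CVE-2024-XYZ"}

# Constructed scanner output. Ids and asset names are placeholders.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("CVE-PLACEHOLDER-1", "internal-build-server", 9.8, False),
    Finding("CVE-PLACEHOLDER-2", "internal-db", 9.1, False),
    Finding("CVE-2024-XYZ", "payment-gateway-web", 7.5, True),
    Finding("CVE-PLACEHOLDER-3", "public-marketing-site", 5.3, True),
    Finding("CVE-PLACEHOLDER-4", "internal-wiki", 3.1, False),
]


def nvd_severity(base: float) -> str:
    """NVD qualitative rating for a CVSS v3.1 base score."""
    if base == 0.0:
        return "None"
    if base < 4.0:
        return "Low"
    if base < 7.0:
        return "Medium"
    if base < 9.0:
        return "High"
    return "Critical"


def priority_score(f: Finding, kev: Set[str]) -> float:
    """Risk-based priority: base score adjusted for exposure and KEV status, clamped to 0-10."""
    score = f.cvss_base
    score += EXPOSED_BONUS if f.internet_exposed else -INTERNAL_ONLY_PENALTY
    if f.cve in kev:
        score += KEV_BONUS
    return round(max(0.0, min(10.0, score)), 1)


def triage(findings: List[Finding], kev: Set[str]) -> List[Dict]:
    """Rank findings highest priority first, keeping the rationale for the audit trail."""
    rows = [
        {
            "cve": f.cve,
            "asset": f.asset,
            "cvss": f.cvss_base,
            "severity": nvd_severity(f.cvss_base),
            "exposed": f.internet_exposed,
            "kev": f.cve in kev,
            "priority": priority_score(f, kev),
        }
        for f in findings
    ]
    # Tie-break on base score, then id, so the ordering is deterministic.
    return sorted(rows, key=lambda r: (-r["priority"], -r["cvss"], r["cve"]))


def cvss_only_order(findings: List[Finding]) -> List[str]:
    """The naive queue from the scenario: sort by base score alone."""
    return [f.cve for f in sorted(findings, key=lambda f: (-f.cvss_base, f.cve))]


if __name__ == "__main__":
    print("CVSS-only queue :", cvss_only_order(SAMPLE_FINDINGS))
    print("Risk-based queue:")
    for r in triage(SAMPLE_FINDINGS, KEV_CATALOG):
        flags = ("KEV " if r["kev"] else "    ") + ("exposed" if r["exposed"] else "internal")
        print(f'  {r["priority"]:>4}  {r["cvss"]:>4} {r["severity"]:<8} {flags:<12} {r["cve"]:<20} {r["asset"]}')
```

Running it shows the CVSS-only queue leading with the two internal-only criticals, while the risk-based queue puts the KEV-listed CVSS 7.5 on the internet-facing gateway at the top. The weights are deliberately simple; what matters for the control is that the methodology is written down and the `triage` output (score plus rationale columns) can be handed to an auditor as the triage report.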
💀 Real-World Attack Scenario
A merchant's vulnerability scanner reported 2,300 findings. The team triaged by CVSS only, not by exposure or KEV status. The breach that hit them in 2024 used CVE-2024-XYZ, which scored CVSS 7.5 (high but not critical) yet was listed in the CISA KEV catalog as actively exploited. It was buried in the queue behind "critical" findings on internal-only systems.
💰 Cost of Non-Compliance
Average cost of a vulnerability-related breach: $4.45M. Reactive vs proactive prioritization: 3-5× difference in MTTR.
📋 Audit Questions
1. Ranking methodology documented?
2. How is the CISA KEV catalog incorporated?
3. Environmental adjustments applied?
4. Show the vulnerability triage report.
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ CVSS-only triage without exploitability adjustment
- ⛔ Ignoring the CISA KEV catalog
- ⛔ No environmental scoring (internet-exposed vs internal-only)
📈 Business Value
Risk-based prioritization focuses remediation on real exposure.
⏱️ Effort Estimate
Per-CVE triage time
EchelonGraph integrates CVSS + KEV + exposure for prioritization
🔗 Cross-Framework References
Automate PCI DSS 6.3 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.