NIST's new LEV metric: How does it help companies?
The National Institute of Standards and Technology (NIST) has unveiled a new metric that promises to revolutionize the way vulnerability management is prioritized. Likely Exploited Vulnerabilities (LEV) is a ranking designed to help organizations focus their efforts on the flaws that cybercriminals are actively using to perpetrate real-world attacks.
Thousands of vulnerabilities are reported every year but only a small fraction is exploited in the wild. According to NIST's own data, organizations only manage to patch 16% of the bugs that affect them each month, while only 5% of the vulnerabilities detected are actually used maliciously. This discrepancy wastes resources and creates a false sense of security.
LEV aims to bridge this gap. By identifying which vulnerabilities are being actively exploited, companies can make more informed decisions, optimize their response and minimize their attack surface.
How to leverage LEV metrics for enterprise vulnerability management
When it comes to prioritizing vulnerabilities, this new metric can be applied in four key ways:
- To estimate how many vulnerabilities have been exploited:
For IT teams, the challenge is to prioritize and focus on patching vulnerabilities that are already being exploited by attackers. The LEV metric assists in this process by assigning a score based on evidence of active exploitation within the organization's specific environment. This information helps teams distinguish between minor vulnerabilities and those that represent a real and immediate risk, which facilitates accurate decision making.
- To check how complete KEV lists are:
Known Exploited Vulnerabilities (KEV) lists are a fundamental source that reduces vulnerability remediation times by 50%. However, they rely on public information and documented cases, so they do not always fully reflect the real exposure status of each organization. This is why it's important to complement these lists with metrics such as LEV, which make it possible to verify whether systems are really exposed to these vulnerabilities and whether they have already been patched, thus avoiding exclusive reliance on public lists for prioritization and saving time and costs.
- To identify high-risk vulnerabilities that are missing from those lists:
As official lists do not always arrive on time, some vulnerabilities are exploited before they are public knowledge, leaving companies at risk of being in the dark. LEV helps confirm which vulnerabilities are being exploited in the organization, based on behavioral signals detected in real time, such as anomalous patterns or exploitation attempts. This enables organizations to identify active threats, even if they have not yet been officially documented, and prioritize remediation before they become a breach.
- To fix blind spots in EPSS:
Risk scores such as EPSS help prioritize, but may miss already exploited vulnerabilities if they don't fit the predictive model. LEV metrics augment this approach by relying on real signals from the environment, such as exploit attempts or indicators of compromise, to detect ongoing malicious activity. This allows priorities to be adjusted based on concrete evidence, not just estimates, and reduces the risk of over-reliance on these scoring systems.
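The four uses above can be made concrete in code. The following is an added example, not code from the article or from NIST: it computes the LEV probability with the formula NIST gives in its LEV white paper (each 30-day EPSS score treated as an independent exploitation probability, the last window weighted by its length), then applies it to constructed EPSS histories with placeholder CVE ids and an invented KEV set to show the expected exploited count, KEV coverage, high-LEV gaps in KEV, and a composite score that closes EPSS blind spots.

```python
from math import prod

WINDOW_DAYS = 30  # an EPSS score is a 30-day exploitation probability

# Constructed sample data (placeholder CVE ids, invented scores): EPSS scores
# sampled every 30 days, oldest first, plus a constructed KEV membership set.
EPSS_HISTORY = {
    "CVE-XXXX-0001": [0.02, 0.05, 0.40, 0.70],  # rose sharply, not in KEV
    "CVE-XXXX-0002": [0.01, 0.01, 0.01, 0.02],  # stayed negligible
    "CVE-XXXX-0003": [0.30, 0.35, 0.33, 0.31],  # moderate throughout, in KEV
    "CVE-XXXX-0004": [0.00, 0.00, 0.10, 0.12],
}
KEV = {"CVE-XXXX-0003"}

def lev(scores, days_in_last_window=WINDOW_DAYS):
    """LEV probability for one CVE: one minus the chance that no 30-day window
    saw exploitation, treating each window's EPSS score as independent. The
    last window may be partial, so its score is scaled by days/30."""
    if not scores:
        return 0.0
    last_w = min(days_in_last_window, WINDOW_DAYS) / WINDOW_DAYS
    weights = [1.0] * (len(scores) - 1) + [last_w]
    return 1.0 - prod(1.0 - s * w for s, w in zip(scores, weights))

def expected_exploited(history):
    """Use 1: summing per-CVE probabilities gives the expected number of
    vulnerabilities that have actually been exploited."""
    return sum(lev(s) for s in history.values())

def kev_coverage(history, kev):
    """Use 2: share of the expected exploited population a KEV list captures;
    a value far below 1.0 means the list is incomplete for this population."""
    total = expected_exploited(history)
    listed = sum(lev(s) for cve, s in history.items() if cve in kev)
    return listed / total if total else 0.0

def missing_from_kev(history, kev, threshold=0.5):
    """Use 3: CVEs with high LEV that no KEV list mentions, highest first."""
    hits = [(cve, lev(s)) for cve, s in history.items()
            if cve not in kev and lev(s) >= threshold]
    return sorted(hits, key=lambda h: -h[1])

def composite(history, kev):
    """Use 4: a prioritisation score that cannot fall below what KEV or LEV
    already knows: 1.0 for KEV entries, else max(current EPSS, LEV)."""
    return {cve: 1.0 if cve in kev else max(s[-1], lev(s))
            for cve, s in history.items()}
```

On the constructed data, CVE-XXXX-0001 has a LEV of about 0.83 despite never appearing in KEV, which is exactly the kind of gap the third use is meant to surface.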
For LEV metrics to be truly useful to companies, it is essential that they provide an accurate view, capable of prioritizing real risks based on evidence of active exploitation. LEV is a significant step towards more effective vulnerability management, and its real value unfolds when integrated into a robust approach. For this management to be robust, organizations need a service that allows them to get ahead of the curve, see what is happening in their environment in real time, detect signs of active exploitation even before a vulnerability is publicly acknowledged, and patch where the risk is real. This combination of context, intelligence and automation makes it possible to turn data into concrete actions and anticipate threats accurately.