Kenna Security, San Francisco, unveiled a new research report conducted in partnership with the Cyentia Institute, Blacksburg, Va., that provides an analysis of today’s common vulnerability management strategies.
The research report, “Prioritization to Prediction: Analyzing Vulnerability Remediation Strategies,” includes insights into vulnerability lifecycles, the key factors that influence the remediation and prevention of vulnerabilities and the effectiveness of various vulnerability remediation strategies used to prioritize enterprise cybersecurity efforts.
The report analyzed five years of historical vulnerability data compiled from over 15 sources to uncover the following key findings:
- The volume and velocity of vulnerabilities is rapidly increasing. In 2017, businesses had to decide how to address an average of 40 new vulnerabilities every single day, including weekends. 2017 saw the highest number of year-over-year entries in the database, more than doubling the entries in 2016, and 2018 is trending to match or exceed those numbers.
- Most reported vulnerabilities aren’t used by hackers. Businesses need to find the needle in an ever-growing haystack, the vulnerabilities that pose the greatest risk. Out of the thousands of new vulnerabilities published every year, the vast majority (77%) never have exploits developed, and even fewer (less than 2%) are actively used in an attack.
- Speed must be a priority. The greatest number of exploits are published in the first months after a vulnerability is released, and 50% of exploits publish within two weeks of a new vulnerability, meaning that businesses realistically only have 10 working days to find and fix the riskiest vulnerabilities.
- Don’t leave remediation efforts to chance. Most current approaches to prioritizing and fixing vulnerabilities are roughly as effective or far less effective than addressing vulnerabilities at random. Researchers compared 15 different remediation strategies against a strategy of fixing vulnerabilities at random to provide a point of reference that illustrates the effectiveness of each strategy. More than half of the strategies were no more effective than chance.
- A predictive approach to vulnerability prioritization is a must. Researchers then analyzed the effectiveness of Kenna’s machine learning-based predictive model and found that it performs 2-8 times more efficiently, with equivalent or better coverage of vulnerabilities when compared against the 15 strategies assessed in the research.
“Effective remediation depends on quickly determining which vulnerabilities warrant action and which of those have highest priority, but prioritization remains one of the biggest challenges in vulnerability management,” says Karim Toubba, chief executive officer, Kenna Security. “Businesses can no longer afford to react to cyber threats, as the research shows that most common vulnerability remediation strategies are about as effective as rolling dice. But, there is hope – a predictive model based on cutting-edge data science is more efficient, requires less effort and provides better coverage of an enterprises’ attack surface.”
“Cyentia is committed to delivering data-driven research to help the practitioners and decision-makers responsible for protecting an enterprise’s assets, which average 18-24 million vulnerabilities across 60,000 assets. Partnering with leading cybersecurity industry vendors like Kenna Security to track published exploits and actively exploited vulnerabilities enables us to measure, compare and explore various prioritization methods and advance the art and science of vulnerability management,” adds Jay Jacobs, data scientist, co-founder and partner, Cyentia Institute.