Kenna Security has released the second volume of its ongoing analysis into the vulnerability landscape. The report, "Prioritization to Prediction: Getting Real About Remediation," has found that companies appear to have the resources needed to address all of their high-risk vulnerabilities.
The security firm notes that its research demonstrates that enterprises are getting smarter in how they protect themselves from threats, improving operational efficiency and resource allocation, while best managing their risk.
The research builds on Kenna Security's initial "Prioritization to Prediction: Analyzing Vulnerability Remediation Strategies" report to show that companies are increasingly recognizing that the majority of vulnerabilities are never weaponized or exploited in a cyberattack. This initial report looked at which CVE attacks were actually showing up on enterprise computer systems.
That original report found an extremely small subset of known vulnerabilities is exploited in the wild. Companies, however, did not have reliable methods to predict which vulnerabilities, when announced, were at high risk of exploitation. It made the case that most remediation strategies were about as effective as random chance. It also showed how risk-based remediation strategies driven by machine learning could make accurate predictions and increase the efficiency of security operations by reducing the amount of time spent patching low-risk vulnerabilities.
Kenna found that only about one-third of all published CVEs are actually observed in live organizational environments. By "observed" they meant that at least one instance of that CVE was detected by a vulnerability scanner, discovered by a penetration test, or otherwise actually seen in an asset managed by a particular organization. In other words, it's reality rather
than just theory.
This proportion of observed CVEs was found to vary somewhat depending on how the aperture of scope was changed. Looking across all time, they found that one-third statistic; 37k out of 108k of CVEs (34%) were observed by at least one organization.
Narrowing to the last 10 years of published CVEs pushes that ratio up a bit to just over 40%. When CVEs published since 2017 are considered, researchers found 36% of them observed within organizations.
Twenty-two percent -- or 300 plus million -- of all open vulnerabilities observed by organizations in their dataset were associated with CVEs published in 2018. Interestingly, over 75% remain open at least one year after the associated CVE was published.
This analysis was done by cybersecurity researchers from Kenna Security and Cyentia Institute. They looked at 3 billion vulnerabilities managed across more than 500 organizations and 55 sources of external intelligence. They used anonymized data from a sample of 12 enterprises that were selected to cover a range of industries, sizes, and remediation strategies.
In the new report, the researchers found that:
- Organizations have closed 70% of the critical vulnerabilities on their systems, but they still aren’t as efficient as they could be. Out of the 544 million high-risk vulnerabilities, organizations remediated 381 million, leaving 163 million open.
- The data shows that organizations remediated a total of over 2 billion vulnerabilities, indicating that enterprises have the resources to address the vulnerabilities that pose the greatest risk. Kenna says that this can be accomplished by implementing remediation strategies that prioritize resources to tackle all of the 544 million high risk vulnerabilities first, only moving on to the 2.9 billion lower risk vulnerabilities afterward.
- About one-third of all the published CVEs are ever seen in a live environment and, of those, only 5 percent have known exploits against them.
- About one-third -- 32.3% -- of vulnerabilities are remediated within 30 days of discovery. Half of all vulnerabilities aren’t patched within 90 days.
- Of the ten largest software vendors, three were responsible for 70 percent of open vulnerabilities. And one of those, Oracle, was responsible for one-third -- Java and Acrobat top the list of unpatched products. Microsoft eats the largest slice of the vulnerability pie in
2018, but has only a tiny sliver before 2015. It's hard to see anything other than Oracle among CVEs from 2012 to 2014, but that predominance lessens over time. Adobe seems to borrow a page from both, expanding and then contracting over the last year.
- One in four open vulnerabilities -- 25.7% -- within enterprise systems was identified and entered into the National Vulnerability Database before 2015.
Jay Jacobs, data scientist at Cyentia Institute, noted: "Kenna's data demonstrates a much brighter picture for enterprise security. Despite the seemingly countless number of vulnerabilities that every company faces, data-driven security can help organizations effectively manage cyber risk and improve security.
Ed Bellis, co-founder and CTO at Kenna Security, wrote in an email to Security Now:
Kenna Security analyzed the entire database of CVEs and the threats to those CVEs in the 2018 report. This 2nd edition analyzes the CVE's (vulnerabilities) being observed in our customers environments, so these vulnerabilities actually exist in those enterprises. They are not just theoretical or definitions of vulnerabilities.
Bellis added: "We recommend that all five percent be prioritized and patched first. An enterprise could further prioritize how those CVEs are remediated based on a range of threat and business factors. For example, the criticality of the systems they reside on, if the vulnerability is being actively used by hackers in the wild, whether the exploit is able to be executed remotely, if the exploit lives in production code, etc."
On trying to determine which of the vulnerabilities should be patched by an enterprise Bellis noted that "the data set is focused on "likelihood," meaning targets of opportunity and not targeted attacks. An organization should conduct threat modeling of their business to determine the latter, but all organizations need to protect themselves from targets of opportunity."
Kenna is taking a contrarian approach to the usual "patch everything" advice. The research suggests patching what affects your enterprise first, and then do the other stuff when you get to it.
— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.