Prioritization to Prediction: A Primer on the Cybersecurity Research Series
What is the Prioritization to Prediction research series?
Prioritization to Prediction (P2P) is an ongoing research series intended to help enterprises gain mission-critical insight into more effective and efficient vulnerability management (VM) practices. Kenna Security at Cisco, the pioneer of risk-based vulnerability management, teams up twice-yearly with the cybersecurity research experts at the Cyentia Institute to analyze and share their findings.
With the recent release of the eighth volume of Prioritization to Prediction, it’s helpful to take a step back and examine the entire body of research.
How did the P2P series begin?
Starting in 2018, the risk-based pioneers at Kenna Security recognized a desperate need in the vulnerability management space for real-world data and insights. With a vast amount of customer data accumulating in the Kenna.VM platform, aggregated from top companies around the world, Kenna Security partnered with researchers at the Cyentia Institute to better understand how vulnerabilities behaved in the wild and what strategies real companies employed to manage and minimize cyber risk.
At the time of this blog, a total of eight reports have been published.
Where does the data come from?
To ensure the most accurate and comprehensive findings, anonymized data is extracted from the Kenna Security platform. The data tracks billions of real-world threat instances and mitigation events across millions of assets from active Kenna customers. External sources such as various threat feeds, CVSS, NVD, MITRE, and more are also funneled into the pool of data for analysis.
This is similar to the way Kenna Security approaches VM on the whole: maximizing accuracy and context thanks to comprehensive real-world threat and vulnerability data.
Who conducts the analysis?
While P2P reports are always a team effort, there are a few key individuals leading the charge. Cyentia Institute Partners and Co-founders Wade Baker and Jay Jacobs take the raw data and begin the process of scrubbing, normalizing, organizing, and analyzing. Kenna Security at Cisco’s CTO and Co-founder Ed Bellis joins in to help with analysis, providing his extensive viewpoint and expertise.
Honorable mentions go to a handful of other Kenna Security at Cisco’s data gurus. Chief Data Scientist Michael Roytman and Director of Security Research Jerry Gamblin help extrapolate insight and organize findings that add the final touches to these reports.
Watch Ed Bellis and Jay Jacobs unpack the latest report in this recent webinar: How to Squeeze the Most Risk Reduction from Your Vulnerability Management (attendees can earn one CPE credit through ISC²).
What topics are covered in the P2P series?
Since its inception in 2018, the Prioritization to Prediction series has evaluated the effectiveness and efficiency of common remediation techniques, surfaced best practices from top remediation teams, traced the lifecycle of a vulnerability, measured attacker and defender momentum, and debunked long-standing misconceptions about publishing exploit code.
Here’s a breakdown of the report topics published to date, and select findings from each:
Volume 1 quantifies the performance of vulnerability prioritization and remediation strategies for the very first time.
From the report: 23% of published vulnerabilities have associated exploit code, and just 2% are observed to be exploited in the wild.
Volume 2 takes a close look at top-performing enterprises and how they make decisions to lower their risk profile, testing theories presented in Volume 1.
From the report: Only 5% of all CVEs are observed within organizations and known to be exploited.
Volume 3 leverages a technique called survival analysis to glean lessons about remediation velocity and capacity, and ultimately better understand the pace needed to sustain effective VM.
From the report: Across all organizations, the median time-to-remediation is 100 days. 25% of vulnerabilities remain open over a year.
Volume 4 combines survey and observational data to test how internal vulnerability management program factors affect actual remediation performance metrics.
From the report: When separate teams are responsible for finding and fixing vulnerabilities, we see increased velocity, capacity, and overall performance.
Volume 5 quantifies the comparative risk surface of using assets based on various platforms.
From the report: Windows platforms typically have almost 4X the median number of bugs that Macs have and 30X that of network appliances.
Volume 6 measures the nuanced and dynamic nature of the momentum between attackers and defenders, tracing who has the advantage and when.
From the report: Exploit code was already available for >50% of vulnerabilities (eventually exploited in the wild) by the time they were published as CVEs.
Volume 7 settles a hotly debated topic: whether releasing exploits before patches are available helps or harms defenders.
From the report: When exploit code precedes a patch, attackers gain a 98-day advantage over defenders; that is, attackers deploy the exploit against more assets than defenders can mitigate for more than three months.
Volume 8 continues the conversation around exploit code and measures the benefits of vulnerability prioritization strategies that incorporate exploit intelligence.
From the report: Prioritizing vulnerabilities with publicly available exploit code is 11X more effective than CVSS is for minimizing exploitability.
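The survival analysis that Volume 3 applies to remediation velocity is easy to misread as a plain median of closed tickets, which silently discards every vulnerability that is still open. The following is an added example, not code from the reports or from the Kenna platform: a Kaplan-Meier estimator over a constructed set of vulnerability tickets, where tickets still open at the snapshot date are right-censored (they keep contributing to the population at risk until the day they were last observed) instead of being dropped. The record layout, the ticket values and the snapshot are all assumptions made for the illustration; the medians it produces are those of the constructed data, not the figures quoted from the report.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class VulnTicket:
    """One vulnerability instance on one asset (constructed layout, not Kenna's schema)."""
    ticket_id: str
    days_open: int   # days from discovery to close, or to the snapshot date if still open
    closed: bool     # False means right-censored: still open when the snapshot was taken


# Constructed sample: eight tickets observed at a single snapshot date.
SAMPLE_TICKETS: List[VulnTicket] = [
    VulnTicket("T-001", 10, True),
    VulnTicket("T-002", 20, True),
    VulnTicket("T-003", 30, False),   # still open after 30 days
    VulnTicket("T-004", 45, True),
    VulnTicket("T-005", 90, True),
    VulnTicket("T-006", 120, False),  # still open after 120 days
    VulnTicket("T-007", 200, True),
    VulnTicket("T-008", 400, False),  # still open after 400 days
]


def kaplan_meier(tickets: List[VulnTicket]) -> List[Tuple[int, float]]:
    """Return the step curve S(t): the share of tickets still open at day t.

    At each day on which at least one ticket closed, S drops by the factor
    (1 - closed_that_day / at_risk), where at_risk counts every ticket, open
    or closed, that had survived to that day. Censored tickets therefore
    count while they are under observation and stop counting afterwards.
    """
    close_days = sorted({t.days_open for t in tickets if t.closed})
    survival = 1.0
    curve = [(0, 1.0)]
    for day in close_days:
        at_risk = sum(1 for t in tickets if t.days_open >= day)
        closed_today = sum(1 for t in tickets if t.closed and t.days_open == day)
        survival *= 1.0 - closed_today / at_risk
        curve.append((day, survival))
    return curve


def survival_at(curve: List[Tuple[int, float]], day: int) -> float:
    """S(day): the estimated fraction of tickets still open at the given day."""
    value = 1.0
    for step_day, step_value in curve:
        if step_day > day:
            break
        value = step_value
    return value


def median_time_to_remediation(curve: List[Tuple[int, float]]) -> Optional[int]:
    """First day on which half of the tickets are estimated to be closed, or None
    if the curve never reaches 0.5 (too much of the population is still open)."""
    for day, value in curve:
        if value <= 0.5:
            return day
    return None


def naive_median_of_closed(tickets: List[VulnTicket]) -> float:
    """The misleading alternative: median over closed tickets only."""
    closed = sorted(t.days_open for t in tickets if t.closed)
    mid = len(closed) // 2
    return float(closed[mid]) if len(closed) % 2 else (closed[mid - 1] + closed[mid]) / 2.0


if __name__ == "__main__":
    km = kaplan_meier(SAMPLE_TICKETS)
    print("Kaplan-Meier median time-to-remediation (days):", median_time_to_remediation(km))
    print("Estimated share still open after one year:", round(survival_at(km, 365), 3))
    print("Naive median over closed tickets only (days):", naive_median_of_closed(SAMPLE_TICKETS))
```

On the constructed tickets the naive median over closed tickets comes out lower than the Kaplan-Meier median, because the three tickets that are still open never enter the naive calculation; the censored estimate is the one that reflects the backlog a remediation team actually carries.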
Browse all key takeaways from each of the Prioritization to Prediction volumes.
How can companies use P2P cybersecurity research?
P2P research offers a wealth of rich, data-backed insights and best practices organizations can use to help inform their own vulnerability management and risk prioritization strategies. Some takeaways are high-level concepts that can aid in securing buy-in or building out an argument for VM improvements, while others are more tactical and can be shared with team members and actioned immediately.
P2P often makes a splash among industry influencers. Here is a handful of recent mentions highlighting findings from Volume 8:
- Cisco’s Kenna Security Research Shows the Relative Likelihood of an Organization Being Exploited
- Twitter Mentions More Effective Than CVSS at Reducing Exploitability
- Is Twitter the Best Tool for Vulnerability Management? Study Finds Twitter Mentions Outperform CVSS by 2x
- Need to prioritize security bug patches? Don’t forget to scan Twitter as well as use CVSS scores
See for yourself: Explore Prioritization to Prediction
Cybersecurity and vulnerability management are notoriously moving targets. Without relevant and recent data to help shape and define your strategy, you’ll fall behind and leave yourself vulnerable to an increasingly hostile threat landscape. As the Prioritization to Prediction research proves with every new volume, you can keep yourself (and your security operations) informed and agile by deploying risk-based prioritization and intel-driven prediction to reduce your business risk.
Download and explore all current volumes of the Prioritization to Prediction research series. You can also get an expert-led deep dive of each volume on Security Science, Kenna’s own cybersecurity podcast hosted by Dan Mellinger.