Don’t Leave Vulnerability Management to Chance
While there is no shortage of strategies, best practices, industry recommendations and white papers on the topic of vulnerability remediation, there is a shocking lack of quantitative research on how effective risk-based vulnerability management strategies are in practice.
As a result, prioritization remains one of the biggest challenges in vulnerability management programs, as effective remediation depends on quickly determining which vulnerabilities warrant action and which of those have the highest priority.
Looking to address this information gap (and also test the effectiveness of our predictive models), we reached out to Wade Baker and Jay Jacobs, founders of the Cyentia Institute and two of the most brilliant minds in data analytics, to partner with Kenna Security and assess the current state of vulnerability remediation and management.
Kenna Security provided half a decade’s worth of our vulnerability data encompassing millions of data points from more than a dozen sources including threat intelligence feeds, real-time exploit activity and context provided by the Kenna Security Platform.
The results of this research can be reviewed in the new report, Prioritization to Prediction: Analyzing Vulnerability Remediation Strategies. For the first time, Kenna Security and the Cyentia Institute provide a quantitative look at the effectiveness of common remediation strategies and use that data as a baseline to compare against a cutting-edge predictive model.
The full report provides deep insights into vulnerability lifecycles and the key factors that influence the remediation and prevention of vulnerabilities, and it quantifies the effectiveness of various vulnerability remediation program strategies used to prioritize enterprise cyber security efforts.
Key Findings in the Report:
The Volume and Velocity of Vulnerabilities Is Rapidly Increasing
In 2017, businesses had to decide how to address an average of 40 new vulnerabilities every single day (including weekends). Between its inception in 1999 and January 1, 2018, more than 120,000 vulnerabilities were reserved in MITRE’s Common Vulnerabilities and Exposures (CVE) database, a list of entries — each containing an identification number, a description, and at least one public reference — for publicly known cybersecurity vulnerabilities. 2017 saw the highest number of entries in the database, more than doubling the entries in 2016, and 2018 is trending to match or exceed those numbers.
Most Reported Vulnerabilities Aren’t Used by Hackers
Businesses need to find the needle in an ever-growing haystack — those vulnerabilities that pose the greatest risk. Out of the thousands of new vulnerabilities published every year, the vast majority (77 percent) never have exploits developed, and even fewer (less than two percent) are actively used in an attack. That means that today, most enterprises are wasting valuable time and resources guessing which two percent are the most dangerous and hoping the vulnerabilities they choose to address are the correct ones.
Speed Must Be a Priority
The greatest share of exploits (63 percent) is published in the first month after a vulnerability is released, and 50 percent of exploits are published within two weeks of a new vulnerability. Thirteen percent are published within a month, while only one percent of exploits emerge more than a year after the vulnerability is made public. This means that businesses realistically have only 10 working days to find and fix the bulk of vulnerabilities.
Don’t Leave Remediation Efforts to Chance
Most current approaches to prioritizing and fixing vulnerabilities are roughly as effective as, or far less effective than, addressing vulnerabilities at random. Researchers compared 15 different remediation strategies against a strategy of fixing vulnerabilities at random to provide a point of reference that illustrates the effectiveness of each strategy. More than half of the strategies were no more effective than leaving remediation to chance.
For example, the researchers evaluated a strategy of remediating vulnerabilities from the 20 enterprise software vendors with the highest number of CVEs. The 56,188 CVEs prioritized for remediation because of the vendor associated with them yielded an efficiency (i.e., precision of remediation) of 12 percent and a coverage (i.e., effectiveness of remediation) of 21 percent. Compare that against the baseline of randomly remediating 56,188 CVEs, which is nearly twice as efficient at 23 percent and delivers exactly twice the coverage at 42 percent.
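The efficiency and coverage measures above can be computed for any prioritization rule and compared with the expected result of picking the same number of vulnerabilities at random. The following is an added example, not code from the report or from Kenna Security; the records, vendor names and function names are constructed for illustration, and it scores two rules (a CVSS threshold and a single-vendor rule) rather than the report's 15 strategies.

```python
from fractions import Fraction

# Constructed sample, not real CVE data: (id, CVSS score, vendor, exploit observed)
VULNS = [
    ("v01", 9.8, "vendorA", True),  ("v02", 7.5, "vendorA", False),
    ("v03", 5.0, "vendorB", True),  ("v04", 8.1, "vendorB", False),
    ("v05", 4.3, "vendorC", False), ("v06", 9.0, "vendorC", True),
    ("v07", 6.5, "vendorA", False), ("v08", 7.2, "vendorD", False),
    ("v09", 3.1, "vendorD", False), ("v10", 8.8, "vendorA", False),
]

def evaluate(select, vulns=VULNS):
    """Score a strategy (a predicate over one record) as (efficiency, coverage, size)."""
    chosen = [v for v in vulns if select(v)]
    exploited = sum(1 for v in vulns if v[3])
    hits = sum(1 for v in chosen if v[3])
    # Efficiency = precision: share of remediated vulns that were worth fixing.
    efficiency = Fraction(hits, len(chosen)) if chosen else Fraction(0)
    # Coverage = recall: share of exploited vulns that the strategy remediated.
    coverage = Fraction(hits, exploited) if exploited else Fraction(0)
    return efficiency, coverage, len(chosen)

def random_baseline(k, vulns=VULNS):
    """Expected (efficiency, coverage) when k vulns are picked uniformly at random."""
    n = len(vulns)
    exploited = sum(1 for v in vulns if v[3])
    # Expected precision is the base rate; expected recall is the fraction sampled.
    return Fraction(exploited, n), Fraction(k, n)

def compare(name, select):
    """Score one strategy against a random pick of the same size."""
    eff, cov, k = evaluate(select)
    base_eff, base_cov = random_baseline(k)
    return {"strategy": name, "remediated": k,
            "efficiency": float(eff), "coverage": float(cov),
            "beats_random": eff > base_eff and cov > base_cov}

if __name__ == "__main__":
    for row in (compare("CVSS >= 7", lambda v: v[1] >= 7.0),
                compare("top vendor", lambda v: v[2] == "vendorA")):
        print(row)
```

On this constructed sample the vendor rule scores below the random baseline on both measures, the same pattern the report describes for the top-20-vendor strategy.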
A Predictive Approach to Vulnerability Prioritization
Researchers then analyzed the effectiveness of Kenna Security’s machine learning-based predictive model and found that it performs 2-8 times more efficiently, with equivalent or better coverage of vulnerabilities when compared against the 15 strategies assessed in the research. For example, when comparing the Kenna Security Exploit Prediction model against one of the most effective strategies of remediating vulnerabilities with a CVSS score of 7 or more, Kenna Security’s predictive model achieved:
- Twice the efficiency – 61% vs. 31%
- Half the effort – 19K vs. 37K CVEs to address
- Better coverage – 62% vs. 53%
The results of the research report are already being put to use by Kenna Security to inform the continued development of our solutions and further refinement of our predictive models to help our customers make the most efficient use of their people, tools, time and ultimately dollars to address the threats that pose the greatest risk. The above findings just begin to scratch the surface of the data included in the full report and I encourage business technology professionals to use this as a resource that helps them ensure their organizations aren’t leaving their remediation strategies to chance.