Key Take-Aways for IT from the Latest Vulnerability Management Research

Sep 24, 2020
Jason Rolleston
Chief Product Officer

Share with Your Network

In some ways, IT is in a tough spot when it comes to reducing cyber risk. IT teams are usually responsible for remediating vulnerabilities within various asset groups. But even though IT groups ultimately own assets, they often don’t have full control over which assets end up where. End-user devices, for instance, have a tendency to move around (especially lately, with the pandemic making remote work the norm), and business units push for adoption of cloud applications and services.

And yet, if there’s a vulnerability that requires patching, it’s usually on IT to locate it and patch it.  

The latest Prioritization to Prediction (P2P) report from the Cyentia Institute offers some insights that may lessen the burden for IT groups and even may help them work more efficiently and effectively.

The most recent report in the P2P series, Prioritization to Prediction, Volume 5: In Search of Assets at Risk quantifies, for the first time, the comparative risk surface of assets based on various platforms. It reflects real-world data from nearly 450 organizations that manage vulnerabilities across more than 9 million assets. With a sample that size, some interesting take-aways emerge. Though the full report is definitely worth a read, here are a few I think IT professionals might find helpful.

Microsoft shops face more vulns overall than anyone…

Windows platforms typically have 119 native and third-party vulnerabilities detected in any given month. That’s almost four times the median number of bugs in MacOS platforms, which is the next closest asset category—and it’s 30 times more than network appliances. (No, that’s not a typo.) This is significant because 87% of all PCs run Windows, according to NetMarketShare. And while many environments run multiple platforms, especially on the server end, half the firms in our dataset have an asset mix consisting of at least 85% Windows-based systems.  

…but they’re doing a better job patching them.

When comparing remediation coverage across platforms, the report shows that Windows fares better than any other platform. Microsoft platforms have the highest percentage (83%) of exploited vulnerabilities compared to other platforms (MacOS X, at 79%, runs a close second, though Mac platforms represent just 0.5% of devices in this sample). But it’s particularly impressive considering the far greater density of vulnerabilities on Windows compared to others. Credit Microsoft, whose aggressive vuln reporting and patch delivery process has set a standard that most other vendors would be wise to match.

Old, unsupported versions of Windows represent a persistent security risk—but also ready evidence for a tech refresh.

Part of the role of IT management is to make sure your organization gets the maximum return from its IT investments, and sometimes that means hanging on to aging servers and other devices for an extra year or two. Or three. Or more. But this can be problematic. This report shows that once official vendor-sponsored support for a platform ends, as it just did in January for Windows 7, it becomes much harder to manage vulns on that platform. Look at the drastic difference in vulnerability survival rates between Windows 10 and Windows Server 2016 (both still supported) and long-unsupported Windows XP and Windows Server 2003 platforms.

In terms of high-risk remediation capacity, enterprises still have work to do.

At Kenna, we write a lot about the need to focus on your highest-risk vulnerabilities because on average, most IT organizations can only fix about 1 in 10 vulnerabilities. So a “fix everything” approach is both unrealistic and inefficient. No matter what your platform mix is, it’s critical to zero in on the vulnerabilities that pose the greatest risk to your organization (based on such factors as vuln density, its prominence on mission-critical or customer-facing systems, and evidence that the vulnerability has known exploits in your type of environment). Knowing that identifying and remediating high-risk vulnerabilities is, in the end, the best route to providing useful guidance to remediation teams, the latest P2P report slices the data to show how different asset categories fare when it comes to staying ahead of new high-risk vulns. The results show that while remediation efforts are keeping up in most organizations for every platform, Windows and Mac platforms have the toughest time keeping up.

Comparison of High-Risk Remediation Capacity Across Platforms

It’s great that most platforms show overall improvement in remediating high-risk vulns. But there’s plenty of room for improvement. In fact, the report finds that overall, 33% of all organizations are falling behind in their efforts to knock out high-risk vulns. Perhaps this is why analysts agree that the future of vulnerability management risk-based. Because, frankly, it’s the only way to efficiently and effectively protect your IT environment from the inside out.

Universal remediation SLAs probably don’t make sense.

Not all asset types are the same, so it likely doesn’t make sense to bundle them all into the same vulnerability remediation service level agreement (SLA). For instance, with a monthly median of just four identified vulnerabilities per network appliance compared to 119 per Windows asset, Cisco network appliances simply should not be held to the same standard as Windows 10 PCs. This also speaks to the relative risk that network device vulnerabilities pose to the organization, suggesting that an SLA of 100 days to close a high-risk vuln on a Cisco device may be reasonable, whereas a 30-day SLA for high-risk Windows vulns may be more appropriate.  This approach is the conceptual foundation for risk-based SLAs, which is a marker of mature vulnerability management programs.

These are just a few insights pulled from the latest report in the P2P series. More of them await those IT professionals willing to dig further into real-world data that looks at vulnerability management and remediation by focusing on the assets IT is responsible for.

Download Prioritization to Prediction, Volume 5: In Search of Assets at Risk now

In Search of Assets at Risk

The fifth volume of the Prioritization to Prediction series produced in conjunction with the Cyentia Institute explores the vulnerability risk landscape by looking at how enterprises often view vulnerabilities: through the lens of common asset platforms.

Download >

Read the Latest Content

Cybersecurity Best Practices

A Vulnerability Score On Its Own Is Useless

Having some type of vulnerability score can be useful than not having one, but it’s important to understand what a useful vulnerability score looks like.
Data Science

Creating a Weather Forecast for Predicting Cybersecurity Vulnerabilities

The Exploit Prediction Scoring System (EPSS) calculator is a free open-source tool that uses public source data to predict vulnerability exploits.

Analyzing Vulnerability Remediation Strategies with Cyentia Institute

The first in a multi-part dive into the Prioritization to Prediction (P2P) research series by Kenna Security and The Cyentia Institute.

© 2022 Kenna Security. All Rights Reserved. Privacy Policy.