Looking Before & Beyond a Breach: Lessons from a DBIR Featured Contributor

Apr 16, 2015
Michael Roytman
Chief Data Scientist


As you may know, the 2015 Verizon Data Breach Investigations Report was recently released. This is the "gold standard" research document for information security, and we're proud to say that Risk I/O was a featured vulnerabilities contributor, providing a correlated threat data set that spans 200M+ successful exploitations across 500+ Common Vulnerabilities and Exposures (CVEs), observed at over 20,000 enterprises in more than 150 countries.

With our data set in hand, Verizon looked for patterns within the successful exploitations that could guide how organizations prioritize remediation and patching of known vulnerabilities. A sample of their findings using Risk I/O data:

  • A patch strategy focused on coverage & consistency is far more effective at preventing data breaches than “fire drills.”

  • Just because a CVE gets old doesn't mean it goes out of style with the exploit crowd (they have a reputation for partying like it's 1999).

  • It’s important to prioritize remediation of exploited vulnerabilities, beyond the top ten or so CVEs.

  • How to decide whether a vulnerability needs to be patched quickly or can be pushed out with the rest of the regular patch cycle.

Probably the most interesting statistic to come out of our research is that attackers aren't just going after the flashy, media-worthy vulnerabilities. An astonishing 99.9% of vulnerabilities that become exploited are at least a year old at the time of exploitation. It's not the newest ones that attackers are using; it's some of the oldest ones on record.

[Figure: cumulative percentage of exploited vulnerabilities by weeks from CVE publish date]
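To make the "age at exploitation" statistic and the prioritization advice concrete, here is an added example (not Risk I/O's or Verizon's code, and not the DBIR analysis itself). It builds the cumulative share of exploitation events by CVE age in weeks, the curve behind the figure above, from a small constructed set of events, and then orders an asset inventory for patching by observed exploitation first and vendor severity second. The vulnerability labels, dates and CVSS scores are all made up for illustration.

```python
"""
Added example: cumulative exploitation-by-CVE-age curve and an
exploitation-first remediation ordering, on constructed data.
"""
from collections import Counter
from datetime import date

# Constructed sample data. Labels are placeholders, not real CVE IDs, and
# the dates are invented. Each tuple is:
# (vuln_label, CVE publish date, date a successful exploitation was observed)
EVENTS = [
    ("CVE-A", date(1999, 3, 1), date(2014, 6, 10)),
    ("CVE-A", date(1999, 3, 1), date(2014, 9, 2)),
    ("CVE-B", date(2008, 10, 23), date(2014, 2, 14)),
    ("CVE-B", date(2008, 10, 23), date(2014, 11, 30)),
    ("CVE-C", date(2012, 4, 5), date(2014, 1, 20)),
    ("CVE-D", date(2014, 4, 7), date(2014, 4, 21)),  # exploited two weeks after publish
]

# Constructed inventory of vulnerabilities present in an environment, with a
# vendor severity score. CVE-E has the kind of high score that attracts
# "fire drill" patching but no observed exploitation.
INVENTORY = {
    "CVE-A": {"cvss": 7.5},
    "CVE-B": {"cvss": 9.3},
    "CVE-C": {"cvss": 5.0},
    "CVE-D": {"cvss": 10.0},
    "CVE-E": {"cvss": 9.8},
}


def age_in_weeks(published, observed):
    """Whole weeks between CVE publication and the observed exploitation."""
    return (observed - published).days // 7


def cumulative_share_by_age(events):
    """One (weeks, cumulative_fraction) point per distinct CVE age, ascending.

    The fraction at a point is the share of exploitation events whose CVE
    was at most that many weeks old when exploited.
    """
    ages = Counter(age_in_weeks(p, o) for _, p, o in events)
    total = sum(ages.values())
    points, seen = [], 0
    for w in sorted(ages):
        seen += ages[w]
        points.append((w, seen / total))
    return points


def share_at_least_weeks_old(events, weeks=52):
    """Fraction of exploitation events in which the CVE was at least `weeks` old."""
    old = sum(1 for _, p, o in events if age_in_weeks(p, o) >= weeks)
    return old / len(events)


def remediation_order(inventory, events):
    """Patch order: most observed exploitations first, CVSS as the tie-breaker.

    Anything with exploitation evidence sorts above anything without it,
    regardless of score, which is the point of the DBIR finding.
    """
    hits = Counter(label for label, _, _ in events)
    return sorted(inventory, key=lambda v: (-hits[v], -inventory[v]["cvss"]))


if __name__ == "__main__":
    for w, frac in cumulative_share_by_age(EVENTS):
        print(f"{w:4d} weeks: {frac:.0%} of exploitations")
    print(f"CVE at least a year old at exploitation: {share_at_least_weeks_old(EVENTS):.0%}")
    print("patch order:", remediation_order(INVENTORY, EVENTS))
```

On this toy set five of six exploitations hit a CVE that was more than a year old, and CVE-E, the highest-scoring vulnerability without any exploitation evidence, lands last in the patch order. The real data set behind the report has hundreds of millions of events; the mechanics are the same, only the curve is far steeper at the old end.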

Of all of the risk factors in information security, vulnerabilities are probably the most controversial. Which vulnerabilities should be patched? And more generally, what can we all do before a breach to improve vulnerability management programs? Many more data-driven recommendations for improving your remediation strategy can be gleaned from this year's report.

The Verizon Data Breach Investigations Report is a must-read for InfoSec professionals, and Risk I/O is proud to have participated. A special thanks to Bob Rudis and Jay Jacobs for their help and patience.

© 2022 Kenna Security. All Rights Reserved. Privacy Policy.