New Kenna Research: The Remediation Gap

Oct 12, 2015
Greg Howard

Share with Your Network

Following on our work in this year’s Verizon Data Breach Information Report, Kenna recently published a kind of sequel: “The Remediation Gap: Why Companies Are Losing the Battle Against Non-targeted Attacks.” Authored by our chief data scientist Michael Roytman, the report examined the proliferation of non-targeted attacks and companies’ ability to counter these threats through quick remediation.

Kenna analyzed 50,000 organizations, 250 million vulnerabilities, and over one billion breach events from January 2014 through September 2015. What we found: companies are regularly leaving vulnerabilities open for longer than it takes attackers to exploit them.

Unlike more widely publicized Advanced Persistent Threats, non-targeted attacks pose a much different challenge for security organizations. Rather than targeting a specific company, attackers attempt to grab as much valuable data from as many companies as possible, relying on automated tools and techniques to scale their attacks.

Key findings from the “The Remediation Gap” report include:

  • Automated attacks are on the rise: There have been over 1.2 billion successful exploits witnessed in 2015 to date, compared to 220 million successful exploits witnessed in 2013 and 2014 combined — an increase of 445 percent.
  • Remediation takes time: Despite the best intentions, most companies take an average of 100-120 days to remediate found vulnerabilities. However, many companies have critical vulnerabilities that go unpatched altogether.
  • Exploitation is almost guaranteed: The probability of a vulnerability being exploited hits 90 percent between 40-60 days after discovery, indicating that the length of time a company has to react to vulnerabilities before attackers strike is within 40-60 days of release for well-known vulnerabilities. This creates a remediation gap, or time that a vulnerability is most likely to be exploited before it is closed, of nearly 60 days.

The report also profiles a sampling of significant vulnerabilities that are frequently left unclosed, but remain popular targets for hackers, demonstrating that remediation is often prioritized by which vulnerabilities are top of mind for security teams, rather than by which vulnerabilities are most likely to be exploited or could cause the most damage.

The report has gained significant media attention, garnering write-ups in Dark ReadingSC MediaComputerWeekly, and the Wall Street Journal among many others.

Read the “The Remediation Gap” for yourself. It’s a must-read for any InfoSec professional.

Read the Latest Content

Research Reports

Prioritization to Prediction Volume 5: In Search of Assets at Risk

The fifth volume of the P2P series explores the vulnerability risk landscape by looking at how enterprises often view vulnerabilities.

5 Things Every CIO Should Know About Vulnerability Management

If you view vulnerability management (VM) as just a small part of your operation, it might be time to take another look.  Managing vulnerabilities is...



Get Started Using the Exploit Prediction Scoring System (EPSS).

Cyentia Institute’s Chief Data Scientist and Founder Jay Jacobs gives tips on how to get started using the Exploit Prediction Scoring System (EPSS). You...

© 2022 Kenna Security. All Rights Reserved. Privacy Policy.