Taking the Pulse on Vulnerability Management Ahead of RSA Conference 2020
Kenna Security was founded on a few basic propositions: companies have more vulnerabilities than they can patch, but most vulnerabilities present very little risk. By harnessing data, we can help companies decide which vulnerabilities really matter, so they can allocate resources more effectively.
The stats that underpin these propositions change every year. Today, I’m going to provide a quick update on where those numbers stand. But before I do, I want to highlight one big conclusion: There’s a lot of hope. Risk-based vulnerability management is helping companies whittle down their high-risk vulnerability debt. Before Kenna, that simply wasn’t possible at most enterprises.
This data comes from Kenna Security’s Prioritization to Prediction research, which analyzes a vast amount of data to build a truly objective picture of the security practices at large companies. For many of these numbers, we relied on a sample of data from over 300 Kenna customers, along with external data from public and private intelligence sources (more information on our data sources can be found in our Prioritization to Prediction series).
Now, let’s get to the numbers…
1) Published CVE Count Increases Threefold Following 2016
The National Vulnerability Database adds about 18,000 vulnerabilities per year, and by the end of 2019, there were 136,051 published vulnerabilities. The chart below shows a big spike in the number of new vulnerabilities between 2016 and 2017. The reason for the spike isn’t nefarious: MITRE increased the number of CVE Numbering Authorities, enabling organizations to assign CVEs for their own products, which made the process far more automated and faster. In other words, we shouldn’t look at this spike and conclude that technology has somehow become more dangerous.
2) Not All Vulnerabilities Are Created Equal
In a live environment, a vulnerability that affects one popular application or vendor can have a big impact. Take a look at the chart below, which depicts the frequency with which vulnerabilities appear on enterprise devices. On the left, you see that some CVEs are found on only a relatively small number of assets. Approximately 13 percent of CVEs can be found on more than 100,000 machines.
It’s particularly interesting to see how hard it is to nail down a simple measurement of the average number of assets impacted by any given vulnerability. On average, any given CVE can be found on 33,658 different assets, but looking at the median, 50 percent of all vulnerabilities impact 618 or fewer assets.
3) No Matter the Size, Organizations Can Only Patch About 10% of Vulnerabilities
Nobody can patch every vulnerability. The chart below is stunning: it shows that, on average, organizations have the resources to tackle one out of every ten vulnerabilities. Some do better, some do worse. The trendline holds true for organizations large and small.
4) Focus on the 4% of Vulnerabilities That Pose Risk
Enterprises don’t need to worry about everything. Of the 130,000 published CVEs, 69 percent were never detected in any of the hundreds of firms in our sample. Of the remaining CVEs that were observed, a large majority have never been exploited. That leaves just 4 percent of the total vulnerability landscape that poses significant risk, because hackers have exploited those vulnerabilities in the past or have easy exploits available to do so in the future.
The vulnerabilities on the top left of this chart are the ones that we need to worry about. In previous versions of this chart, that number usually stood at about 5 percent. The reason for the decrease? The number of vulnerabilities overall has increased, but the number of exploited ones hasn’t kept pace.
So, the question facing our industry is very simple. We know organizations don’t have the resources to tackle everything. Do they at least have the resources to tackle what matters?
Most of them do. Vulnerabilities are introduced into enterprise environments every day. Our analysis shows that 51 percent of organizations can end each month with fewer high-risk vulnerabilities than they started with, and another 17 percent are holding ground. That means that two-thirds of organizations in our sample are actively managing their vulnerability risk in the real world.
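The partition in point 4 and the monthly capacity question above, as an added example that is not Kenna’s code or data: a constructed set of CVE records is bucketed into never observed, observed but unexploited, and high risk (exploited or exploit available), the high-risk ones are ordered for remediation, and each organization’s month is scored as gaining ground, holding, or falling behind based on high-risk vulnerabilities opened versus closed. All IDs and counts are placeholders.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Cve:
    cve_id: str
    observed_assets: int     # assets in the sample on which the CVE was detected
    exploited_in_wild: bool  # exploitation has been reported
    exploit_available: bool  # a working public exploit exists

# Constructed sample records; the IDs are placeholders, not real CVEs.
SAMPLE_CVES = [
    Cve("CVE-EXAMPLE-01", 0, False, False), Cve("CVE-EXAMPLE-02", 0, False, False),
    Cve("CVE-EXAMPLE-03", 0, False, False), Cve("CVE-EXAMPLE-04", 0, False, False),
    Cve("CVE-EXAMPLE-05", 0, False, False), Cve("CVE-EXAMPLE-06", 0, False, False),
    Cve("CVE-EXAMPLE-07", 500, False, False), Cve("CVE-EXAMPLE-08", 40_000, False, False),
    Cve("CVE-EXAMPLE-09", 120_000, False, True), Cve("CVE-EXAMPLE-10", 8_000, True, True),
]
BUCKETS = ("never_observed", "observed_unexploited", "high_risk")

def classify(cve: Cve) -> str:
    """Place a CVE in one of the three groups the post partitions the landscape into."""
    if cve.observed_assets == 0:
        return "never_observed"
    if cve.exploited_in_wild or cve.exploit_available:
        return "high_risk"
    return "observed_unexploited"

def landscape_split(cves):
    """Share of the CVE landscape in each bucket (the 69 / 27 / 4 percent split in the post)."""
    counts = Counter(classify(c) for c in cves)
    return {b: counts[b] / len(cves) for b in BUCKETS}

def patch_queue(cves):
    """High-risk CVE IDs in remediation order: exploited in the wild first, then widest footprint."""
    high = [c for c in cves if classify(c) == "high_risk"]
    return [c.cve_id for c in sorted(high, key=lambda c: (not c.exploited_in_wild, -c.observed_assets))]

def monthly_posture(opened: int, closed: int) -> str:
    """Did an org end the month with fewer high-risk vulns (gaining), the same (holding), or more?"""
    net = closed - opened
    return "gaining" if net > 0 else "holding" if net == 0 else "falling_behind"

# Constructed per-org counts of high-risk vulnerabilities opened and closed in one month.
SAMPLE_ORGS = {"org-a": (40, 55), "org-b": (20, 20), "org-c": (30, 12), "org-d": (10, 25)}

def posture_share(orgs):
    """Fraction of organizations in each posture (the 51 / 17 / 32 percent split in the post)."""
    counts = Counter(monthly_posture(o, c) for o, c in orgs.values())
    return {p: counts[p] / len(orgs) for p in ("gaining", "holding", "falling_behind")}
```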
And what of those that are falling behind? We can’t say for sure, but it’s likely that those organizations have greater compliance requirements. That is, because they must comply with certain industry standards, they end up devoting resources to closing vulnerabilities that aren’t proven to present a high degree of risk. In other words, they’re falling behind because they have more to do.
These numbers continue to support Kenna’s central value proposition. If you are interested in exploring this further, join the discussion I’ll be hosting at RSAC 2020 on Feb. 26, or visit Kenna Security on the show floor (North Expo, Booth #6140). Also, keep an eye out for the fifth edition of our Prioritization to Prediction series. The next edition is due in March 2020 and will take a bottom-up analysis of the vulnerability landscape from the asset level.