Don’t Stop Me Now: The Race to Remediation Is On

“That’s why they call me Mr. Fahrenheit, cause I’m patching at the speed of light!” – Freddie Mercury(ish).

Over the past several months, my team and I have worked with the Cyentia Institute to build out data that begins to tell the story about modern vulnerability management practices at large companies. I’ve been sharing this research here and hope you’ve been enjoying the journey as much as I have (earlier posts can be found here and here).

Today we released the third volume of the Prioritization to Prediction series, giving us more insight into the challenges and opportunities for organizations across different industries and sizes. I’ll share those with you, but first, let’s discuss how we got here.

The first report served as an independent validation of our risk-based approach to vulnerability management, and it gave our customers an in-depth look at the decision models that underpin the Kenna Security Platform. The second report looked at how several companies used the platform to prioritize a whopping 2 billion vulnerabilities, 544 million of them were deemed “high risk.” We even sampled 12 of those organizations in greater detail.

This third volume of the Prioritization to Prediction series goes even farther, examining the efforts at more than 300 companies. We divided them into industry clusters and analyzed them according to size to see if there were any demographic differences between them and also looked further into the speed and capacity of remediation efforts.

Here’s what we found:

• Investment firms, professional services companies, and the transportation industry rank among the best at timely patching of exploitable vulnerabilities. Retailers, healthcare organizations, and insurers sit at the back of the pack.  
• A very strong linear relationship exists between the number of open vulnerabilities and the size of a company. In all, we found that companies big and small have the capacity to close about 10 percent of the vulnerabilities on their networks. While the strength of the relationship is fairly surprising, it makes sense if you think about it. Cybersecurity teams grow with revenue, while networks grow exponentially in size and complexity.
• On average, it takes large organizations 254 days to remediate 75 percent of high-risk vulnerabilities, while small organizations typically accomplish this in 59 fewer days.
• Larger organizations seem to have accepted the argument that some vulnerabilities pose very little risk. We found that these firms took an extremely long time to patch vulnerabilities for which there were no known exploits.
• Comparing the total volume of high-risk vulnerabilities against the number of vulnerabilities each organization remediated per month, 33 percent of the organizations are gaining ground by remediating more vulnerabilities than were discovered.
• Roughly 17 percent of organizations are maintaining pace with new high-risk vulnerabilities, while 50 percent of organizations are falling behind, remediating fewer vulnerabilities than the volume of high-risk vulnerabilities discovered per month.

In completing this report we learned that there are some high-performing industries and organizations who really have their remediation strategy dialed. Stay tuned for volume four to hear more about what these organizations do differently that enables them to pull ahead in the vulnerability remediation race.

For a quick overview of the three reports, check out an on-demand of my short discussion with Wade Baker from the Cyentia Institute. Or, for more on Volume 3, check out the press release.