For Vulnerability Management Performance, What Vendors Do Matters. (Perhaps More Than Anything Else.)

What can you learn from observing how nearly 450 organizations manage vulnerabilities across more than 9 million assets?

For one thing, you find out just how critical the actions (or inactions) of platform and application vendors are to the performance of vulnerability management (VM) programs. In fact, what vendors do or don’t do may have greater influence on the success of VM than any other factor.

This is one of the revelations that surfaced in the fifth volume of our Prioritization to Prediction (P2P) series, Prioritization to Prediction, Volume 5: In Search of Assets at Risk. Prepared by the Cyentia Institute, this new report quantifies, for the first time, the comparative risk surface of assets based on various platforms. 

As the researchers at Cyentia dug into various characteristics of VM programs–from the number of vulns that exist on a specific asset to the speed at which they’re remediated–it quickly became clear that vendors play an important role in how well VM programs perform. And it offers lessons for software and platform vendors who want to make sure their inaction doesn’t threaten their future within enterprise infrastructures.

What we can learn from Windows

We’re all familiar with Patch Tuesday. That’s the day Microsoft issues patches for its various platforms and products, and it happens either once or twice a month, depending on how many vulnerabilities have been discovered in those products and how many exploits of those vulns have been observed. 

Patch Tuesday isn’t some altruistic giveaway. It was born of necessity, due in part to the extensive footprint of Windows and other Microsoft products in today’s enterprises (half of the firms in our data pool have more than 85% Windows assets). 

It’s also necessary because Windows-based assets tend to have more known vulnerabilities than other assets. In fact, a Windows-based asset typically has 119 vulnerabilities to manage in any given month. That’s 30 times more than the median number of vulnerabilities in network appliances and almost four times more than the next closest asset category of Apple products.  

More vulns, but better coverage

As is noted in the latest P2P report–and as we repeat endlessly in this blog–what’s critical isn’t the number of vulns, but the number of high-risk vulns (and on which assets). In other words, what matters is focusing on those vulnerabilities that pose the greatest risk to your unique infrastructure. 

From that perspective, Windows platforms still lead the pack, and by a good margin. But here’s where things get interesting. As this scatterplot illustrates, even as Windows dominates in numbers of high-risk vulnerabilities, it also leads in terms of the percentage of closed vulnerabilities. 

On one hand, it’s impressive that enterprises manage to close such a high percentage of high-risk Windows vulns, considering how many millions there are, and that the close rates reported for products from VMware, HP and Cisco, along with Linux, are far lower.

On the other hand, you might just as easily wonder how that came to be: How can Microsoft be responsible for producing the most high-risk vulns (by far), and yet enterprises are still more successful in closing Windows vulns than they are on virtually any other platform?

To me, the answer is pretty clear: Microsoft has established a reliable and streamlined cadence of patch release and remediation, while over time easing the classic concern that patch deployments will blue-screen critical servers. Patch Tuesday is certainly good evidence of this, and our P2P report yields further support for that argument.

A much shorter half-life on Windows

Further evidence of Microsoft’s winning hand in driving VM success can be found in comparing the speed at which vulns are remediated. The half-life of vulnerabilities in a Windows system is 36 days. For network appliances, that jumps tenfold to 369 days. After one year, only about 15% of bugs remain on Mac and Windows assets, but more than twice as many remain on Linux/Unix systems, and half remain on network appliances.

Native vs. non-native software

The report generally found that the more non-native vendors present on a platform, the higher the vulnerability density (the number of open vulns per asset). While this finding is not necessarily surprising, it does reinforce the common sense notion that enterprises should be mindful about the software they install on critical systems. 

That message comes through loud and clear when we look at the likelihood of third-party (non-native) vulnerabilities being remediated over the span of 18 months. Remediation of third-party vulns runs well behind remediation of Microsoft vulnerabilities. 

But there’s more detail to the story here. I decided to take a deeper look at Windows 10 platforms and break them down by third-party vendors. This makes it pretty clear where auto-updates, patch management tools, and generally making it easier to patch have a real impact.

Impressive levels of remediation performance

Another way to slice the data is to look at the proportion of vulnerabilities remediated in a month. This is important since organizations remediate about 10% of the vulnerabilities in their environment during any given month. 

Once again, Microsoft Windows systems (along with Mac OS X platforms) achieve impressive levels of remediation performance. But other platforms and devices can’t break through the 1-in-10 glass ceiling for raw fix capacity.
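To make the two metrics used above concrete (the vulnerability half-life from the previous section and the proportion of vulns remediated in a month), here is an added example that is not code from the P2P report or its authors; it computes both from a small constructed set of findings, and the platform names, dates and record layout are assumptions. It also shows the caveat a practitioner runs into: when the observation window is too short, a half-life simply cannot be measured.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
@dataclass
class Vuln:
    opened: date
    closed: Optional[date]  # None = still open as of AS_OF (right-censored)

# Constructed sample findings for illustration; not data from the P2P report.
AS_OF = date(2020, 12, 31)
VULNS = {
    "windows": [
        Vuln(date(2020, 1, 1), date(2020, 1, 11)),   # fixed after 10 days
        Vuln(date(2020, 1, 1), date(2020, 2, 6)),    # fixed after 36 days
        Vuln(date(2020, 1, 1), None),
        Vuln(date(2020, 1, 1), None),
    ],
    "appliance": [
        Vuln(date(2019, 6, 1), date(2019, 9, 1)),    # fixed after 92 days
        Vuln(date(2019, 6, 1), None),
        Vuln(date(2019, 6, 1), None),
    ],
}

def age_days(v):
    """Days the finding has been (or was) open."""
    return ((v.closed or AS_OF) - v.opened).days

def survival(records, day):
    """Fraction of findings still open `day` days after discovery. Only findings
    observed for at least `day` days count, so young ones are not treated as fixed."""
    eligible = [v for v in records if (AS_OF - v.opened).days >= day]
    if not eligible:
        return None
    still_open = [v for v in eligible if v.closed is None or age_days(v) > day]
    return len(still_open) / len(eligible)

def half_life(records):
    """First day on which at most half remain open; None if the observation
    window ends before that point (the appliance set above never gets there)."""
    horizon = max((AS_OF - v.opened).days for v in records)
    return next((d for d in range(horizon + 1) if survival(records, d) <= 0.5), None)

def monthly_fix_rate(records, year, month):
    """Share of findings open at any point in the month that were closed in it."""
    start = date(year, month, 1)
    nxt = date(year + (month == 12), month % 12 + 1, 1)
    in_scope = [v for v in records if v.opened < nxt and (v.closed is None or v.closed >= start)]
    fixed = [v for v in in_scope if v.closed is not None and v.closed < nxt]
    return len(fixed) / len(in_scope) if in_scope else None
```

Because the survival curve is measured empirically rather than assumed to be exponential, the half-life and the one-year survival are independent figures, which is why a 36-day half-life can coexist with a sizable share of findings still open after a year.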

What can vendors do better?

Again, Microsoft’s prowess at proactive patching was born of necessity: the sheer volume of vulns on Windows platforms and Microsoft software left it little choice. But other vendors can learn from the best practices Microsoft has established. They can make regular security updates a priority (think of Apple and Adobe), and can do more to streamline vulnerability remediation on their particular platforms, applications and devices. I suspect those managing Microsoft assets have benefited not only from a steady and predictable cadence but also from automation of patch management.

None of this is intended to argue that the vendors and platforms comprising the infrastructure under management are the sole determinants of whether a VM program is effective or not. That would be ridiculous. Modern enterprises need a Modern Vulnerability Management model–one that uses machine learning, real-time threat intelligence, automation, predictive models and other advances to align IT and Security around the risk specific vulns pose to their organization. It’s the only way to protect assets efficiently, while keeping costs down and saving time for already resource-constrained teams. 

But platform and application vendors play a determining role in the success of any VM program. And those who can learn from the examples set by Microsoft and Apple will help their customers reduce their threat landscape–and may better secure their place in the enterprise for years to come.

Download your copy of Prioritization to Prediction, Volume 5: In Search of Assets at Risk today. You can also check out my discussion of the results with Cyentia’s Jay Jacobs in this on-demand webinar.