
You’re Wasting Time on Low-Risk Vulnerabilities

Apr 22, 2021
Ed Bellis
Chief Technology Officer, Co-founder


Okay, brass tacks: I can virtually guarantee you’re chasing thousands of vulnerabilities you don’t need to worry about. Our research shows 80% of the vulnerabilities you’re patching aren’t a risk to your organization. And yet there they are at the top of your fix list.

That’s because the tools you’re likely using to score your vulnerabilities (CVSS scores or scanner prioritization) are filling your fix lists with too much noise and not enough actionable insight. And since you probably don’t have much time to waste, you might want to take a minute to explore why.

Recently, we looked closely at the real-world impact of the 18,000 new Common Vulnerabilities and Exposures (CVE) IDs published in 2019. It turns out only 473 of these CVEs were exploited in a way likely to impact businesses. And of those 473, only about 80 ever reached widespread exploitation within more than 1% of all organizations. We know this because we observed every one of them across millions of assets from initial discovery, through publication and exploitation, and finally ending with remediation. Then we analyzed our findings.

Headlines and risk? Two different things

That’s not to say you only have to worry about patching 80 vulnerabilities across a given year. But our research shows an exploit “in the wild” doesn’t necessarily mean it’s a raging hog running wild across the internet. It means attackers somewhere have achieved at least one successful exploit of a specific CVE.

The question is, what does that really mean for you?

The only way to answer that is to apply extensive threat data, vulnerability intel, data science, and predictive algorithms to determine whether a specific CVE is a risk to you. CVSS scores and vulnerability scanner solutions (whose fix list rankings generally are a reflection of CVSS scores) judge the relative risk of a CVE by applying a very limited set of criteria. And those rankings generally lack context relevant to your situation: Where does this CVE live in your infrastructure? Are those internet- or customer-facing assets? Does the vulnerability exist on a mission-critical server or in a regulated environment? Have exploits even been observed in your industry, or have they been targeting a different type of business?

CVSS scores and the tools relying on them can’t answer those questions. But if you have any hope of narrowing the focus of your remediation teams so they work on patching only those vulnerabilities that actually pose a risk to your specific environment, you’ll need a smarter, more targeted approach. That matters because, of all the vulnerabilities that exist in your infrastructure as you read this, just 2% to 5% actually pose a risk to you.
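To make the contrast concrete, here is an added Python illustration (not code from this post and not Kenna’s scoring model) that ranks the same constructed findings first by CVSS alone and then by a score that also weighs observed exploitation and asset context. The weights, the Finding fields, the threshold and the placeholder CVE IDs are all assumptions made up for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    """One CVE observed on one asset, with the context a CVSS score lacks."""
    cve: str
    cvss: float                 # base score, 0-10
    exploited_in_wild: bool     # at least one successful real-world exploit observed
    widespread: bool            # exploitation seen across many organizations
    targeted_in_industry: bool  # exploitation observed in your sector
    internet_facing: bool
    mission_critical: bool
    regulated: bool

def risk_score(f: Finding) -> float:
    """Context-aware score on a 0-100 scale. Weights are assumptions for this
    example only; the point is that exploitation evidence and asset context,
    not CVSS alone, drive the ranking."""
    threat = 0.1                      # no observed exploitation: theoretical risk only
    if f.exploited_in_wild:
        threat = 0.6
    if f.widespread:
        threat = 1.0
    if f.targeted_in_industry:
        threat = min(1.0, threat + 0.2)
    exposure = 1.0                    # where the CVE lives in your infrastructure
    if f.internet_facing:
        exposure += 1.0
    if f.mission_critical:
        exposure += 0.5
    if f.regulated:
        exposure += 0.5
    # CVSS still scales the result, but only as a measure of potential impact.
    return round(threat * exposure * (f.cvss / 10.0) * (100.0 / 3.0), 1)

def rank_by_cvss(findings):
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

def rank_by_risk(findings):
    return [f.cve for f in sorted(findings, key=risk_score, reverse=True)]

def actionable(findings, threshold=15.0):
    """CVEs that clear the (assumed) risk threshold; everything else can wait."""
    return [f.cve for f in findings if risk_score(f) >= threshold]

# Constructed sample findings with placeholder CVE IDs (not real identifiers).
SAMPLE = [
    Finding("CVE-XXXX-0001", 9.8, False, False, False, False, False, False),  # critical CVSS, internal dev box, never exploited
    Finding("CVE-XXXX-0002", 7.5, True, True, False, True, True, False),      # widely exploited, internet-facing, mission-critical
    Finding("CVE-XXXX-0003", 5.3, True, False, True, False, False, True),     # exploited in your sector, on a regulated host
    Finding("CVE-XXXX-0004", 9.1, True, False, False, False, False, False),   # exploited somewhere, internal, non-critical
]
```

On this sample, CVSS puts the never-exploited 9.8 at the top of the fix list, while the context-aware score moves the widely exploited, internet-facing 7.5 to the top and drops the 9.8 to the bottom.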

By taking a modern, risk-based approach to vulnerability management, you can spare your Security and IT teams all that friction over why something has to be patched. And you can free them up to focus on other, more strategic tasks.

Find out where you are on the modern vulnerability management journey. And learn how easy it is to fix only what matters.







© 2021 Kenna Security. All Rights Reserved.