You’re Wasting Time on Low-Risk Vulnerabilities

Apr 22, 2021
Ed Bellis
Chief Technology Officer, Co-founder


Okay, brass tacks: I can virtually guarantee you’re chasing thousands of vulnerabilities you don’t need to worry about. Our research shows 80% of the vulnerabilities you’re patching aren’t a risk to your organization. And yet there they are at the top of your fix list.

That’s because the tools you’re likely using to score your vulnerabilities (CVSS scores or scanner prioritization) are filling your fix lists with too much noise and not enough actionable insight. And since you probably don’t have much time to waste, you might want to take a minute to explore why.

Recently, we looked closely at the real-world impact of the 18,000 new Common Vulnerabilities and Exposures (CVE) IDs published in 2019. It turns out only 473 of those CVEs were exploited in a way likely to impact businesses. And of those 473, only about 80 ever reached widespread exploitation, meaning exploitation observed in more than 1% of all organizations. We know this because we observed every one of them across millions of assets, from initial discovery through publication and exploitation to remediation. Then we analyzed our findings.

Headlines and risk? Two different things

That’s not to say you only have to worry about patching 80 vulnerabilities across a given year. But our research shows an exploit “in the wild” doesn’t necessarily mean it’s a raging hog running wild across the internet. It means attackers somewhere have achieved at least one successful exploit of a specific CVE.

The question is, what does that really mean for you?

The only way to answer that is to apply extensive threat data, vulnerability intel, data science, and predictive algorithms to determine whether a specific CVE is a risk to you. CVSS scores and vulnerability scanner solutions (whose fix list rankings generally are a reflection of CVSS scores) judge the relative risk of a CVE by applying a very limited set of criteria. And those rankings generally lack context relevant to your situation: Where does this CVE live in your infrastructure? Are those internet- or customer-facing assets? Does the vulnerability exist on a mission-critical server or in a regulated environment? Have exploits even been observed in your industry, or have they been targeting a different type of business?

CVSS scores and the tools relying on them can’t answer those questions. But if you have any hope of narrowing the focus of your remediation teams so they patch only the vulnerabilities that actually pose a risk to your specific environment, you’ll need a smarter, more targeted approach, especially since just 2% to 5% of all the vulnerabilities in your infrastructure right now actually pose a risk to you.
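As an added illustration (not Kenna’s model or code; the weights, asset attributes and CVE ids below are made up for the example), the following Python ranks the same constructed findings two ways, by CVSS alone and by exploitation evidence plus asset context, and reports which CVSS-first fixes drop out of the risk-based top of the list:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance observed on one asset."""
    cve: str                 # placeholder id; constructed, not a real CVE
    cvss: float              # CVSS base score, 0.0-10.0
    exploited_in_wild: bool  # at least one observed successful exploit
    widespread: bool         # exploitation seen in more than 1% of organizations
    internet_facing: bool    # asset is reachable from the internet or customers
    mission_critical: bool   # asset hosts a mission-critical service
    regulated: bool          # asset sits in a regulated environment

def risk_score(f: Finding) -> float:
    # Illustrative weights chosen for this example (an assumption, not a published
    # model): exploitation evidence dominates, asset context scales it, CVSS breaks ties.
    threat = 10 if f.widespread else 6 if f.exploited_in_wild else 1
    exposure = 10 + 5 * f.internet_facing + 3 * f.mission_critical + 2 * f.regulated
    return threat * exposure + f.cvss

def by_cvss(findings: list[Finding]) -> list[str]:
    """Fix list as a CVSS-driven scanner would order it (highest score first)."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

def by_risk(findings: list[Finding]) -> list[str]:
    """Fix list ordered by exploitation evidence and asset context."""
    return [f.cve for f in sorted(findings, key=risk_score, reverse=True)]

def cvss_noise(findings: list[Finding], top_n: int) -> list[str]:
    """CVEs a team would patch first under CVSS ranking that do not make the
    risk-based top_n: the low-risk work the post says teams are wasting time on."""
    risky = set(by_risk(findings)[:top_n])
    return [c for c in by_cvss(findings)[:top_n] if c not in risky]

# Constructed sample findings (ids and attributes are made up for illustration).
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, False, False, False, False, False),  # internal, never exploited
    Finding("CVE-0000-0002", 7.5, True,  True,  True,  True,  False),  # widespread, internet-facing
    Finding("CVE-0000-0003", 8.8, True,  False, False, False, True),   # exploited, regulated host
    Finding("CVE-0000-0004", 9.1, False, False, True,  False, False),  # internet-facing, no exploit
    Finding("CVE-0000-0005", 5.3, True,  True,  False, False, True),   # widespread, regulated host
]

if __name__ == "__main__":
    print("CVSS order:", by_cvss(SAMPLE))
    print("Risk order:", by_risk(SAMPLE))
    print("CVSS top-2 that miss the risk top-2:", cvss_noise(SAMPLE, 2))
```

With these inputs the two 9+ CVSS findings that sit atop the scanner list fall to the bottom of the risk-based list, while the 5.3 that is being exploited widely on a regulated host moves to second place.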

By taking a modern, risk-based approach to vulnerability management, you can spare your Security and IT teams all that friction over why something has to be patched. And you can free them up to focus on other, more strategic tasks.

Find out where you are on the modern vulnerability management journey. And learn how easy it is to fix only what matters.





© 2022 Kenna Security. All Rights Reserved. Privacy Policy.