You’re Wasting Time on Low-Risk Vulnerabilities
Okay, brass tacks: I can virtually guarantee you’re chasing thousands of vulnerabilities you don’t need to worry about. Our research shows 80% of the vulnerabilities you’re patching aren’t a risk to your organization. And yet there they are at the top of your fix list.
That’s because the tools you’re likely using to score your vulnerabilities (CVSS scores, or scanner prioritization built on top of them) fill your fix lists with too much noise and not enough actionable insight. And since you probably don’t have much time to waste, it’s worth taking a minute to explore why.
Recently, we looked closely at the real-world impact of the roughly 18,000 new Common Vulnerabilities and Exposures (CVE) IDs published in 2019. It turns out only 473 of these CVEs were exploited in a way likely to impact businesses. And of those 473, only about 80 ever reached widespread exploitation, meaning they were observed being exploited in more than 1% of all organizations. We know this because we tracked every one of them across millions of assets, from initial discovery, through publication and exploitation, and finally to remediation. Then we analyzed our findings.
Headlines and risk? Two different things
That’s not to say you only have to worry about patching 80 vulnerabilities in a given year. But our research shows that an exploit being “in the wild” doesn’t necessarily mean it’s a raging hog running wild across the internet. It means attackers somewhere have achieved at least one successful exploitation of a specific CVE. It does not mean every instance of that CVE, including yours, is under attack.
The question is, what does that really mean for you?
The only way to answer that is to combine threat data, vulnerability intel, data science, and predictive models to determine whether a specific CVE is a risk to you in particular. A CVSS base score measures the severity of a vulnerability in isolation, not the risk it poses to a given environment, and vulnerability scanners (whose fix list rankings generally are a reflection of CVSS scores) judge the relative risk of a CVE by applying that same limited set of criteria. Those rankings lack the context that actually decides whether a vulnerability matters to you: Where does this CVE live in your infrastructure? Are those internet- or customer-facing assets? Does the vulnerability exist on a mission-critical server or in a regulated environment? Have exploits even been observed in your industry, or have they been targeting a different type of business?
CVSS scores and the tools relying on them can’t answer those questions. But if you have any hope of narrowing the focus of your remediation teams so they patch only the vulnerabilities that actually pose a risk to your specific environment, you’ll need a smarter, more targeted approach. Especially since, of all the vulnerabilities that exist in your infrastructure as you read this, just 2% to 5% actually pose a risk to you.
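To make the difference concrete, here is an added illustration (not the vendor’s scoring model and not code from the original post) of how a fix list changes once exploitation evidence and asset context are layered on top of a CVSS base score. The weights, the placeholder vulnerability IDs (`VULN-A` and so on, not real CVE IDs), the asset names and the findings themselves are all constructed for this example.

```python
"""Added illustration: CVSS-only ranking vs. context-aware risk ranking.

Not the vendor's model. The weights are hypothetical, and the findings are
constructed sample data with placeholder IDs, not real CVEs.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class Finding:
    vuln_id: str             # placeholder label, not a real CVE ID
    asset: str               # constructed asset name
    cvss: float              # CVSS base score as reported by the scanner
    exploited_in_wild: bool  # threat intel: successful exploitation observed
    internet_facing: bool    # asset inventory: reachable from the internet
    critical_asset: bool     # mission-critical or regulated system


# Constructed sample data: what a scanner export joined with an asset
# inventory and a threat-intel feed might look like (assumption).
SAMPLE_FINDINGS: List[Finding] = [
    Finding("VULN-A", "dev-vm-17",   9.8, exploited_in_wild=False, internet_facing=False, critical_asset=False),
    Finding("VULN-B", "web-edge-01", 7.5, exploited_in_wild=True,  internet_facing=True,  critical_asset=True),
    Finding("VULN-C", "erp-db-02",   5.3, exploited_in_wild=True,  internet_facing=False, critical_asset=False),
    Finding("VULN-D", "vpn-gw-01",   9.1, exploited_in_wild=False, internet_facing=True,  critical_asset=True),
    Finding("VULN-E", "kiosk-09",    4.3, exploited_in_wild=False, internet_facing=False, critical_asset=False),
]

# Hypothetical weights, chosen only to make the ordering effect visible.
EXPLOITED_WEIGHT = 4.0        # observed exploitation dominates the score...
UNEXPLOITED_WEIGHT = 0.25     # ...while a paper-only vuln is heavily discounted
INTERNET_FACING_WEIGHT = 2.0
CRITICAL_ASSET_WEIGHT = 2.0


def cvss_score(f: Finding) -> float:
    """What a typical scanner fix list sorts on: the base score alone."""
    return f.cvss


def risk_score(f: Finding) -> float:
    """Base score scaled by exploitation evidence and asset context."""
    score = f.cvss * (EXPLOITED_WEIGHT if f.exploited_in_wild else UNEXPLOITED_WEIGHT)
    if f.internet_facing:
        score *= INTERNET_FACING_WEIGHT
    if f.critical_asset:
        score *= CRITICAL_ASSET_WEIGHT
    return score


def ranked_ids(findings: Iterable[Finding], key: Callable[[Finding], float]) -> List[str]:
    """Vulnerability IDs ordered from highest to lowest score under `key`."""
    return [f.vuln_id for f in sorted(findings, key=key, reverse=True)]


def fix_list(findings: Iterable[Finding], threshold: float) -> List[str]:
    """IDs whose context-aware risk score meets the threshold, highest first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [f.vuln_id for f in ranked if risk_score(f) >= threshold]


def displaced_by_context(findings: Iterable[Finding], n: int) -> List[str]:
    """CVSS top-n entries that drop out of the risk top-n.

    These are the 'noise' items: they head the scanner's list but, given
    exploitation evidence and where they actually live, are not where the
    remediation team's next hours should go.
    """
    items = list(findings)
    cvss_top = ranked_ids(items, cvss_score)[:n]
    risk_top = ranked_ids(items, risk_score)[:n]
    return [v for v in cvss_top if v not in risk_top]


if __name__ == "__main__":
    print("CVSS-only order :", ranked_ids(SAMPLE_FINDINGS, cvss_score))
    print("Risk-based order:", ranked_ids(SAMPLE_FINDINGS, risk_score))
    print("Fix list (risk >= 10):", fix_list(SAMPLE_FINDINGS, 10.0))
    print("Top-2 noise under CVSS:", displaced_by_context(SAMPLE_FINDINGS, 2))
```

On this sample, the two "critical" 9.x findings sit on an isolated dev VM and a VPN gateway with no observed exploitation, so a CVSS-sorted list puts them first; the risk-sorted list instead leads with the exploited 7.5 on an internet-facing critical host and the exploited 5.3 on a database. One caveat a practitioner will raise: CVSS v3 does define temporal and environmental metric groups that can capture some of this context, but scanner output almost always reports the base score alone, which is the number most fix lists end up sorted on.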
By taking a modern, risk-based approach to vulnerability management, you can spare your Security and IT teams all that friction over why something has to be patched, and free them up to focus on the work that actually reduces risk.