Companies can safely delay patching the majority of their vulnerabilities, Kenna Security report finds

Research conducted by Kenna Security and Cyentia Institute demonstrates companies can be smarter and more efficient in their security efforts

January 22, 2019

SAN FRANCISCO, Calif., January 22, 2019

Ed Bellis, CTO at Kenna Security

“In our ongoing mission to apply the tenets of data science to cybersecurity, we have begun to benchmark the realities of vulnerability remediation strategies. We’ve found that remediating the riskiest vulnerabilities is within reach for many organizations. Despite recent high-profile data breaches, our findings show that enterprises can and should delay efforts to remediate a majority of vulnerabilities, which often number in the millions. Most vulnerabilities pose little to no danger of being exploited. That means companies can prioritize their resources to tackle the five percent of threats that pose the greatest risk.”

News Summary

Kenna Security, a leader in predictive cyber risk, today released the second volume of its ongoing analysis into the vulnerability landscape. The report, titled Prioritization to Prediction: Getting Real About Remediation, found that companies today appear to have the resources needed to address all of their high-risk vulnerabilities.

The research demonstrates that companies are getting smarter in how they protect themselves from today’s cyber threats, improving operational efficiency and resource allocation while still managing risk. The research builds on Kenna Security’s initial Prioritization to Prediction: Analyzing Vulnerability Remediation Strategies report to show that companies are increasingly recognizing that the majority of vulnerabilities are never weaponized or exploited in a cyberattack.

Cybersecurity researchers from Kenna Security and Cyentia Institute analyzed 3 billion vulnerabilities managed across 500+ organizations and 55 sources of external intelligence. They then took a deep dive into the realities of remediation using anonymized data from a sample of 12 enterprises that were selected to cover a range of industries, sizes, and remediation strategies. They found that:

  • Organizations have closed 70 percent of the high-risk vulnerabilities on their systems, but they still aren’t as efficient as they could be. Out of the 544 million high-risk vulnerabilities, organizations remediated 381 million, leaving 163 million open.
  • Organizations remediated over 2 billion vulnerabilities in total, far more than the 544 million that are high-risk, so enterprises already have the capacity to address the vulnerabilities that pose the greatest risk. What is missing is ordering: remediation strategies should direct resources to all 544 million high-risk vulnerabilities first, moving on to the 2.9 billion lower-risk vulnerabilities only afterward.

Additional key findings include:

  • Only about one-third of all published CVEs are ever observed in a live environment and, of those, only 5 percent have known exploits against them.
  • About one-third (32.3 percent) of vulnerabilities are remediated within 30 days of discovery. Half of all vulnerabilities are still unpatched 90 days after discovery.
  • Of the ten largest software vendors, three were responsible for 70 percent of open vulnerabilities. And one of those, Oracle, was responsible for one-third. Java and Acrobat top the list of unpatched products.
  • One in four open vulnerabilities (25.7 percent) on enterprise systems was identified and entered into the National Vulnerability Database before 2015.
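The two findings above (the high-risk-first ordering, and the 30-day and 90-day remediation rates) are simple to reproduce on an organization’s own scanner export. The script below is an added example and is not code from Kenna Security or from the report: the Vuln fields, the is_high_risk rule (known exploit or CVSS 9.0 and above, a stand-in for the report’s own high-risk classification, which this page does not define), the CVE-0000-* identifiers and the dates are all constructed for illustration.

```python
"""Risk-based remediation queue plus remediation-rate metrics over a
constructed vulnerability inventory.

Added example, not code from Kenna Security or the Prioritization to
Prediction report. The data model, the high-risk rule and the sample
inventory are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Vuln:
    cve: str                 # constructed identifier, not a real CVE
    cvss: float              # base score from the scanner
    exploit_known: bool      # assumption: an external-intelligence flag
    first_seen: date         # date the scanner first reported the finding
    closed: Optional[date]   # None while the finding is still open


def is_high_risk(v: Vuln) -> bool:
    """Hypothetical high-risk rule: a known exploit, or CVSS >= 9.0.
    The report's own classification is not given on this page."""
    return v.exploit_known or v.cvss >= 9.0


def remediation_queue(inventory: List[Vuln]) -> List[Vuln]:
    """Open findings ordered high-risk first, then by CVSS descending,
    then oldest first, so every high-risk item precedes every low-risk one."""
    open_vulns = [v for v in inventory if v.closed is None]
    return sorted(open_vulns,
                  key=lambda v: (not is_high_risk(v), -v.cvss, v.first_seen))


def summarize(inventory: List[Vuln], as_of: date) -> Dict[str, float]:
    """Remediation metrics in the shape of the report's findings: share of
    high-risk findings closed, and the fraction of all findings closed
    within 30 and 90 days of first being seen (open findings count against
    the rate)."""
    high = [v for v in inventory if is_high_risk(v)]
    high_closed = [v for v in high if v.closed is not None]
    closed = [v for v in inventory if v.closed is not None]

    def closed_within(days: int) -> float:
        n = sum(1 for v in closed if (v.closed - v.first_seen).days <= days)
        return n / len(inventory)

    return {
        "total": len(inventory),
        "high_risk_total": len(high),
        "high_risk_closed": len(high_closed),
        "high_risk_open": len(high) - len(high_closed),
        "high_risk_closed_share": len(high_closed) / len(high) if high else 0.0,
        "closed_within_30d": closed_within(30),
        "closed_within_90d": closed_within(90),
        "open_older_than_90d": sum(
            1 for v in inventory
            if v.closed is None and (as_of - v.first_seen).days > 90),
    }


# Constructed sample inventory (not real data).
AS_OF = date(2019, 1, 22)
INVENTORY = [
    Vuln("CVE-0000-0001", 9.8, True,  date(2018, 10, 1),  date(2018, 10, 20)),  # high, closed in 19 days
    Vuln("CVE-0000-0002", 7.5, True,  date(2018, 11, 5),  None),                # high, still open
    Vuln("CVE-0000-0003", 9.1, False, date(2018, 9, 1),   date(2018, 12, 15)),  # high by CVSS, closed in 105 days
    Vuln("CVE-0000-0004", 5.3, False, date(2018, 12, 1),  date(2018, 12, 28)),  # low, closed in 27 days
    Vuln("CVE-0000-0005", 6.5, False, date(2018, 8, 1),   None),                # low, open for >90 days
    Vuln("CVE-0000-0006", 8.8, False, date(2019, 1, 10),  None),                # low under this rule, open
    Vuln("CVE-0000-0007", 4.3, False, date(2018, 10, 15), date(2019, 1, 5)),    # low, closed in 82 days
]

if __name__ == "__main__":
    for v in remediation_queue(INVENTORY):
        print(f"{v.cve}  cvss={v.cvss}  high_risk={is_high_risk(v)}")
    for k, val in summarize(INVENTORY, AS_OF).items():
        print(f"{k}: {val}")
```

On the constructed inventory the queue puts the one open high-risk finding first even though its CVSS is lower than an open CVSS 8.8 finding, which is the point of the high-risk-first strategy: ordering by exploitability, not by raw score. The summary reports two of three high-risk findings closed and two of seven findings closed within 30 days; swap in a real export and the same code gives the figures the report discusses for your own estate.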

News in Depth

This second volume of the Prioritization to Prediction report builds upon research that Kenna Security and Cyentia Institute conducted in the spring of 2018. That effort analyzed all of the defined vulnerabilities with CVE numbers in the MITRE database to provide a top-down look at the state of the global vulnerability landscape and quantify the theoretical effectiveness of remediation strategies.

That original report found that an extremely small subset of known vulnerabilities is ever exploited in the wild. Companies, however, did not have reliable methods to predict which vulnerabilities, when announced, were at high risk of exploitation. It made the case that most remediation strategies were about as effective as random chance. It also showed how risk-based remediation strategies driven by machine learning could make accurate predictions and increase the efficiency of security operations by reducing the amount of time spent patching low-risk vulnerabilities.

The data analyzed in this most recent report was pulled from the Kenna Security Platform, a cloud-based vulnerability management system used by some of the world’s largest enterprises. The platform integrates data from every vulnerability scanner on the market. Prioritization to Prediction: Getting Real About Remediation moves beyond theoretical remediation effectiveness to reveal the actual results of vulnerability remediation strategies within real-world enterprise environments. Kenna Security and Cyentia Institute looked to answer three main questions:

  1. What proportion of vulnerabilities are observed and open across 500+ organizations and 3+ billion assets?
  2. How comprehensive and efficient are organizational vulnerability remediation practices in reality?
  3. How long does it take to remediate vulnerabilities across the network? Does time-to-remediate differ among firms?

The answers to these and other questions provide a never-before-seen look at the vulnerability remediation practices, timelines, and outcomes in the modern enterprise. These insights can be applied to business remediation strategies to help organizations understand how to begin prioritizing the 15.6 percent of vulnerabilities that will ultimately reduce the greatest amount of risk for their organization.

Supporting Quotes

Jay Jacobs, data scientist, co-founder and partner, Cyentia Institute

“Kenna’s data demonstrates a much brighter picture for enterprise security. Despite the seemingly countless number of vulnerabilities that every company faces, data-driven security can help organizations effectively manage cyber risk and improve security.”

Cyentia Institute

The Cyentia Institute is a Virginia-based research services firm that exists to advance cybersecurity knowledge and practice through use-inspired, data-driven research. Cyentia curates and publishes research for the community, partners with other organizations to create compelling publications and helps enterprises turn complex security data into confident strategic decisions.

About Kenna Security

Kenna Security is a leader in predictive cyber risk. The Kenna Security Platform enables organizations to work cross-functionally to determine and remediate cyber risks. Kenna leverages Cyber Risk Context Technology™ to track and predict real-world exploitations, focusing security teams on what matters most. Headquartered in San Francisco, Kenna counts among its customers many Fortune 100 companies, and serves nearly every major vertical.

###

Media & Analyst Contact:
Matt McLoughlin
Gregory FCA for Kenna Security
Phone: 610-228-2123
Email: matt@gregoryfca.com