Companies Leave Vulnerabilities Unpatched for up to 120 Days, Kenna Security Finds
Share with Your Network
SAN FRANCISCO, CA–(Marketwired – Sep 29, 2015) – Kenna, a risk and vulnerability intelligence platform, today released its report, “The Remediation Gap: Why Companies Are Losing the Battle Against Non-targeted Attacks,” which studied the proliferation of non-targeted attacks and companies’ ability to mitigate these threats through the timely remediation of security vulnerabilities in their software and network devices. Kenna analyzed 50,000 organizations, 250 million vulnerabilities, and over one billion breach events from January 2014 through September 2015, and found that companies are regularly leaving vulnerabilities open for longer than it takes attackers to exploit them.
Unlike more widely publicized Advanced Persistent Threats, non-targeted attacks pose a much different challenge for security organizations. Rather than targeting a specific company, attackers attempt to exfiltrate valuable data from as many companies as possible, relying on automated tools and techniques to scale their attacks and exploit commonly found vulnerabilities. The recent discovery of the Heartbleed vulnerability in the OpenSSL brought this to the forefront as a threat that exploited multiple targets at once.
“The public has grown plenty familiar with hackers seeking out a specialized target, such as Ashley Madison. But automated, non-targeted attacks still remain the most significant threat to businesses of all sizes,” said Karim Toubba, CEO of Kenna. “Every company has data that hackers want to get their hands on, but security teams remain one step behind their adversaries. Security teams need to move quickly to remediate critical vulnerabilities, but they don’t have the tools needed to keep pace with hackers.”
Key findings from the “The Remediation Gap” report include:
- Automated attacks are on the rise: There have been over 1.2 billion successful exploits witnessed in 2015 to date, compared to 220 million successful exploits witnessed in 2013 and 2014 combined — an increase of 445 percent.
- Remediation takes time: Despite the best intentions, most companies take an average of 100-120 days to remediate found vulnerabilities. However, many companies have critical vulnerabilities that go unpatched altogether.
- Exploitation is almost guaranteed: The probability of a vulnerability being exploited hits 90 percent between 40-60 days after discovery, indicating that the length of time a company has to react to vulnerabilities before attackers strike is within 40-60 days of release for well-known vulnerabilities. This creates a remediation gap, or time that a vulnerability is most likely to be exploited before it is closed, of nearly 60 days.
The report also profiles a sampling of significant vulnerabilities that are frequently left unclosed, but remain popular targets for hackers, demonstrating that remediation is often prioritized by which vulnerabilities are top of mind for security teams, rather than by which vulnerabilities are most likely to be exploited or could cause the most damage.
The ease and speed at which hackers can conduct non-targeted attacks make them a ubiquitous threat to all companies. Businesses cannot rely solely on manual techniques to combat automated attacks, but should seek automated methods that leverage computational models and algorithms to prioritize remediation based on actual risk.
“Companies will continue to face the cold reality that throwing people at the problem is no longer sufficient for remediating vulnerabilities and combatting the sheer volume of automated attacks,” said Toubba. “They need solutions that are as automated as the attacks that continue to hammer them — fixing vulnerabilities manually is no longer possible in the ‘new normal.'”
To download and view the complete report, please visit: https://www.kennasecurity.com/resources/non-targeted-attacks-report
Kenna is a software-as-a-service risk and vulnerability intelligence platform that accurately measures risk and prioritizes remediation efforts before an attacker can exploit an organization’s weaknesses. Kenna accomplishes this by automating the correlation of customer vulnerability data, threat data, and 0-day data, analyzing security vulnerabilities against active Internet breaches. For more information, visit kennasecurity.com.