More Resources Don’t Lead to Better or Faster Vulnerability Management, Kenna Security report finds

Mar 12, 2019

Share with Your Network

Research conducted by Kenna Security and Cyentia Institute reveals industry benchmark for patching strategy

SAN FRANCISCO, Calif., March 12, 2019

Ed Bellis, CTO at Kenna Security

“This research shows that the playbook for patching vulnerabilities varies widely by industry and the complexity of an organization. The quickest industries, on average, patch vulnerabilities four to five times faster than the slowest. However, the velocity at which they remediate vulnerabilities doesn’t always correlate directly to their security posture. This report offers a rare view into the ways organizations and their industry peers address security, enabling them to benchmark their own practices.”

News Summary

Kenna Security, a leader in predictive cyber risk, today released Prioritization to Prediction, Volume 3: Winning the Remediation Race, showing that bigger companies aren’t necessarily better at patching security holes.

In its research, Kenna found that companies, on average, have the ability to close about one out of every ten vulnerabilities. This remarkably strong correlation stays constant as firms grow, demonstrating that, on average, cybersecurity teams cannot increase their rate of remediation with the available tools.

This finding is most clear for large organizations in which, on average, it takes 254 days to remediate 75 percent of high-risk vulnerabilities, while small organizations typically accomplish this in 59 fewer days. However, top performing companies are remediating one in four vulnerabilities, outperforming the mean and patching 2.5 times more vulnerabilities than the average organization.

The most recent report also found that:

  • There is a noticeably shorter survival time for exploited vulnerabilities, compared to vulnerabilities with no known exploits.
  • For larger organizations, the 50 percent to 75 percent interval for closing vulnerabilities with no known exploits is extremely long, suggesting that these organizations have accepted their lack of capacity to fix everything and have instead shifted resources to address high risk vulnerabilities.
  • Firms patched half of all vulnerabilities in Microsoft software within 37 days. It took 15 times longer to address vulnerabilities affecting Oracle, HP, and IBM products. Moving from 50 percent to 75 percent remediation takes multiple years for several vendors.
  • Organizations are getting better at prioritizing critical vulnerabilities. Companies patched 50 percent of their high-risk vulnerabilities within 62 days. Top performing companies put through half of all high priority patches within 31 days, and 75 percent of them within 98 days.
  • Comparing the total volume of high-risk vulnerabilities against the number of vulnerabilities each organization remediated per month, 33 percent of the organizations are gaining ground by remediating more vulnerabilities than were discovered.
  • Roughly 17 percent of organizations are maintaining pace with new high-risk vulnerabilities, while 50 percent of organizations are falling behind, remediating fewer vulnerabilities than the volume of high-risk vulnerabilities discovered per month.

News in Depth

Produced in conjunction with the Cyentia Institute, the third volume of Kenna’s Prioritization to Prediction series, explores and analyzes the vulnerability management landscape. It uses data from the Kenna Security Platform to conduct a granular, in-depth analysis of the behavior and safety of more than 300 organizations.

The research builds on two previous Prioritization to Prediction reports. The first, Prioritization to Prediction: Analyzing Vulnerability Remediation Strategies, showed that the most common vulnerability remediation strategies used by large enterprises were about as effective as random chance. That’s because just two percent of vulnerabilities are ever deployed in an attack. That report further made the case that predicting the likelihood that a vulnerability would be exploited was an effective method of prioritization.

For the second report, Prioritization to Prediction: Getting Real About Remediation, researchers from Kenna Security and Cyentia Institute analyzed 3 billion vulnerabilities managed across 12 organizations and 55 sources of external intelligence. The research provided an unprecedented look at the size and scope of cybersecurity challenges at major companies. The results showed the companies had remediated more than 2 billion vulnerabilities on their systems, 544 million of which were deemed “high-risk.” Those results indicated that companies had the resources to drastically improve security, provided they had a method to identify high risk vulnerabilities.

Supporting Quotes

Jay Jacobs, data scientist, co-founder and partner, Cyentia Institute

“For this report, we analyzed real-world vulnerability management strategies from hundreds of organizations. We found that it is possible to get ahead of new high-risk vulnerabilities over time. Of course, that outcome depends on whether organizations have the information to prioritize those vulnerabilities for remediation.”

Scott Crawford, Research Director, Information Security, 451 Research

“Data science and machine learning are already making significant contributions to the cybersecurity industry. CISOs and operations teams alike have an unprecedented opportunity to derive intelligence from these techniques to refine and evolve remediation strategies and improve their organizations’ risk profiles. The Prioritization to Prediction series capitalizes on these advances, giving practitioners a more detailed and objective view of vulnerability management strategies.”

Additional Resources

Cyentia Institute

The Cyentia Institute is a Virginia-based research services firm that exists to advance cybersecurity knowledge and practice through use-inspired, data-driven research. Cyentia curates and publishes research for the community, partners with other organizations to create compelling publications and helps enterprises turn complex security data into confident strategic decisions.

About Kenna Security

Kenna Security is a leader in predictive cyber risk. The Kenna Security Platform enables organizations to work cross-functionally to determine and remediate cyber risks. Kenna leverages Cyber Risk Context Technology™ to track and predict real-world exploitations, focusing security teams on what matters most. Headquartered in San Francisco, Kenna counts among its customers many Fortune 100 companies, and serves nearly every major vertical.


Media & Analyst Contact:
Matt McLoughlin
Gregory FCA for Kenna Security
Phone: 610-228-2123



© 2022 Kenna Security. All Rights Reserved. Privacy Policy.