New Kenna Security Research Validates Efficacy of Automated Patching, Provides a Playbook for CISOs

Apr 21, 2020

Share with Your Network

SAN FRANCISCO, Calif., April 21, 2020 — Kenna Security, the enterprise leader in risk-based vulnerability management, has released new research that quantifies, for the first time, the comparative risk surface of using assets based on Microsoft, Apple, Linux, or Unix platforms, as well as network devices. The research found that asset mix plays a key role in determining the number of security vulnerabilities an organization has to contend with every month and its ability to minimize cyber risk.

“This research sheds light on some of the big questions in enterprise environments and vulnerability management. Are some assets riskier than others?” said Ed Bellis, co-founder and CTO at Kenna Security. “Some assets have fewer vulnerabilities. Some assets receive lightning-fast patches. These groups don’t really overlap. The data we’re sharing can help enterprise IT and security better decide how to prioritize asset-based risk in their own environments.”

For example, 70 percent of all Microsoft assets in enterprise IT environments had at least one high-risk vulnerability, but Microsoft products tended to be patched faster than other systems because of the company’s steady cadence of automated patches. A Windows-based asset has an average of 119 vulnerabilities per month. Those vulnerabilities are patched within 36 days on average. For comparison, network devices like routers, printers, or Internet of Things appliances had an average of 3.6 vulnerabilities every month, but it takes an average of one year to fix them. 

The research, Prioritization to Prediction, Volume 5: In Search of Assets at Risk, was conducted by the Cyentia Institute using Kenna Security data from 9 million assets at 450 organizations. Half of the organizations in the sample manage more than 800 active assets, but 10 percent manage over 35,000, and some manage more than 1 million. In more than half of the organizations, Windows 10 PCs comprised at least 85 percent of assets in use.

Despite higher patch rates, the sheer number of Microsoft machines leads to large numbers of unpatched vulnerabilities on those networks. In the study period, researchers found a combined 215 million vulnerabilities on Microsoft machines, 179 million of which were patched. The remaining 36 million unpatched vulnerabilities on Microsoft machines exceeds the total number of vulnerabilities – patched or unpatched – found on Mac, Linux, Unix, or network devices combined, despite the fact that Microsoft assets were patched at a higher rate than all other asset classes. 

Apple devices using OSX had the second-highest critical patch rate of all asset classes, at 79 percent. Just two-thirds of high-risk vulnerabilities on Linux, Unix, or network devices were patched.

“With automated patching and “Patch Tuesdays,” the speed at which Microsoft is able to fix critical vulnerabilities on their systems is remarkable, but there still tend to be a lot of them,” Wade Baker, partner and founder at Cyentia Institute. “On the other hand, we see lots of assets like routers and printers where high-risk vulnerabilities have a longer shelf life. Companies need to align their risk tolerance, strategy, and vulnerability management capabilities around these trade-offs.”

Additional Resources

About Kenna Security

Kenna Security is the enterprise leader in risk-based vulnerability management. The Kenna Security Platform enables organizations to work cross-functionally to determine and remediate cyber risks. It leverages machine learning and data science to track and predict real-world exploitations, empowering security teams to focus on what matters most. Headquartered in San Francisco, Kenna serves nearly every major vertical and counts CVS, KPMG, HSBC, and many Fortune 100 companies among its customers.



Media & Analyst Contact: 
Matt McLoughlin
Gregory FCA for Kenna Security
Phone: 609-385-2058

© 2022 Kenna Security. All Rights Reserved. Privacy Policy.