Study claims enterprise vulnerability remediation can take 120 days

A new study by Kenna Security Inc. found that when an enterprise takes on the task of remediating a vulnerability it takes an average of 100 to 120 days to complete that process. Unfortunately, vulnerability weaponization is a much faster process; and worse, many flaws go unpatched.

Kenna analyzed 50,000 organizations, 250 million vulnerabilities and over 1 billion breach events from January 2014 to September 2015. The company found that the likelihood of a vulnerability being exploited hits 90% between 40 and 60 days after discovery.

Karim Toubba, CEO at Chicago-based Kenna Security, noted that the company wanted to ensure its conclusions were correct in this regard and took a somewhat conservative approach to when an enterprise vulnerability was counted as being weaponized.

“For the purposes of our research, we only ‘counted’ a vulnerability as being weaponized once we saw thousands of hits. That told us that the attack was really happening, and that someone was behind it,” Toubba said. “We wanted to be sure, and therefore, we used 10,000 successful attacks as our cutoff. This metric guided us to ensuring that our core insight was correct — that, using the aggregate of the companies in our sample data, we saw exploits happening within 45 days — and that’s a very conservative estimate. It may well be true that vulnerabilities are weaponized much, much faster than that — and we believe they are — but we wanted to set a higher bar for the purposes of our research.”

Jerome Segura, senior security researcher at Malwarebytes Labs in San Jose, Calif., said that his team has seen vulnerabilities weaponized in as little as days or even hours, but warned that the action plan for vulnerability remediation can change based on the severity and distribution method of the vulnerability.

“If a vulnerability allowed remote code execution and a proof of concept for it already exists, then the vendor should reassess its decision. Of course, one should take into account the required steps needed to reproduce that vulnerability, and whether or not this is a likely scenario an attacker could abuse,” Segura said. “In terms of evaluating the actual impact in the wild, it depends on the distribution method. For example, if a new exploit or zero-day is added to an exploit kit, it is clear that there will be an immediate and large amount of users affected.”

All of this applies only to those vulnerabilities that were remediated, though. Toubba said enterprises often have large backlogs of flaws to work through, meaning many never get fixed.

“When our report makes the point that, on average, it takes 100 days to remediate a vulnerability — that’s just for the ones that  do  get fixed,” Toubba said. “It’s not factoring in all of the hundreds of thousands that aren’t being touched by internal security teams.”

Toubba agreed with Segura in saying that prioritizing the most severe vulnerabilities can go a long way in cutting down the gap between remediation and a potential attack. Toubba said one way to help this process is through automation, because Kenna’s study also found that automated attacks rose from 220 million successful exploits in 2013 and 2014 combined to 1.2 billion in 2015 to date.

“The real goal is to automate everything possible. There are more automated approaches to prioritizing and remediating vulnerabilities — approaches as automated as nontargeted attacks themselves,” Toubba said. “InfoSec teams need to challenge themselves to do away with everything that’s manual, and instead evaluate new platforms and resources [that] can help them move at scale.”

Segura said that automating vulnerability remediation is easier said than done, because there are costs both for developers and enterprises.

“Vulnerability remediation is not just a final check that vendors run before shipping out a product or an update, but rather a continuous effort that starts at the software design level with best coding practices and so on,” Segura said. “And patching a flaw can be done in different ways: applying a temporary Band-Aid or going for the root cause. The latter is more time consuming, but more effective. Getting to the right balance between the two is something to strive for in order to provide a fix that will be effective and last.”