When Vulnerability Management Stops Being Polite & Starts Getting Real

In my post in December, “Vulns Will Survive,” I shared some interesting data about the survivability rate of vulnerabilities in the enterprise. At the very end of the post, I promised to share more on what we found in our ongoing research with the Cyentia Institute. Well, I’m happy to tell you that we just released Prioritization to Prediction Volume 2: Getting Real About Remediation.” It offers an unprecedented window into the real-life cybersecurity activities at major companies.

Our first report was a more theoretical look at all of the defined vulnerabilities with CVEs in the National Vulnerability Database. It provided a top-down look at the state of the global vulnerability landscape and quantified the theoretical effectiveness of various remediation strategies. This latest research is a real-world analysis. We analyzed 3 billion vulnerabilities managed across 500+ organizations and 55 sources of external intelligence. We then took a deep dive into the true realities of remediation based on anonymized data from a sample of twelve enterprises. The report details the number of vulnerabilities that sit on organizations’ systems, how long it takes the cybersecurity teams to address the vulnerabilities, and which vendors or products contribute the most vulnerabilities, among other interesting data points.

The results highlight the state of cybersecurity and demonstrate how companies are lowering their risk by getting smarter in what vulnerabilities they remediate.

Some additional findings from the report:

  • Organizations closed 70 percent of the critical vulnerabilities on their systems, but they still aren’t as efficient as they could be.
  • Only one-third of published CVEs were observed in these organizations’ environments. Of those, only five percent had published exploit code associated with them.
  • About one-third (32.3 percent) of vulnerabilities are remediated within 30 days of discovery.
  • Of the ten largest software vendors, three were responsible for 70 percent of open vulnerabilities. Oracle was responsible for one-third of all open vulnerabilities. Java and Acrobat top the list of unpatched products
  • One in four open vulnerabilities (25.7 percent) on clients’ systems were identified and published in the National Vulnerability Database before 2015.


In our previous report with Cyentia, we introduced two important metrics to vulnerability management: coverage and efficiency. In that report we compared many of the theoretical remediation strategies using these new metrics. In this latest installment we were able to measure these in the real world where we were able to highlight a very important point.

Companies are often getting coverage for free.

Or put another way… vulnerability remediation isn’t always about fixing a single vulnerability. Examples often come in the form of a patch that fixes multiple vulnerabilities. That single patch may fix both critical and not-so-critical vulnerabilities. We took the time to analyze some of these organizations’ patching strategies and found overall they were doing pretty well.

How Kenna Security uses this data:

Data is at the heart of what we do. The Kenna Security Platform uses machine learning to help enterprises prioritize which vulnerabilities they should address first. This is important because vulnerabilities take time and resources to patch. Except all vulnerabilities aren’t made equal. As you can see from the research above, only a very small portion of vulnerabilities are ever weaponized with an exploit. There are a whole bunch of other factors that go into which vulnerabilities will become dangerous. The trick is to predict which vulnerabilities that pose the most risk, so that companies can use their resources effectively.

To read the full report, click here