

09:15 AM
Larry Loeb

Enterprises Are Getting Smarter When It Comes to Patching Vulnerabilities: Study

A joint analysis from Kenna Security and the Cyentia Institute finds that enterprises are getting better at patching vulnerabilities, specifically by focusing on critical flaws rather than trying to fix every problem that is published.

Kenna Security has released the second volume of its ongoing analysis into the vulnerability landscape. The report, "Prioritization to Prediction: Getting Real About Remediation," has found that companies appear to have the resources needed to address all of their high-risk vulnerabilities.

The security firm notes that its research demonstrates that enterprises are getting smarter in how they protect themselves from threats, improving operational efficiency and resource allocation, while best managing their risk.

The research builds on Kenna Security's initial "Prioritization to Prediction: Analyzing Vulnerability Remediation Strategies" report to show that companies are increasingly recognizing that the majority of vulnerabilities are never weaponized or exploited in a cyberattack. This initial report looked at which CVE attacks were actually showing up on enterprise computer systems.

That original report found an extremely small subset of known vulnerabilities is exploited in the wild. Companies, however, did not have reliable methods to predict which vulnerabilities, when announced, were at high risk of exploitation. It made the case that most remediation strategies were about as effective as random chance. It also showed how risk-based remediation strategies driven by machine learning could make accurate predictions and increase the efficiency of security operations by reducing the amount of time spent patching low-risk vulnerabilities.

(Source: Pixabay)

Kenna found that only about one-third of all published CVEs are actually observed in live organizational environments. By "observed" they meant that at least one instance of that CVE was detected by a vulnerability scanner, discovered by a penetration test, or otherwise actually seen in an asset managed by a particular organization. In other words, it's reality rather than just theory.

The proportion of observed CVEs varies somewhat with the scope of the analysis. Looking across all time produces the one-third figure: 37k of 108k CVEs (34%) were observed by at least one organization.

Narrowing to the last 10 years of published CVEs pushes that ratio up a bit to just over 40%. When CVEs published since 2017 are considered, researchers found 36% of them observed within organizations.

Twenty-two percent -- or 300-plus million -- of all open vulnerabilities observed by organizations in their dataset were associated with CVEs published in 2018. Interestingly, over 75% remain open at least one year after the associated CVE was published.

This analysis was done by cybersecurity researchers from Kenna Security and Cyentia Institute. They looked at 3 billion vulnerabilities managed across more than 500 organizations and 55 sources of external intelligence. They used anonymized data from a sample of 12 enterprises that were selected to cover a range of industries, sizes, and remediation strategies.

In the new report, the researchers found that:

  • Organizations have closed 70% of the critical vulnerabilities on their systems, but they still aren’t as efficient as they could be. Out of the 544 million high-risk vulnerabilities, organizations remediated 381 million, leaving 163 million open.
  • The data shows that organizations remediated a total of over 2 billion vulnerabilities, indicating that enterprises have the resources to address the vulnerabilities that pose the greatest risk. Kenna says that this can be accomplished by implementing remediation strategies that prioritize resources to tackle all of the 544 million high-risk vulnerabilities first, only moving on to the 2.9 billion lower-risk vulnerabilities afterward.
  • About one-third of all the published CVEs are ever seen in a live environment and, of those, only 5 percent have known exploits against them.
  • About one-third -- 32.3% -- of vulnerabilities are remediated within 30 days of discovery. Half of all vulnerabilities aren’t patched within 90 days.
  • Of the ten largest software vendors, three were responsible for 70 percent of open vulnerabilities. And one of those, Oracle, was responsible for one-third -- Java and Acrobat top the list of unpatched products. Microsoft eats the largest slice of the vulnerability pie in 2018, but has only a tiny sliver before 2015. It's hard to see anything other than Oracle among CVEs from 2012 to 2014, but that predominance lessens over time. Adobe seems to borrow a page from both, expanding and then contracting over the last year.
  • One in four open vulnerabilities -- 25.7% -- within enterprise systems was identified and entered into the National Vulnerability Database before 2015.

Jay Jacobs, data scientist at Cyentia Institute, noted: "Kenna's data demonstrates a much brighter picture for enterprise security. Despite the seemingly countless number of vulnerabilities that every company faces, data-driven security can help organizations effectively manage cyber risk and improve security."

Ed Bellis, co-founder and CTO at Kenna Security, wrote in an email to Security Now:

"Kenna Security analyzed the entire database of CVEs and the threats to those CVEs in the 2018 report. This 2nd edition analyzes the CVEs (vulnerabilities) being observed in our customers' environments, so these vulnerabilities actually exist in those enterprises. They are not just theoretical or definitions of vulnerabilities."

Bellis added: "We recommend that all five percent be prioritized and patched first. An enterprise could further prioritize how those CVEs are remediated based on a range of threat and business factors. For example, the criticality of the systems they reside on, if the vulnerability is being actively used by hackers in the wild, whether the exploit is able to be executed remotely, if the exploit lives in production code, etc."

On trying to determine which of the vulnerabilities should be patched by an enterprise, Bellis noted that "the data set is focused on 'likelihood,' meaning targets of opportunity and not targeted attacks. An organization should conduct threat modeling of their business to determine the latter, but all organizations need to protect themselves from targets of opportunity."
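As an added example (not from the report, and not Kenna's own tooling), the following Python models the two ideas above over a constructed inventory: Bellis's ordering (the known-exploit set first, then asset criticality, active exploitation, remote reach and production exposure) and the remediation measures the report cites (share closed within 30 and 90 days of discovery, share of high-risk items closed, share of still-open items whose CVE has been public for more than a year). The record fields, the 1-to-3 criticality scale and every sample value are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Vuln:
    """One observed vulnerability instance on a managed asset (constructed records)."""
    cve: str                    # placeholder label, not a real CVE number
    published: date             # date the CVE was published
    discovered: date            # date a scanner first observed it in this environment
    remediated: Optional[date]  # None while still open
    known_exploit: bool         # the report's high-risk set: a public exploit exists
    actively_exploited: bool    # seen used in the wild
    remote: bool                # exploitable over the network
    production: bool            # lives in production code
    asset_criticality: int      # 1 (low) to 3 (high); this scale is an assumption

def priority(v: Vuln) -> tuple:
    """Sort key: the known-exploit set always outranks the rest, then the
    secondary factors Bellis names (criticality, active use, remote, production)."""
    return (v.known_exploit, v.asset_criticality, v.actively_exploited, v.remote, v.production)

def patch_queue(vulns: list) -> list:
    """Open vulnerabilities ordered for remediation, highest priority first."""
    open_vulns = [v for v in vulns if v.remediated is None]
    return [v.cve for v in sorted(open_vulns, key=priority, reverse=True)]

def remediation_metrics(vulns: list, as_of: date) -> dict:
    """Speed and coverage measures of the kind the report uses, over one inventory."""
    closed = [v for v in vulns if v.remediated is not None]
    still_open = [v for v in vulns if v.remediated is None]
    high = [v for v in vulns if v.known_exploit]
    return {
        "within_30d": sum((v.remediated - v.discovered).days <= 30 for v in closed) / len(vulns),
        "within_90d": sum((v.remediated - v.discovered).days <= 90 for v in closed) / len(vulns),
        "high_risk_closed": sum(v.remediated is not None for v in high) / max(len(high), 1),
        # share of what is still open whose CVE has been public for more than a year
        "open_over_1y": sum((as_of - v.published).days > 365 for v in still_open) / max(len(still_open), 1),
    }

AS_OF = date(2019, 6, 1)
SAMPLE = [  # constructed inventory, not data from the report
    Vuln("CVE-EXAMPLE-1", date(2018, 1, 10), date(2018, 2, 1), date(2018, 2, 20), True, True, True, True, 3),
    Vuln("CVE-EXAMPLE-2", date(2018, 3, 5), date(2018, 3, 10), date(2018, 7, 1), False, False, True, True, 1),
    Vuln("CVE-EXAMPLE-3", date(2017, 5, 1), date(2018, 1, 15), None, True, False, True, False, 2),
    Vuln("CVE-EXAMPLE-4", date(2019, 4, 1), date(2019, 4, 5), date(2019, 5, 20), False, False, False, True, 3),
    Vuln("CVE-EXAMPLE-5", date(2014, 6, 1), date(2018, 6, 1), None, False, False, False, True, 3),
    Vuln("CVE-EXAMPLE-6", date(2019, 5, 15), date(2019, 5, 16), None, True, True, False, True, 1),
]
```

Calling `patch_queue(SAMPLE)` puts the two open known-exploit items ahead of the older but unexploited one even though the latter sits on a more critical asset, and `remediation_metrics(SAMPLE, AS_OF)` shows how few items close within 30 days of discovery versus 90.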

Kenna is taking a contrarian approach to the usual "patch everything" advice. The research suggests patching what actually affects your enterprise first, and dealing with the rest as resources allow.


— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
