1/22/2019
09:15 AM
Larry Loeb

Enterprises Are Getting Smarter When It Comes to Patching Vulnerabilities – Study

A joint analysis from Kenna Security and the Cyentia Institute finds that enterprises are getting better at patching vulnerabilities, specifically by focusing on critical flaws rather than trying to fix every problem that is published.

Kenna Security has released the second volume of its ongoing analysis into the vulnerability landscape. The report, "Prioritization to Prediction: Getting Real About Remediation," has found that companies appear to have the resources needed to address all of their high-risk vulnerabilities.

The security firm notes that its research demonstrates that enterprises are getting smarter in how they protect themselves from threats, improving operational efficiency and resource allocation, while best managing their risk.

The research builds on Kenna Security's initial "Prioritization to Prediction: Analyzing Vulnerability Remediation Strategies" report to show that companies are increasingly recognizing that the majority of vulnerabilities are never weaponized or exploited in a cyberattack. That initial report looked at which CVEs were actually being attacked on enterprise computer systems.

That original report found an extremely small subset of known vulnerabilities is exploited in the wild. Companies, however, did not have reliable methods to predict which vulnerabilities, when announced, were at high risk of exploitation. It made the case that most remediation strategies were about as effective as random chance. It also showed how risk-based remediation strategies driven by machine learning could make accurate predictions and increase the efficiency of security operations by reducing the amount of time spent patching low-risk vulnerabilities.

Kenna found that only about one-third of all published CVEs are actually observed in live organizational environments. By "observed" they meant that at least one instance of that CVE was detected by a vulnerability scanner, discovered by a penetration test, or otherwise actually seen in an asset managed by a particular organization. In other words, it's reality rather than just theory.

This proportion of observed CVEs varies somewhat depending on the scope of the analysis. Looking across all time yields the one-third statistic: 37k out of 108k CVEs (34%) were observed by at least one organization.

Narrowing to the last 10 years of published CVEs pushes that ratio up a bit to just over 40%. When CVEs published since 2017 are considered, researchers found 36% of them observed within organizations.

Twenty-two percent -- or 300 plus million -- of all open vulnerabilities observed by organizations in their dataset were associated with CVEs published in 2018. Interestingly, over 75% remain open at least one year after the associated CVE was published.

This analysis was done by cybersecurity researchers from Kenna Security and Cyentia Institute. They looked at 3 billion vulnerabilities managed across more than 500 organizations and 55 sources of external intelligence. They used anonymized data from a sample of 12 enterprises that were selected to cover a range of industries, sizes, and remediation strategies.

In the new report, the researchers found that:

  • Organizations have closed 70% of the critical vulnerabilities on their systems, but they still aren’t as efficient as they could be. Out of the 544 million high-risk vulnerabilities, organizations remediated 381 million, leaving 163 million open.
  • The data shows that organizations remediated a total of over 2 billion vulnerabilities, indicating that enterprises have the resources to address the vulnerabilities that pose the greatest risk. Kenna says that this can be accomplished by implementing remediation strategies that prioritize resources to tackle all of the 544 million high risk vulnerabilities first, only moving on to the 2.9 billion lower risk vulnerabilities afterward.
  • About one-third of all the published CVEs are ever seen in a live environment and, of those, only 5 percent have known exploits against them.
  • About one-third -- 32.3% -- of vulnerabilities are remediated within 30 days of discovery. Half of all vulnerabilities aren’t patched within 90 days.
  • Of the ten largest software vendors, three were responsible for 70 percent of open vulnerabilities. And one of those, Oracle, was responsible for one-third -- Java and Acrobat top the list of unpatched products. Microsoft eats the largest slice of the vulnerability pie in 2018, but has only a tiny sliver before 2015. It's hard to see anything other than Oracle among CVEs from 2012 to 2014, but that predominance lessens over time. Adobe seems to borrow a page from both, expanding and then contracting over the last year.
  • One in four open vulnerabilities -- 25.7% -- within enterprise systems was identified and entered into the National Vulnerability Database before 2015.

Jay Jacobs, data scientist at Cyentia Institute, noted: "Kenna's data demonstrates a much brighter picture for enterprise security. Despite the seemingly countless number of vulnerabilities that every company faces, data-driven security can help organizations effectively manage cyber risk and improve security."

Ed Bellis, co-founder and CTO at Kenna Security, wrote in an email to Security Now:

Kenna Security analyzed the entire database of CVEs and the threats to those CVEs in the 2018 report. This 2nd edition analyzes the CVEs (vulnerabilities) being observed in our customers' environments, so these vulnerabilities actually exist in those enterprises. They are not just theoretical or definitions of vulnerabilities.

Bellis added: "We recommend that all five percent be prioritized and patched first. An enterprise could further prioritize how those CVEs are remediated based on a range of threat and business factors. For example, the criticality of the systems they reside on, if the vulnerability is being actively used by hackers in the wild, whether the exploit is able to be executed remotely, if the exploit lives in production code, etc."

On trying to determine which vulnerabilities an enterprise should patch, Bellis noted that "the data set is focused on 'likelihood,' meaning targets of opportunity and not targeted attacks. An organization should conduct threat modeling of their business to determine the latter, but all organizations need to protect themselves from targets of opportunity."
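As an added illustration of the two-stage prioritization Bellis describes (this is not code from Kenna's report or product): a small Python triage that puts CVEs with a known exploit first and orders each tier by the business factors he lists. The weights, the `Vuln` fields and the sample vulnerabilities are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Vuln:
    cve: str
    known_exploit: bool       # an exploit exists for this CVE (the "5 percent")
    exploited_in_wild: bool   # actively used by attackers right now
    remote: bool              # exploitable over the network, no local foothold needed
    asset_criticality: int    # 1 (lab box) .. 5 (crown-jewel system), assumed scale
    in_production: bool       # the vulnerable code runs on a production asset


def risk_score(v: Vuln) -> int:
    """Secondary ordering inside a tier, from the factors Bellis lists.
    Weights are assumptions for this example, not values from the report."""
    score = v.asset_criticality              # 1..5
    score += 4 if v.exploited_in_wild else 0  # in-the-wild use weighs most
    score += 3 if v.remote else 0
    score += 2 if v.in_production else 0
    return score


def remediation_queue(vulns):
    """Tier 1: CVEs with a known exploit, patched first regardless of score.
    Tier 2: everything else. Highest risk_score first within each tier;
    ties are broken by CVE id so the order is deterministic."""
    return sorted(vulns, key=lambda v: (not v.known_exploit, -risk_score(v), v.cve))


# Constructed sample data with placeholder CVE ids (not from the report)
SAMPLE = [
    Vuln("CVE-EXAMPLE-1", False, False, True, 5, True),   # high-value host, no exploit known
    Vuln("CVE-EXAMPLE-2", True, True, True, 3, True),     # exploited in the wild, remote
    Vuln("CVE-EXAMPLE-3", True, False, False, 2, False),  # exploit exists, low-value lab box
    Vuln("CVE-EXAMPLE-4", False, False, False, 1, False), # neither exploit nor exposure
]

if __name__ == "__main__":
    for v in remediation_queue(SAMPLE):
        tier = 1 if v.known_exploit else 2
        print(f"tier {tier}  score {risk_score(v):2d}  {v.cve}")
```

Note that CVE-EXAMPLE-3 (score 2) is queued ahead of CVE-EXAMPLE-1 (score 10): the existence of an exploit outranks asset value, which is exactly the "patch the five percent first" rule.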

Kenna is taking a contrarian approach to the usual "patch everything" advice. The research suggests patching what actually affects your enterprise first, and then dealing with the rest when you get to it.


— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
