Kenna Security and Cyentia Institute Research Report Assesses the Effectiveness, Efficiency and Effort of Today’s Enterprise Remediation Strategies
Karim Toubba, CEO, Kenna Security
“Effective remediation depends on quickly determining which vulnerabilities warrant action and which of those have highest priority, but prioritization remains one of the biggest challenges in vulnerability management. Businesses can no longer afford to react to cyber threats, as the research shows that most common vulnerability remediation strategies are about as effective as rolling dice. But there is hope – a predictive model based on cutting-edge data science is more efficient, requires less effort, and provides better coverage of an enterprises’ attack surface.”
Kenna Security, a leader in predictive cyber risk, today unveiled a new research report it conducted in partnership with the Cyentia Institute that provides an industry-first analysis of today’s common vulnerability management strategies. The research report, Prioritization to Prediction: Analyzing Vulnerability Remediation Strategies, includes deep insights into vulnerability lifecycles, the key factors that influence the remediation and prevention of vulnerabilities, and the effectiveness of various vulnerability remediation strategies used to prioritize enterprise cyber security efforts.
Kenna Security and Cyentia Institute analyzed five years of historical vulnerability data compiled from over 15 sources to uncover the key findings in the report:
- The Volume and Velocity of Vulnerabilities Is Rapidly Increasing: In 2017, businesses had to decide how to address an average of 40 new vulnerabilities every single day (including weekends). 2017 saw the highest number of year-over-year entries in the database, more than doubling the entries in 2016, and 2018 is trending to match or exceed those numbers.
- Most Reported Vulnerabilities Aren’t Used by Hackers: Businesses need to find the needle in an ever-growing haystack, the vulnerabilities that pose the greatest risk. Out of the thousands of new vulnerabilities published every year, the vast majority (77 percent) never have exploits developed, and even fewer (less than 2 percent) are actively used in an attack.
- Speed Must Be a Priority: The greatest number of exploits are published in the first months after a vulnerability is released and 50 percent of exploits publish within two weeks of a new vulnerability, meaning that businesses realistically only have 10 working days to find and fix the riskiest vulnerabilities.
- Don’t Leave Remediation Efforts to Chance: Most current approaches to prioritizing and fixing vulnerabilities are roughly as effective or far less effective than addressing vulnerabilities at random. Researchers compared 15 different remediation strategies against a strategy of fixing vulnerabilities at random to provide a point of reference that illustrates the effectiveness of each strategy. More than half of the strategies were no more effective than chance
- A Predictive Approach to Vulnerability Prioritization: Researchers then analyzed the effectiveness of Kenna’s machine learning-based predictive model and found that it performs 2-8 times more efficiently, with equivalent or better coverage of vulnerabilities when compared against the 15 strategies assessed in the research.
Jay Jacobs, data scientist, co-founder and partner, Cyentia Institute
“Cyentia is committed to delivering data-driven research to help the practitioners and decision-makers responsible for protecting an enterprise’s assets, which average 18-24 million vulnerabilities across 60,000 assets. Partnering with leading cybersecurity industry vendors like Kenna Security to track published exploits and actively exploited vulnerabilities enables us to measure, compare and explore various prioritization methods and advance the art and science of vulnerability management.”
Jon Oltsik, senior principal analyst, Enterprise Strategy Group (ESG)
“In the past, we used analog tuning to define which systems were considered mission-critical, but this didn’t provide a level of useful granularity. Fast forward to 2018, and risk-based intelligent vulnerability management platforms, including Kenna, can now consume terabytes of configuration data, asset data, vulnerability data, and threat intelligence to create a fine-grained analysis of which systems really need immediate patching against current threats. Now these systems are moving beyond real-time assessments by forecasting weaponization and risk well before an attack is possible. This proactive approach can provide insight and help organizations anticipate attacker behavior.”
- View the Executive Summary and download the report, Prioritization to Prediction:Analyzing Vulnerability Remediation Strategies
- Read Don’t Leave Vulnerability Management to Chance, on the Kenna Security Blog.