Should enterprises delay efforts to remediate most vulnerabilities?

Companies today appear to have the resources needed to address all of their high-risk vulnerabilities. The research demonstrates that companies are getting smarter in how they protect themselves from today’s cyber threats, improving operational efficiency and resource allocation, while best managing risk.

delay patching

Cybersecurity researchers from Kenna Security and Cyentia Institute analyzed 3 billion vulnerabilities managed across 500+ organizations and 55 sources of external intelligence. They then took a deep dive into the realities of remediation using anonymized data from a sample of 12 enterprises that were selected to cover a range of industries, sizes, and remediation strategies.

They found that:

  • Organizations have closed 70 percent of the critical vulnerabilities on their systems, but they still aren’t as efficient as they could be. Out of the 544 million high-risk vulnerabilities, organizations remediated 381 million, leaving 163 million open.
  • The data shows that organizations remediated a total of over 2 billion vulnerabilities, indicating that enterprises have the resources to address the vulnerabilities that pose the greatest risk. This can be accomplished by implementing remediation strategies that prioritize resources to tackle all of the 544 million high risk vulnerabilities first, only moving on to the 2.9 billion lower risk vulnerabilities afterward.

“In our ongoing mission to apply the tenets of data science to cybersecurity, we have begun to benchmark the realities of vulnerability remediation strategies. We’ve found that remediating the riskiest vulnerabilities is within reach for many organizations. Despite recent high-profile data breaches, our findings show that enterprises can and should delay efforts to remediate a majority of vulnerabilities, which often number in the millions. Most vulnerabilities pose little to no danger of being exploited. That means companies can prioritize their resources to tackle the five percent of threats that pose the greatest risk,” said Ed Bellis, CTO at Kenna Security.

delay patching

Additional key findings include:

  • About one-third of all the published CVEs are ever seen in a live environment and, of those, only 5 percent have known exploits against them.
  • About one-third (32.3 percent) of vulnerabilities are remediated within 30 days of discovery. Half of all vulnerabilities aren’t patched within 90 days.
  • Of the ten largest software vendors, three were responsible for 70 percent of open vulnerabilities. And one of those, Oracle, was responsible for one-third. Java and Acrobat top the list of unpatched products.
  • One in four open vulnerabilities (25.7 percent) on enterprise systems was identified and entered into the National Vulnerability Database before 2015.

“Despite the seemingly countless number of vulnerabilities that every company faces, data-driven security can help organizations effectively manage cyber risk and improve security,” said Jay Jacobs, data scientist, Cyentia Institute.