Tripwire evaluated how organizations are managing vulnerability risks and found that more than one in four (27 percent) globally have been breached as a result of unpatched vulnerabilities, with an even higher rate in Europe (34 percent).
Vulnerability management starts with visibility of the attack surface, and Tripwire’s report found that 59 percent of global organizations are able to detect new hardware and software on their networks within minutes or hours. However, this is a difficult manual effort for many; almost half (47 percent) report that less than half of their assets are discovered automatically, including 13 percent who don’t even use automatic discovery solutions.
“Finding vulnerabilities is just a part of an effective vulnerability management program,” said Tim Erlin, vice president of product management and strategy at Tripwire. “It’s important for organizations to focus on building a program instead of deploying a tool. Vulnerability management has to include asset discovery, prioritization, and remediation workflows in order to be effective at reducing risk.”
In assessing the attack surface for vulnerabilities, 88 percent of cybersecurity professionals said they run vulnerability scans, but the research found that organizations address vulnerabilities with varying degrees of effectiveness.
Compared with a past report, the use of authenticated scans has improved, with 63 percent saying they conduct authenticated scans as part of their vulnerability assessment. Despite this progress, more than one-third (39 percent) are still not scanning weekly – or more often – as recommended by industry standards.
Erlin added: “How you assess your environment for vulnerabilities is important if you want to effectively reduce your risk. If you are not doing authenticated vulnerability scans, or not using an agent, then you are only giving yourself a partial picture of the vulnerability risk in your environment. And if you’re not scanning for vulnerabilities frequently enough, you’re missing new vulnerabilities that have been discovered, and you may miss assets that tend to go on and off the network, like traveling laptops.”
The ability to reduce vulnerability risks varies among organizations. According to Tripwire’s report, 16 percent of U.S. organizations said they only conduct vulnerability scans to meet compliance or other requirements. This rate was higher for European organizations, at 21 percent.
“Meeting a regulation or compliance requirement does not necessarily mean you’ve effectively managed your security risk,” Erlin concluded. “Compliance requirements are most often about protecting someone other than your organization. That might be the consumer or credit card companies or another entity. Securing your business requires that you define an acceptable level of risk and manage to that target.”
Fifty percent of cybersecurity professionals said they conduct vulnerability scans to reduce risk, but only have the bandwidth to focus on high-severity vulnerabilities. Nearly all respondents indicated that constraints like people and processes (78 percent) and budget (65 percent prevent them from addressing all of the vulnerabilities they want to tackle.