The importance of effective vulnerability remediation prioritization
Too many organizations have yet to find a good formula for prioritizing which vulnerabilities should be remediated immediately and which can wait.
According to the results of a recent Tenable research aimed at discovering why some flaws go unpatched for months and years, vulnerabilities with exploits show roughly the same persistence as those with no available exploit.
“Defenders are still operating as though all vulnerabilities have the same likelihood of exploitation,” says Lamine Aouad, Staff Research Engineer at Tenable.
The research has also revealed that:
- In organizations that have remediated at least one instance of a vulnerability, nearly one-third of all detected vulnerabilities remain open after a year, and over one-quarter are never remediated – and the percentages are similar for vulnerabilities with exploits
- It takes organizations a median of 29 days to assess the existence of a vulnerability in their environment and a median of 40 days to remediate all instances of it
- The most persistent vulnerabilities are:
- Client-side vulnerabilities
- Vulnerabilities in difficult-to-update/upgrade software
- Vulnerabilities with larger affected software lists
“The more operating systems and product versions a vulnerability affects, the harder it is to fix, leading to persistence. A larger list of CPEs would also reflect a bigger volume of assets in many cases and consequently a higher difficulty to remediate comprehensively by just sheer volume,” Aouad told Help Net Security.
“CVE-2018-8353, CVE-2018-8355 and CVE-2018-8373 are remote memory-corruption vulnerabilities, affecting multiple versions of Internet Explorer, which could allow remote attackers to execute arbitrary code. Their persistence is most likely related to the list of CPEs or affected software configurations.”
Only 5.5 percent of organizations remediate more vulnerabilities than they discover during a given timeframe, Tenable found.
Whether for the lack of resources, effective remediation processes, or simply the staggering amount of newly disclosed vulnerabilities, most organizations cannot keep up with the flow of vulnerabilities they assess in their environment.
Finding the right approach to vulnerability remediation prioritization
Effective vulnerability remediation prioritization is important, but using vulnerabilities’ CVSS scores as the basis for making decisions is not a good choice, as it does not reflect the risk a vulnerability poses to the organization.
CVSS scores can be one element of an effective prioritization formula, but organizations must also take into consideration factors such as whether a vulnerability:
- Is actively exploited
- Is prevalent in their environment and widely present in other organizations’ environments
- Affects critical assets within their environment
- Is targeted via existing attacker toolkits, etc.