by Karim Toubba, CEO, Kenna Security
While there is no shortage of strategies, best practices, industry recommendations and white papers on the topic of vulnerability remediation, there is a shocking lack of quantitative research on how effective vulnerability prioritization and remediation strategies actually are in practice.
As a result, prioritization remains one of the biggest challenges in vulnerability management: effective remediation depends on quickly determining which vulnerabilities warrant action at all, and which of those should be fixed first.
Looking to address this information gap (and to test the effectiveness of our own predictive models), we reached out to Wade Baker and Jay Jacobs, founders of the Cyentia Institute and two of the most brilliant minds in data analytics, to partner with Kenna Security and assess the current state of vulnerability remediation.
Kenna provided half a decade's worth of our vulnerability data, encompassing millions of data points from more than a dozen sources, including threat intelligence feeds, real-time exploit activity and context provided by the Kenna Security Platform.
The results of this research can be reviewed in the new report, Prioritization to Prediction: Analyzing Vulnerability Remediation Strategies. For the first time, Kenna Security and the Cyentia Institute provide a quantitative look at the effectiveness of common remediation strategies and use that data as a baseline against which to compare a cutting-edge predictive model.
The full report provides deep insights into vulnerability lifecycles and the key factors that influence the remediation and prevention of vulnerabilities, and it quantifies the effectiveness of the various remediation strategies enterprises use to prioritize their cybersecurity efforts.
Key Findings in the Report
The Volume and Velocity of Vulnerabilities Is Rapidly Increasing
In 2017, businesses had to decide how to address an average of 40 new vulnerabilities every single day, weekends included. Between its inception in 1999 and January 1, 2018, more than 120,000 identifiers were reserved in MITRE's Common Vulnerabilities and Exposures (CVE) list, in which each entry for a publicly known cybersecurity vulnerability carries an identification number, a description and at least one public reference. 2017 saw the highest number of entries in the list's history, more than double the count for 2016, and 2018 is trending to match or exceed those numbers.
Most Reported Vulnerabilities Aren’t Used by Hackers
Businesses need to find the needle in an ever-growing haystack: the vulnerabilities that pose the greatest risk. Of the thousands of new vulnerabilities published every year, the vast majority (77 percent) never have an exploit developed at all, and only a small fraction (less than two percent) are actually used in attacks. That means most enterprises today are spending valuable time and resources guessing which two percent that is, and hoping the vulnerabilities they choose to fix are the right ones.
Speed Must Be a Priority
Exploits cluster tightly around disclosure. Half of all exploits (50 percent) are published within two weeks of the CVE, and a further 13 percent appear between two weeks and one month, so 63 percent of exploits exist by the end of the first month after a vulnerability is made public. Only 1 percent emerge more than a year later. Realistically, then, businesses have about 10 working days to find and fix the vulnerabilities most likely to be exploited.
Don’t Leave Remediation Efforts to Chance
Most current approaches to prioritizing and fixing vulnerabilities are roughly as effective as, or far less effective than, addressing vulnerabilities at random. The researchers compared 15 different remediation strategies against a baseline of fixing the same number of vulnerabilities chosen at random, which gives a point of reference for the effectiveness of each strategy. More than half of the strategies were no more effective than leaving remediation to chance.
For example, the researchers evaluated a strategy of remediating every CVE from the 20 enterprise software vendors with the highest number of CVEs. Of the 56,188 CVEs that strategy selects purely because of their vendor, the efficiency (the precision of remediation: the share of remediated CVEs that were actually exploited) was 12 percent and the coverage (the effectiveness of remediation: the share of exploited CVEs that were remediated) was 21 percent. Randomly remediating the same number of CVEs, 56,188, is nearly twice as efficient, at 23 percent, and delivers exactly twice the coverage, at 42 percent.
A Predictive Approach to Vulnerability Prioritization
The researchers then analyzed the effectiveness of Kenna's machine learning-based predictive model and found that it performs 2 to 8 times more efficiently, with equivalent or better coverage, than the 15 strategies assessed in the research. For example, against one of the most effective conventional strategies, remediating every vulnerability with a CVSS score of 7 or higher, the Kenna Exploit Prediction model achieved:
- Twice the efficiency – 61% vs. 31%
- Half the effort – 19K vs. 37K CVEs to address
- Better coverage – 62% vs. 53%
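The efficiency and coverage figures quoted above (for the top-20-vendor strategy, the CVSS-7-or-higher strategy, the random baseline and the predictive model) are all the same two metrics computed over a list of CVEs with a known exploitation outcome. The following Python is an added example, not code from the report, from Cyentia or from the Kenna platform. It generalizes the comparison to any strategy expressed as a predicate over a CVE record: the CVE identifiers, CVSS scores, vendor names, "exploit_score" values and exploited flags in `SAMPLE_CVES` are constructed for illustration, and `exploit_score` stands in for the output of an assumed predictive model rather than Kenna's actual model.

```python
"""Efficiency (precision) and coverage (recall) of remediation strategies.

Added example, not code from the report or the Kenna platform. All CVE
records below are CONSTRUCTED: made-up identifiers, scores, vendors and
exploit-model outputs.
"""
import random
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class CVE:
    cve_id: str           # constructed placeholder, not a real CVE identifier
    cvss: float           # CVSS base score
    vendor: str           # constructed vendor name
    exploit_score: float  # assumed output of a predictive model, 0..1
    exploited: bool       # ground truth: the vulnerability was actually exploited


Strategy = Callable[[CVE], bool]

# Constructed sample data. Deliberately, a high CVSS score does not line up
# well with exploitation here, which is the situation the report describes.
SAMPLE_CVES: List[CVE] = [
    CVE("CVE-0000-0001", 9.8, "VendorA", 0.90, True),
    CVE("CVE-0000-0002", 9.8, "VendorA", 0.30, False),
    CVE("CVE-0000-0003", 7.5, "VendorA", 0.10, False),
    CVE("CVE-0000-0004", 7.2, "VendorB", 0.20, False),
    CVE("CVE-0000-0005", 8.1, "VendorB", 0.15, False),
    CVE("CVE-0000-0006", 5.3, "VendorB", 0.70, True),
    CVE("CVE-0000-0007", 6.5, "VendorC", 0.45, True),
    CVE("CVE-0000-0008", 4.3, "VendorC", 0.05, False),
    CVE("CVE-0000-0009", 9.1, "VendorC", 0.55, False),
    CVE("CVE-0000-0010", 7.8, "VendorD", 0.80, True),
    CVE("CVE-0000-0011", 3.1, "VendorD", 0.02, False),
    CVE("CVE-0000-0012", 5.0, "VendorE", 0.10, False),
    CVE("CVE-0000-0013", 6.0, "VendorA", 0.05, False),
    CVE("CVE-0000-0014", 4.0, "VendorB", 0.10, False),
]


def evaluate(cves: List[CVE], select: Strategy) -> Dict[str, float]:
    """Score one strategy.

    effort     = number of CVEs the strategy tells you to remediate
    efficiency = exploited CVEs remediated / CVEs remediated    (precision)
    coverage   = exploited CVEs remediated / all exploited CVEs (recall)
    """
    chosen = [c for c in cves if select(c)]
    hits = sum(1 for c in chosen if c.exploited)
    exploited_total = sum(1 for c in cves if c.exploited)
    return {
        "effort": len(chosen),
        "efficiency": hits / len(chosen) if chosen else 0.0,
        "coverage": hits / exploited_total if exploited_total else 0.0,
    }


def cvss_at_least(threshold: float) -> Strategy:
    """Remediate everything at or above a CVSS base score."""
    return lambda c: c.cvss >= threshold


def top_vendors(cves: List[CVE], n: int) -> Strategy:
    """Remediate everything from the n vendors with the most CVEs."""
    counts: Dict[str, int] = {}
    for c in cves:
        counts[c.vendor] = counts.get(c.vendor, 0) + 1
    top = {v for v, _ in sorted(counts.items(), key=lambda kv: -kv[1])[:n]}
    return lambda c: c.vendor in top


def predicted_above(threshold: float) -> Strategy:
    """Remediate everything whose predicted exploit score clears a bar."""
    return lambda c: c.exploit_score >= threshold


def random_baseline(cves: List[CVE], effort: int, seed: int = 0) -> Strategy:
    """One concrete random draw of `effort` CVEs: remediation left to chance."""
    picked = {c.cve_id for c in random.Random(seed).sample(cves, effort)}
    return lambda c: c.cve_id in picked


def random_expected(cves: List[CVE], effort: int) -> Dict[str, float]:
    """Expected score of the random baseline, free of sampling noise.

    Efficiency converges to the base rate of exploited CVEs and coverage to
    the fraction of all CVEs you chose to fix, whatever their content.
    """
    exploited_total = sum(1 for c in cves if c.exploited)
    return {"effort": effort,
            "efficiency": exploited_total / len(cves),
            "coverage": effort / len(cves)}


if __name__ == "__main__":
    effort = evaluate(SAMPLE_CVES, cvss_at_least(7.0))["effort"]
    rows = {"CVSS >= 7.0": evaluate(SAMPLE_CVES, cvss_at_least(7.0)),
            "top-2 vendors": evaluate(SAMPLE_CVES, top_vendors(SAMPLE_CVES, 2)),
            "exploit score >= 0.5": evaluate(SAMPLE_CVES, predicted_above(0.5)),
            "random draw, same effort": evaluate(SAMPLE_CVES, random_baseline(SAMPLE_CVES, effort)),
            "random, expected value": random_expected(SAMPLE_CVES, effort)}
    print(f"{'strategy':26} {'effort':>6} {'efficiency':>10} {'coverage':>8}")
    for name, r in rows.items():
        print(f"{name:26} {r['effort']:>6} {r['efficiency']:>10.2f} {r['coverage']:>8.2f}")
```

Run as a script, the block prints one row per strategy. Two things worth noticing on the constructed data mirror the report's argument: the CVSS-7-or-higher strategy reaches exactly the base rate of exploited CVEs (2 hits in 7, the same 2/7 the random baseline is expected to achieve), so it is no better than chance in efficiency terms, while the score threshold fixes fewer CVEs with higher precision and higher coverage. On real data you would replace `SAMPLE_CVES` with CVE records joined to an exploitation ground truth and compare the random baseline at the same effort level as each strategy, as the report does.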
Kenna is already putting the results of this research to work, using them to guide the continued development of our solutions and the further refinement of our predictive models, so that our customers can make the most efficient use of their people, tools, time and, ultimately, dollars against the threats that pose the greatest risk. The findings above only begin to scratch the surface of the data in the full report, and I encourage business technology professionals to use it as a resource for making sure their organizations aren't leaving their remediation strategies to chance.
About the Author
Karim Toubba is the CEO of Kenna Security. He is an experienced security technology executive who is passionate about innovation, leadership and solving complex problems that matter. Before joining Kenna, he was Vice President of Global Security Channels at Juniper Networks. Karim also served as Vice President of Products and Strategy for SBU at Juniper, a billion-dollar security business, where he led product management, strategy, and technical marketing. Karim is a frequent speaker on panels, events and media outlets including Fox Business Network and Bloomberg TV. Karim can be reached online at @KennaSecurity and at our company website https://www.kennasecurity.com/