A Crisis of Context: The State of Vulnerability Management (Part 1)
By The Recorded Future Team on April 5, 2019
Evidence uncovered by analyst reports indicates that vulnerability management may very well have reached the crisis stage.
At the same time, a steady stream of news shows that cybercriminals are exploiting vulnerabilities faster than ever, leaving IT teams, along with their information security counterparts, scrambling to patch or, worse, recover from a breach, especially if they do not have access to effective threat intelligence.
As the cost of recovering from security breaches escalates, IT teams need improved intelligence to make sense of the vast quantities of threat information available around vulnerabilities. Only then can they determine in advance when true threats are about to attack their company’s digital assets.
In this first of a three-part blog series, we examine the current state of vulnerability management as a method to manage information risk within an organization.
Has Vulnerability Management Reached the Crisis Stage?
Some might say that vulnerability management has reached a state of crisis. Even in a best-case scenario, IT security practitioners are deeply concerned about their ability to protect the digital assets of their companies. A recent Ponemon Institute report cited by Brilliance Security Magazine illustrates the current level of anxiety:
- 61 percent of security practitioners don’t have access to adequate business-impact context when IT breaches occur.
- 56 percent are concerned about their inability to predict where or which assets could be compromised.
- 61 percent say their leaders do not recognize the criticality of vulnerability management in avoiding breaches.
Because other research underscores just how important it is to deploy a robust vulnerability management program, these findings should set off alarms. According to Gartner, approximately 8,000 vulnerabilities per year were disclosed over the past decade. In the same time frame, the amount of new software that has been released has grown immensely, increasing the target footprint for cybercriminals.
As a result, the number of threats has increased exponentially. Among those that resulted in successful breaches of network infrastructures in the past 10 years, only a small percentage was based on new vulnerabilities. This shows how most threats leverage the same small set of vulnerabilities.
Accelerated Time to Exploit Vulnerabilities Adds to Mitigation Costs
While zero-day threats draw the most attention from vulnerability management programs, the majority of new threats are actually variations on a previously known attack method or theme, exploiting old vulnerabilities in slightly different ways. Vulnerabilities actually exploited on day zero make up only about 0.4 percent of all vulnerabilities exploited during the last decade.
Adding to the vulnerability management challenge, threat actors have accelerated the time it takes to exploit vulnerabilities. The same Gartner report referenced above found that the average time it takes between identifying a vulnerability and the appearance of an exploit in the wild has dropped by 66 percent — from 45 days to 15 days over the last decade.
This gives IT teams about two weeks to patch or remediate systems against a new exploit. If your team can’t patch your systems and applications that quickly, make sure you have a plan to limit the spread and impact of an attack.
Threat Intelligence Holds the Key to Effective Vulnerability Management
At companies where a threat intelligence security solution has not been deployed, the productivity of the IT security team is also severely impacted when reacting to potential security breaches. An IDC white paper from 2018 that examined how organizations react to threats shows the vital role that intelligence plays in effective vulnerability management.
For example, it takes IT teams that do not use an effective threat intelligence solution 15.6 days to resolve threat issues — this is not good. That’s because without sufficient threat intelligence, threats are usually identified less than 10 hours before they impact IT networks, which is roughly two weeks too late.
Aside from the negative effects on business operations, the cost to mitigate threats without the right intelligence can also rise quickly. IDC found that enterprises typically require 2.4 full-time equivalent (FTE) IT resources to isolate and fix the damage caused by successful breaches. Given average breach activity, this adds up to almost 28 FTE days per year — at an estimated cost of $240,000 or more in resource time, according to the IDC report.
Gaining the Necessary Visibility to Defend IT Infrastructures
One of the key reasons why vulnerability management has reached the crisis stage is that IT teams struggle with gathering vast quantities of data, making sense of what the data means, and determining if true threats are knocking on their door. As these teams scramble to react, they then experience lower productivity and efficiency in their mitigation efforts.
The underlying cause of these vulnerability management challenges is the lack of access to effective threat intelligence. Without intelligence that puts security threats into context, IT teams lack the necessary visibility to evaluate what is occurring in real time. They also find it impossible to make prioritized, strategic decisions on how to defend their IT infrastructures and protect their company’s digital assets.
In the next blog in this series, we will discuss how failures in vulnerability management leave a company’s digital assets exposed to cybercriminals. In the meantime, for more information on how to leverage effective threat intelligence to improve your vulnerability management program, request a personalized demo.