Enterprises Are Patching Faster, Reducing Vulnerability Debt

Enterprise defenders have to deal with a massive number of vulnerabilities every month, and while that volume isn’t likely to drop off any time soon, new data shows that companies continue to improve the speed and efficiency with which they’re patching those flaws.

It can be tempting to think of vulnerability management and patching as the same thing, but that’s not really accurate. Patching is one component of vulnerability management, a broader discipline that also requires assessment, prioritization, and mitigation of vulnerabilities within an environment. Determining which bugs are the most serious, pose the biggest risk to the organization, and require the most immediate attention is vital for enterprises, especially those with limited resources. Focusing on higher-risk vulnerabilities can provide a good return, by removing the most likely initial access vectors for attackers.

Data compiled by Kenna Security from measurements of its customers’ remediation efforts shows that companies are fixing more of those high-risk vulnerabilities faster now than they were just a year ago. Looking at the time it takes for organizations to fix 50 percent of the occurrences of a given vulnerability in their systems, Kenna found that time had dropped from 158 days last year to just 27 days this year. That measurement shows a steep curve in the number of companies patching in the first couple of months after a high-risk vulnerability is disclosed, and then it gradually flattens out as you get three or six or nine months past the initial publication. For high-risk flaws--which Kenna defines as those for which exploit code is available or exploitation activity has been seen in the wild--patching as quickly as possible is crucial.

“We like to apply that lens to it because the high-risk vulnerabilities are the ones that matter the most, and people are definitely getting better at patching those over time,” said Ed Bellis, CTO and founder of Kenna Security.

“We would expect companies to get better, especially with the higher-risk stuff. But the velocity of patching has increased as well for the higher-risk vulnerabilities.”

Kenna’s data, which is collected from the company’s customers in a broad range of verticals, shows that 78 percent of the high-risk flaws are patched within six months, and that more than 13 percent of those vulnerabilities are still unpatched a year after the fix was released. That’s a wide window of exposure for attackers to climb through, and adversaries certainly pay attention to patch release cycles and know when Microsoft, Oracle, Cisco, and other large vendors push out fixes. For high-visibility bugs, like the Exchange vulnerabilities disclosed last month or the F5 bugs revealed recently, attackers are quite likely to go after them quickly, knowing that defenders will prioritize those patches and take many vulnerable machines off the table quickly. Many larger organizations also have automated processes in place to deploy patches that come out on a regular schedule, as Microsoft’s do.

But that still leaves plenty of green field for attackers to target vulnerabilities in less-visible applications and devices.

“Companies that are really good at patching have a lot of automation and tooling in place. The massive volume of patches is coming from companies like Microsoft, but so is most of the remediation that companies are doing,” Bellis said.

“People have gotten very good at patching Microsoft vulnerabilities and they have probably operationalized it. But as they get farther away from that, to things like Linux boxes, bespoke applications, IoT devices, and that kind of thing, it’s a different story.”

It’s important to note, Bellis said, that Kenna’s customers are clearly a self-selecting population of enterprises that take a risk-based approach to vulnerability management, so they are likely to be more mature in their patching and remediation activities. But the data from those organizations does paint a pretty clear picture of things trending in the right direction. In addition to the decrease in the half-life of a given vulnerability, Kenna also recorded an increase, from 66 percent to 71 percent, in the number of companies that are either breaking even or reducing the number of vulnerabilities in their systems in any 30-day period. This measurement, called capacity, shows that fewer companies were losing ground in that fight this year than last.
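The two measurements the article leans on, the remediation half-life (days until half of a vulnerability's occurrences are fixed) and capacity (whether closures keep pace with newly discovered occurrences in a 30-day window), are simple to compute from ordinary scanner output. The script below is an added illustration of both, not Kenna's own methodology or code; the record layout (one row per vulnerability-asset pair with a discovery date and an optional fix date), the sample dates and the identifiers are all constructed for the example.

```python
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed sample records: one row per (vulnerability, asset) occurrence.
# "discovered" is when the occurrence first appeared in scan data; "fixed"
# stays None while the occurrence is still open. All values are made up.
OCCURRENCES: List[Dict] = [
    {"vuln": "VULN-A", "asset": "web-01", "discovered": date(2021, 1, 5),  "fixed": date(2021, 1, 20)},
    {"vuln": "VULN-A", "asset": "web-02", "discovered": date(2021, 1, 5),  "fixed": date(2021, 2, 1)},
    {"vuln": "VULN-A", "asset": "db-01",  "discovered": date(2021, 1, 5),  "fixed": date(2021, 3, 15)},
    {"vuln": "VULN-A", "asset": "iot-07", "discovered": date(2021, 1, 5),  "fixed": None},
    {"vuln": "VULN-B", "asset": "web-01", "discovered": date(2021, 2, 10), "fixed": date(2021, 2, 12)},
    {"vuln": "VULN-B", "asset": "web-02", "discovered": date(2021, 2, 10), "fixed": None},
    {"vuln": "VULN-B", "asset": "db-01",  "discovered": date(2021, 2, 10), "fixed": None},
]


def days_to_fix(occ: Dict) -> Optional[int]:
    """Days between discovery and fix, or None while the occurrence is open."""
    if occ["fixed"] is None:
        return None
    return (occ["fixed"] - occ["discovered"]).days


def half_life_days(occurrences: List[Dict], vuln: str) -> Optional[int]:
    """Days until at least half of this vulnerability's occurrences were fixed.

    Returns None if the half-way point has not been reached yet, which is the
    honest answer for a bug that is still mostly open (it is not "zero days").
    """
    rows = [o for o in occurrences if o["vuln"] == vuln]
    if not rows:
        return None
    needed = (len(rows) + 1) // 2  # closures required to reach 50 percent
    durations = sorted(d for d in (days_to_fix(o) for o in rows) if d is not None)
    if len(durations) < needed:
        return None
    return durations[needed - 1]


def fraction_fixed_within(occurrences: List[Dict], days: int) -> float:
    """Share of all occurrences closed within `days` of discovery (the survival-curve view)."""
    fixed = 0
    for o in occurrences:
        d = days_to_fix(o)
        if d is not None and d <= days:
            fixed += 1
    return fixed / len(occurrences)


def capacity(occurrences: List[Dict], window_start: date, window_days: int = 30) -> Dict:
    """Compare occurrences opened vs. closed inside a window.

    "keeping_up" is True when the organisation broke even or reduced its
    backlog during the window, i.e. closed at least as many as it opened.
    """
    window_end = window_start + timedelta(days=window_days)
    opened = sum(1 for o in occurrences if window_start <= o["discovered"] < window_end)
    closed = sum(
        1 for o in occurrences
        if o["fixed"] is not None and window_start <= o["fixed"] < window_end
    )
    return {"opened": opened, "closed": closed, "net": opened - closed, "keeping_up": closed >= opened}


if __name__ == "__main__":
    for v in ("VULN-A", "VULN-B"):
        print(v, "half-life (days):", half_life_days(OCCURRENCES, v))
    print("fixed within 30 days:", round(fraction_fixed_within(OCCURRENCES, 30), 2))
    print("capacity from 2021-01-20:", capacity(OCCURRENCES, date(2021, 1, 20)))
```

On the sample data VULN-A reaches its half-life at 27 days (the second of four occurrences closed on day 27), while VULN-B has no half-life yet because only one of its three occurrences is closed; a 30-day window starting 2021-01-20 opens three occurrences and closes three, so the organisation is breaking even in that window. Feeding real scanner exports into the same functions gives a per-vulnerability view of where remediation effort is actually landing.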

“That capacity metric slightly improved this year, but it’s improved more than anything else over the last three years,” Bellis said.