Enterprises face more than 100 critical vulnerabilities per day
Enterprises identify 870 unique vulnerabilities on their systems every day, on average. Of those, more than 100 are rated as critical on the Common Vulnerability Scoring System (CVSS), according to a new report.
The Vulnerability Intelligence Report from cyber risk company Tenable is based on analysis of anonymized data from 900,000 vulnerability assessments across 2,100 enterprises.
It estimates that the industry is on track to disclose up to 19,000 new vulnerabilities in 2018, an increase of 27 percent over 2017. Yet in 2017, public exploits were available for only seven percent of all vulnerabilities, meaning that 93 percent of all vulnerabilities posed only theoretical risk. For most vulnerabilities a working exploit is never developed, and of those that do have one, an even smaller subset is actively weaponized by threat actors. That makes it difficult to know which vulnerabilities to remediate first, if at all.
"When everything is urgent, triage fails. As an industry, we need to realize that effective reduction in cyber risk starts with effective prioritization of issues," says Tom Parsons, senior director of product management at Tenable. "To keep up with the current volume and velocity of new vulnerabilities, organizations need actionable insight into where their greatest exposures lie; otherwise, remediation is no more than a guessing game. This means organizations need to focus on vulnerabilities that are being actively exploited by threat actors rather than those that could only theoretically be used."
To address the flood of vulnerabilities, Tenable is announcing a Predictive Prioritization system to help identify those that have the greatest real-world risk.