Businesses can safely delay patching most vulnerabilities
Patching vulnerabilities is often seen as a key element of keeping systems secure. But a new report suggests businesses could be 'smarter' in their patching regimes and prioritize the issues that present the most risk.
The study from Kenna Security suggests companies are increasingly recognizing that the majority of vulnerabilities are never weaponized or exploited in a cyberattack.
The data shows that organizations patched over two billion of the three billion vulnerabilities seen over the survey period, indicating that enterprises have the resources to address the vulnerabilities that pose the greatest risk. This can be achieved with remediation strategies that direct resources at the 544 million high-risk vulnerabilities first and move on to the 2.9 billion lower-risk vulnerabilities afterwards.
It also shows that only about a third of all published CVEs are ever seen in a live environment and, of those, only five percent have known exploits against them. While 32.3 percent of vulnerabilities are fixed within 30 days of discovery, half of all vulnerabilities aren't patched within 90 days.
Of the ten largest software vendors, three accounted for 70 percent of open vulnerabilities, and one of those, Oracle, accounted for one-third on its own. Java and Acrobat top the list of unpatched products. One in four open vulnerabilities (25.7 percent) on enterprise systems was identified and entered into the National Vulnerability Database before 2015.
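The prioritization the report describes, and the 30-day and 90-day remediation figures it reports, are straightforward to reproduce against an organization's own findings. The Python below is an added example written for this page; it is not Kenna's tooling and uses no data from the report. The identifiers, CVSS scores, exploit flags and dates in `FINDINGS` are constructed; a real pipeline would key on CVE IDs and take the exploit flag from an exploit-intelligence feed. Open findings are queued with known-exploit status ahead of severity, so a CVSS 10 with no known exploit is deferred behind a 7.5 that is being exploited, and the time-to-fix metrics exclude findings younger than the window so a freshly discovered open issue is not counted as a miss.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    vuln_id: str           # constructed identifier; a real feed keys on the CVE ID
    cvss: float            # CVSS base score, 0.0-10.0
    exploit_known: bool    # public exploit code exists or exploitation has been observed
    nvd_year: int          # year the entry was published to the NVD
    discovered: date       # first seen in this environment
    fixed: Optional[date]  # None while the finding is still open


# Constructed sample inventory (not data from the Kenna report).
FINDINGS: List[Finding] = [
    Finding("VULN-001", 9.8, True, 2017, date(2018, 1, 10), date(2018, 1, 25)),
    Finding("VULN-002", 7.5, True, 2014, date(2018, 2, 1), None),
    Finding("VULN-003", 5.3, False, 2016, date(2018, 1, 5), date(2018, 5, 1)),
    Finding("VULN-004", 10.0, False, 2013, date(2017, 11, 20), None),
    Finding("VULN-005", 6.1, False, 2018, date(2018, 6, 15), None),
    Finding("VULN-006", 8.8, True, 2018, date(2018, 5, 20), date(2018, 6, 5)),
    Finding("VULN-007", 4.3, False, 2012, date(2018, 3, 1), date(2018, 3, 20)),
    Finding("VULN-008", 7.2, False, 2017, date(2018, 4, 10), None),
]
AS_OF = date(2018, 6, 30)  # constructed reporting date


def risk_key(f: Finding) -> Tuple[bool, float, int]:
    """Sort key: known exploit first, then higher CVSS, then older NVD entry."""
    return (not f.exploit_known, -f.cvss, f.nvd_year)


def prioritize(findings: List[Finding]) -> Tuple[List[str], List[str]]:
    """Split open findings into the queue to fix now (known exploit) and the deferred tail.

    Both halves are ordered by risk_key, so the deferred list is still worked
    highest severity first once the exploited set is cleared.
    """
    open_findings = sorted((f for f in findings if f.fixed is None), key=risk_key)
    now = [f.vuln_id for f in open_findings if f.exploit_known]
    later = [f.vuln_id for f in open_findings if not f.exploit_known]
    return now, later


def fixed_within(findings: List[Finding], days: int, as_of: date) -> float:
    """Share of findings old enough to judge that were fixed within `days` of discovery.

    A finding discovered less than `days` ago has not had the chance to miss the
    window yet, so it is left out of the denominator (right-censoring).
    """
    eligible = [f for f in findings if (as_of - f.discovered).days >= days]
    if not eligible:
        return 0.0
    hit = sum(
        1 for f in eligible
        if f.fixed is not None and (f.fixed - f.discovered).days <= days
    )
    return hit / len(eligible)


def stale_open_share(findings: List[Finding], before_year: int = 2015) -> float:
    """Share of open findings whose NVD entry predates `before_year`."""
    open_findings = [f for f in findings if f.fixed is None]
    if not open_findings:
        return 0.0
    return sum(1 for f in open_findings if f.nvd_year < before_year) / len(open_findings)


if __name__ == "__main__":
    now, later = prioritize(FINDINGS)
    print("fix now:", now)
    print("deferred:", later)
    print(f"fixed within 30 days: {fixed_within(FINDINGS, 30, AS_OF):.1%}")
    print(f"not fixed within 90 days: {1 - fixed_within(FINDINGS, 90, AS_OF):.1%}")
    print(f"open and published before 2015: {stale_open_share(FINDINGS):.1%}")
```

On the constructed inventory the queue puts VULN-002 (exploited, CVSS 7.5) ahead of VULN-004 (CVSS 10.0, no known exploit), 3 of the 7 findings old enough to judge were fixed within 30 days, and 3 of the 5 findings past the 90-day mark were not fixed in time. The censoring rule matters when comparing against the report's percentages: counting a two-week-old open finding as a 90-day miss would overstate the backlog.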
"In our ongoing mission to apply the tenets of data science to cybersecurity, we have begun to benchmark the realities of vulnerability remediation strategies," says Ed Bellis, CTO at Kenna Security. "We've found that remediating the riskiest vulnerabilities is within reach for many organizations. Despite recent high-profile data breaches, our findings show that enterprises can and should delay efforts to remediate a majority of vulnerabilities, which often number in the millions. Most vulnerabilities pose little to no danger of being exploited. That means companies can prioritize their resources to tackle the five percent of threats that pose the greatest risk."
More detail is available in the full report, which you can get from the Kenna website.