There is no shortage of software vulnerabilities, but not all flaws have equal severity and only a subset must be patched immediately. That’s one of the core themes from a report released by Kenna Security and the Cyentia Institute on Jan. 22, titled “Prioritization to Prediction: Getting Real About Remediation.”
The report analyzed 3 billion vulnerabilities that were managed across more than 500 different organizations. In that data set, the researchers determined that approximately 544 million vulnerabilities were rated as high risk. The good news is that organizations have patched 70 percent of the critical vulnerabilities. The bad news, however, is that still left 163 million vulnerabilities open.
“Enterprises would ideally patch every vulnerability within their infrastructure, but we know the reality is that they don’t have the time or resources to do so,” Ed Bellis, CTO at Kenna Security, told eWEEK. “Due to that reality, security and IT teams need to prioritize their remediation efforts to target the riskiest vulnerabilities for remediation first, then move down the line as time and resources permit.”
Looking at the overall threat landscape, the report noted that only approximately one-third of all published Common Vulnerabilities and Exposures (CVEs) are ever actually seen in live environments. A CVE is an assigned number given to a known vulnerability.
Additionally, the researchers found that of the published CVEs, only approximately 5 percent actually have known exploits against them. Bellis said that the 544 million vulnerabilities identified in the research map to the 5 percent of CVEs that are observed in enterprise environments and have known exploits against them.
When looking at risk, Bellis added that the Kenna Security platform uses multiple factors to calculate risk beyond the existence of an exploit, including asset criticality, volume and velocity of attacks across the globe, type of attack, metadata from the vulnerability descriptions and exposure of the asset, among other risk factors.
Looking at the open high-risk vulnerabilities, the report found that Java- and Acrobat-related flaws were the most unpatched software applications by organizations.
“Generally, a fix is available, but the organization has not deployed it,” Bellis said. “We didn’t dig into the reasons why certain types of vulnerabilities were not remediated in this report, but there are various factors likely at play.”
One factor cited by Bellis is the proliferation of the specific technologies within enterprises, so technologies from vendors such as Oracle, Microsoft and Adobe are in use far more frequently within enterprises, making them a more appealing target. He added that Java can be harder to patch as it is deployed in code and built into older systems and applications, making it difficult to update without impacting the business.
Among the surprising data points in the study according to Bellis was that while Microsoft has a very high total volume of vulnerabilities within its various products, enterprises in the study were far more effective at patching them in aggregate.
“This is likely attributed to factors like how patching Microsoft Office applications typically won’t create much business downtime,” Bellis said. “We also want to point out that running programs like Patch Tuesday likely has a strong positive impact for the businesses that use Microsoft software.”
Patch Tuesday is Microsoft’s regularly scheduled date for providing patching to its users, which typically occurs on the second Tuesday of every month.
Looking forward, Bellis said that for his firm’s next report, the researchers are mapping out the concepts of coverage, efficiency and survival analysis (time-to-fix) to the entire data set.
“Organizations today need to find ways to prioritize vulnerabilities based on their inherent risk to the enterprise,” Bellis said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.