    Prioritizing Vulnerabilities Is Key to Patching Success, Report Finds

    By Sean Michael Kerner - January 22, 2019

      There is no shortage of software vulnerabilities, but not all flaws have equal severity and only a subset must be patched immediately. That’s one of the core themes from a report released by Kenna Security and the Cyentia Institute on Jan. 22, titled “Prioritization to Prediction: Getting Real About Remediation.”

      The report analyzed 3 billion vulnerabilities managed across more than 500 different organizations. In that data set, the researchers determined that approximately 544 million vulnerabilities were rated as high risk. The good news is that organizations had patched 70 percent of those high-risk vulnerabilities. The bad news is that this still leaves 163 million of them open.

      “Enterprises would ideally patch every vulnerability within their infrastructure, but we know the reality is that they don’t have the time or resources to do so,” Ed Bellis, CTO at Kenna Security, told eWEEK. “Due to that reality, security and IT teams need to prioritize their remediation efforts to target the riskiest vulnerabilities for remediation first, then move down the line as time and resources permit.”

      Looking at the overall threat landscape, the report noted that only approximately one-third of all published Common Vulnerabilities and Exposures (CVEs) are ever actually seen in live environments. A CVE is an identifier assigned to a publicly known vulnerability.

      Additionally, the researchers found that of the published CVEs, only approximately 5 percent actually have known exploits against them. Bellis said that the 544 million vulnerabilities identified in the research map to the 5 percent of CVEs that are observed in enterprise environments and have known exploits against them.

      When looking at risk, Bellis added that the Kenna Security platform uses multiple factors to calculate risk beyond the existence of an exploit, including asset criticality, volume and velocity of attacks across the globe, type of attack, metadata from the vulnerability descriptions and exposure of the asset, among other risk factors.

      Open Vulnerabilities

      Looking at the open high-risk vulnerabilities, the report found that Java- and Acrobat-related flaws were the ones organizations most often left unpatched.

      “Generally, a fix is available, but the organization has not deployed it,” Bellis said. “We didn’t dig into the reasons why certain types of vulnerabilities were not remediated in this report, but there are various factors likely at play.”

      One factor cited by Bellis is how widely specific technologies are deployed within enterprises: products from vendors such as Oracle, Microsoft and Adobe are in use far more frequently, which makes them a more appealing target. He added that Java can be harder to patch because it is embedded in code and built into older systems and applications, making it difficult to update without impacting the business.

      Among the surprising data points in the study, according to Bellis, was that while Microsoft has a very high total volume of vulnerabilities across its various products, enterprises in the study were far more effective at patching them in aggregate.

      “This is likely attributed to factors like how patching Microsoft Office applications typically won’t create much business downtime,” Bellis said. “We also want to point out that running programs like Patch Tuesday likely has a strong positive impact for the businesses that use Microsoft software.”

      Patch Tuesday is Microsoft’s regularly scheduled date for releasing patches to its users, which typically falls on the second Tuesday of every month.

      What’s Next

      Looking forward, Bellis said that for his firm’s next report, the researchers are mapping out the concepts of coverage, efficiency and survival analysis (time-to-fix) to the entire data set.
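      To make the prioritization described in this article concrete, the following is an added example (not from the article, the report, or Kenna Security's platform): it takes a constructed inventory of findings already observed in an environment, keeps the article's high-risk set (known exploit available), ranks the open items with a hypothetical score built from the factors Bellis lists (exploit availability, asset criticality, exposure), and computes the coverage and efficiency ratios the next report is said to map out. The data class fields, weights, placeholder CVE identifiers and sample rows are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed example data and hypothetical scoring; not the vendor's algorithm.
@dataclass
class Finding:
    cve: str               # placeholder identifier, not a real CVE
    asset: str
    exploit_known: bool    # a public exploit exists for this CVE
    criticality: int       # asset criticality, 1 (low) to 5 (business critical)
    internet_exposed: bool
    remediated: bool

# Every row is a CVE observed on an asset in this environment, so the
# "seen in live environments" filter from the article is already applied.
INVENTORY = [
    Finding("CVE-0000-0001", "db-prod-01", True, 5, False, False),
    Finding("CVE-0000-0002", "web-edge-02", True, 4, True, False),
    Finding("CVE-0000-0003", "laptop-117", True, 2, False, True),
    Finding("CVE-0000-0004", "build-srv-03", False, 3, False, False),
    Finding("CVE-0000-0005", "web-edge-02", False, 4, True, True),
    Finding("CVE-0000-0006", "kiosk-09", True, 1, True, False),
]

def is_high_risk(f):
    """Article's high-risk set: observed in the environment AND exploit known."""
    return f.exploit_known

def risk_score(f):
    """Hypothetical ranking: exploit availability dominates, then asset
    criticality, plus a bump for assets reachable from the internet."""
    score = 10 if f.exploit_known else 0
    score += 2 * f.criticality
    score += 3 if f.internet_exposed else 0
    return score

def patch_queue(inventory):
    """Open high-risk findings, riskiest first, as (cve, asset) pairs."""
    open_hr = [f for f in inventory if not f.remediated and is_high_risk(f)]
    return [(f.cve, f.asset) for f in sorted(open_hr, key=risk_score, reverse=True)]

def coverage_and_efficiency(inventory):
    """Coverage: share of high-risk findings that were remediated (recall).
    Efficiency: share of remediation effort spent on high-risk findings (precision)."""
    high_risk = [f for f in inventory if is_high_risk(f)]
    fixed = [f for f in inventory if f.remediated]
    fixed_hr = [f for f in fixed if is_high_risk(f)]
    coverage = len(fixed_hr) / len(high_risk) if high_risk else 0.0
    efficiency = len(fixed_hr) / len(fixed) if fixed else 0.0
    return round(coverage, 2), round(efficiency, 2)
```

      On the sample rows the queue puts the exposed, exploitable edge server ahead of the unexposed but more critical database host, and the low-coverage result shows a team that spent half its fixes on non-exploitable findings.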

      “Organizations today need to find ways to prioritize vulnerabilities based on their inherent risk to the enterprise,” Bellis said.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
