State of Vulnerability Management: 6 Key Takeaways
- Aug 02, 2022
- Lisa Xu
Have you ever wondered what security professionals want most from their Vulnerability Management (VM) program? We have. In fact, we were so curious we conducted a survey to that effect. I think you’ll find the results of our survey informative and fascinating.
To better understand organizational vulnerability management, we surveyed 426 security professionals to illuminate and quantify their day-to-day challenges, frustrations, and priorities. We learned that some organizations have effective ways to react and remediate when they detect vulnerabilities, while others have more blind spots than they think.
One critical idea that threads its way throughout the survey’s results is the desire to prioritize risk around exploitability and criticality. It is evident that organizations need a way to understand and leverage the probability that threat actors will exploit a vulnerability in their environment. They also need a risk-based structure around the overwhelming volume of low-fidelity data produced by scanning technologies. Finally, they want help to improve their time to decision and resolution as well as guide their remediation efforts.
You can download the full “State of Vulnerability Management Report” here, or read on to learn about six valuable discoveries unveiled by our survey. Our findings can provide helpful evaluation criteria for security leaders who are building a vulnerability management program or assessing their VMP tool stack.
When asked to provide their impression of the overall effectiveness of their current vulnerability management program, 34% responded that it was not very effective. Slightly more, 35.9%, said their program was at least somewhat effective. Ultimately, less than a third (30.1%) of respondents see their VMP as being effective.
Security teams are working with one hand tied behind their back if they don’t have a comprehensive and continuous process for identifying, classifying, remediating, and mitigating vulnerabilities. Given the speed and scale of today’s digital transformation, they will inevitably struggle to address modern cybersecurity challenges without an effective VM program.
According to our survey, the top challenge for security teams is blind spots in their attack surface that limit visibility into total risk exposure. If you don’t know what’s in your environment, you can’t protect it.
With today’s global digital business transformation, complete visibility of IT assets is essential for cyber risk management. Teams need visibility into the business impact of their IT assets. True asset discovery is a primary function of a VM program. Backed by an asset discovery tool or your CMDB, your Vulnerability Management program should help prevent blind spots of unmanaged risk and cyber exposure.
We asked our respondents if they engage with third-party vendors to provide threat intelligence data, such as penetration tests, vulnerability disclosures, proprietary data on the dark web, and IP or domain reputation scores. A surprising 52.8% said they do not look to outside sources for information about threats.
Without reliable and organizationally relevant threat intelligence to guide prioritization, a team is left with only the Common Vulnerability Scoring System (CVSS) to evaluate the threat level of a vulnerability. Modern security practice dictates that teams go beyond standard scanner output and CVSS scores to identify and rank the criticality of their exposure.
Many teams’ practices, policies, and capabilities leave vulnerabilities unpatched for far too long. Surprisingly, only 18% of security professionals said their policies dictate that they remediate vulnerabilities within 24 hours. An astounding 62% said they take 48 hours or longer, and some let up to two weeks pass before they get around to patching vulnerabilities known to be critical.
Every hour that passes after a vulnerability has been identified increases an organization’s risk. As such, many teams today are desperate for a way to automate the remediation process. They want workflow automation, exception management, SLA enforcement, and process orchestration with downstream systems.
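The prioritization and SLA-enforcement idea in the two preceding passages, as an added example that is not part of the report or its vendor's tooling: a scanner's CVSS score is scaled by a threat-intelligence exploitation flag and by asset criticality, the result is mapped to a policy band, and findings past their remediation deadline are flagged. The weights, SLA hours, band thresholds and sample findings are constructed assumptions, not values from the survey.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Vuln:
    vid: str
    cvss: float        # scanner's CVSS base score, 0.0-10.0
    exploited: bool    # threat-intel flag: exploitation seen in the wild
    asset_tier: int    # 1 = business-critical, 2 = important, 3 = low impact
    found: datetime    # when the scanner first reported the finding

# Hypothetical SLA policy per priority band, in hours (constructed values).
SLA_HOURS = {"critical": 24, "high": 48, "medium": 24 * 14}

def risk_score(v: Vuln) -> float:
    """Scale the CVSS score by exploitability and asset criticality (assumed weights)."""
    exploit_factor = 1.5 if v.exploited else 0.6
    tier_factor = {1: 1.0, 2: 0.75, 3: 0.5}[v.asset_tier]
    return round(v.cvss * exploit_factor * tier_factor, 2)

def band(score: float) -> str:
    """Map a risk score to the SLA band it falls in."""
    if score >= 9.0:
        return "critical"
    if score >= 6.0:
        return "high"
    return "medium"

def prioritize(vulns: list, now: datetime) -> list:
    """Rank findings by risk and flag those past their SLA deadline."""
    rows = []
    for v in vulns:
        score = risk_score(v)
        b = band(score)
        due = v.found + timedelta(hours=SLA_HOURS[b])
        rows.append({"id": v.vid, "cvss": v.cvss, "risk": score,
                     "band": b, "sla_breached": now > due})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)

# Constructed sample findings: a CVSS-only ordering would put V-1 first,
# but V-2 is exploited in the wild on a critical asset and is already overdue.
NOW = datetime(2022, 8, 2, 12, 0)
SAMPLE = [
    Vuln("V-1", 9.8, False, 3, NOW - timedelta(days=1)),
    Vuln("V-2", 7.5, True, 1, NOW - timedelta(days=3)),
    Vuln("V-3", 6.5, True, 2, NOW - timedelta(hours=1)),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE, NOW):
        print(row)
```

The output ordering (V-2, V-3, V-1) differs from the CVSS-only ordering (V-1, V-2, V-3), which is the gap the survey respondents describe between scanner scores and actual risk.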
Security practitioners widely accept that numerous commonplace and well-understood vulnerabilities continue to increase, and their continued presence presents a severe risk to organizations in every industry. Our survey confirmed these assertions, finding that 58% of companies that track the volume of vulnerabilities have seen them double, triple, or quadruple over the past 12 months.
It doesn’t take much imagination to see that tripling or quadrupling the volume of exposures a security team must remediate will stretch them to the breaking point. All but the smallest organizations have concluded that their only hope is to use risk-based prioritization to address the most critical vulnerabilities and then deploy their remaining resources to shore up their infrastructure against lower-risk threats.
More than any other characterization, companies say they are seeing an increase in the sophistication of attacks. Gone are the days when cybercriminals relied heavily on phishing to slip into a target’s infrastructure to achieve their objectives. Increasingly, threat actors have learned they don’t need to rely on users to click on a hazardous link to gain entrance. Instead, they snoop around for vulnerabilities to access a data repository or other valuable assets they can exploit.
Modern organizations must deploy effective countermeasures to avoid becoming victims of sophisticated cybercriminals. In order to do this, security leaders must create robust vulnerability management programs, and this requires a deliberate approach with advanced tools to minimize risk.
Our survey shows the state of vulnerability management is lacking in several significant areas. Besides an overarching need to prioritize remediation based on actual risk to their organization, respondents also report struggling to identify and eliminate shadow IT.
Even though vulnerabilities are on the rise and the sophistication of attacks is increasing, most organizations still don’t risk-rate exposures, rely on outside threat intelligence, or dictate how quickly teams must patch vulnerabilities. These omissions are not sustainable for modern organizations facing an increasingly severe threat landscape.
To gain even more meaningful insights into the state of vulnerability management, download the entire report. What you will learn can save you time, money, and frustration.