What's with the Vulnerability Management Madness?The end of year holidays are often a time for reflection. And with Black Friday only a little more than a month away, I thought it would be as good a time as any to stop and ask the question, “Are we winning or losing the vulnerability battle?” Over the past 20 some odd years, tens of thousands of organizations have collectively spent hundreds of millions of dollars trying to eradicate dangerous vulnerabilities from their software and systems. “Find, fix, automate and repeat” has been the battle cry of many IT security pros as they march into combat hoping to come out unscathed or at least victorious over their vulnerability nemeses. However, despite widespread deployment of vulnerability management technologies, few seem to be able to decisively put a “✓” in the win column. Some folks might say that we are effectively treading water, not gaining ground, but not losing any either. However, this argument mostly refers to new versus patched vulnerabilities, and doesn’t really consider how we are faring against those vulnerabilities that are being exploited in the wild. To answer the question, let’s look at a few data points that will help us determine whether or not the good guys are keeping pace. After which, we’ll consider a few industry-wide realities that continue to plague existing vulnerability management programs.
It's time to get your vulnerability management under control. Download our white paper, 10 Reasons to Rethink Your Vulnerability Management, and discover how you can stay steps ahead of the bad guys. Or request a free trial today.Breaches Continue to Rise The following chart shows the number of reported data breaches from several well-known sources. And while the numbers may vary between sources, we can see from the data that the number of breaches continues to rise. And while not every data breach results from an exploited vulnerability, it’s a safe bet that those are growing right alongside all the other breach types. The Gap is Widening Another metric to consider is how long it’s taking us to remediate vulnerabilities. While the numbers vary (HPE = 60 days, Kenna = 110 days, and Nopsec = 176 days), let’s assume that aggressively it takes an organization 30 days to close a known critical vulnerability. That’s reasonable right? And it’s what most compliance initiatives require. Well, unfortunately for us, attackers have been getting faster at weaponizing exploits. IBM X-Force recently found that over the past ten years, the time it takes from when a vulnerability is publicly announced to when it’s first exploited has plunged from 45 to 15 days. That means, in the best case scenario many of us are sitting in the cross hairs of exploitable vulnerabilities for at least a few weeks. Oldies but Goodies Lastly, let’s look at how effective we’ve been at closing the security weaknesses we collectively know about. Last year, Verizon reported that 99.9% of exploited vulnerabilities had a CVE for more than one year – that hasn’t changed – and completely flips our best case scenario on its head. In addition, the Verizon 2016 DBIR points to the fact that although millions of vulnerabilities exist, there are only about 900 that are actively being exploited in the wild. And while that could be construed as good news, the fact that almost one third of these are more than a decade old isn’t something to celebrate, but rather something to continue debating within security circles. It’s a Big Ocean Out There Everything from malware to Shadow IT can derail even the best laid vulnerability management plans. Here are a few realities that illustrate why many businesses continue to struggle with stamping out known weaknesses. The sheer number of vulnerabilities makes it extremely challenging for most organizations to be able to determine which ones they should focus on fixing. And while only a small percentage of the millions of vulnerabilities ever actually get exploited, the number of new vulnerabilities continues to pile up year after year.