New research shows effective and efficient vulnerability management hinges on a key ingredient: exploit intel.
The data arrives just in time.
An expanding threat landscape
In 2021, a record-breaking 20,130 Common Vulnerabilities and Exposures (CVEs) were published in the National Vulnerability Database. CVEs are exploding just as attackers are growing more sophisticated, exploiting not just weaknesses in infrastructures but also human fallibility.
Trying to hold back the surge can be difficult. Research from Kenna Security, now part of Cisco, and the Cyentia Institute sheds light on the limited capacity organizations have to tackle new vulnerabilities introduced each month:
- Top-performing security teams can address 27%
- Average organizations can fix nearly 16%
- The bottom quartile? Under 7%
There is good news for resource-strapped security teams, though: the data shows most enterprises need to remediate only about 4% of the millions of vulnerabilities present in their environments, and exploit intel is what makes that 4% identifiable.
Focusing on the 4%
Real-world data drawn from Kenna customers and external sources shows that just 4% of the vulnerabilities present in any environment are exploited in the wild. In other words, only that 4% of the vulns in a given environment pose a real risk; the rest consume remediation effort without reducing exposure.
It’s in the research
Since 2018, Kenna and Cyentia have examined the performance of cybersecurity organizations and published results twice a year in the Prioritization to Prediction (P2P) research series. The latest, P2P Volume 8, reveals how organizations reduce their exploitability when informed by real-world threat and vulnerability intel.
P2P Volume 8 outlines how organizations can measure exploitability in their specific environment. It also demonstrates that risk-based prioritization performs best when it factors in the presence of exploit code: evidence that someone has already built a working way to exploit the vulnerability.
RBVM + Exploit Intel = Lower Risk
According to the research, organizations that employ a risk-based vulnerability management (RBVM) strategy informed by exploit intel do a better job defending their infrastructure than organizations using other methods, chiefly prioritizing by Common Vulnerability Scoring System (CVSS) scores.
To see how each method stacked up, the graph below compares exploitability scores resulting from different prioritization strategies. Yellow dots mark the median exploitability scores across all organizations using that method.
The key findings are illuminating:
- Prioritization strategies that factor in exploit code, combined with high remediation capacity, can reduce exploitability by a factor of up to 29.
- Incorporating exploit code into risk-based prioritization is 11 times more effective at minimizing an organization’s exploitability than prioritizing by CVSS score.
- Monitoring exploit mentions on Twitter is twice as effective as CVSS-based scoring.
- Patching CVEs at random practically ties with CVSS for effectiveness, with no remediation activity (literally doing nothing) trailing closely behind.
It’s noteworthy that despite its shortcomings, CVSS is commonly used to score CVEs, and many scanner solutions simply repackage CVSS.
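The strategy comparison above can be reproduced in miniature. The Python below is an added example, not code or data from Kenna Security, Cisco or the P2P report. It builds a constructed inventory with placeholder IDs (VULN-01 and so on, not real CVEs), flags which entries have public exploit code (the exploit intel) and which are exploited in the wild (constructed ground truth used only to score the outcome), then ranks the inventory under CVSS-only, exploit-intel-first and random strategies at a fixed monthly remediation capacity. The exploitability metric here is a deliberate simplification, the share of exploited-in-the-wild vulns still open after remediation, standing in for the report's own metric.

```python
"""Compare vulnerability prioritization strategies on a constructed inventory.

Added example: the inventory, IDs and outcomes below are constructed for
illustration and are not data from the P2P research or any real scanner.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vid: str                 # placeholder ID, not a real CVE
    cvss: float              # CVSS base score as a scanner would report it
    exploit_code: bool       # exploit intel: public exploit code observed
    exploited_in_wild: bool  # constructed ground truth, used only to score outcomes


# Constructed inventory: high CVSS scores and real-world exploitation are
# deliberately decoupled, mirroring what the research describes for real environments.
INVENTORY = [
    Vuln("VULN-01", 10.0, False, False),
    Vuln("VULN-02", 9.8, False, False),
    Vuln("VULN-03", 9.8, False, False),
    Vuln("VULN-04", 9.1, True, False),
    Vuln("VULN-05", 8.8, False, False),
    Vuln("VULN-06", 8.1, True, True),
    Vuln("VULN-07", 7.8, False, False),
    Vuln("VULN-08", 7.5, True, True),
    Vuln("VULN-09", 7.5, False, False),
    Vuln("VULN-10", 7.2, False, False),
    Vuln("VULN-11", 6.8, True, True),
    Vuln("VULN-12", 6.5, False, False),
    Vuln("VULN-13", 6.1, False, False),
    Vuln("VULN-14", 5.9, False, False),
    Vuln("VULN-15", 5.5, True, False),
    Vuln("VULN-16", 5.3, False, False),
    Vuln("VULN-17", 5.0, False, False),
    Vuln("VULN-18", 4.8, False, False),
    Vuln("VULN-19", 4.3, False, False),
    Vuln("VULN-20", 4.0, False, False),
    Vuln("VULN-21", 3.7, False, False),
    Vuln("VULN-22", 3.3, False, False),
    Vuln("VULN-23", 3.1, False, False),
    Vuln("VULN-24", 2.7, False, False),
    Vuln("VULN-25", 2.4, False, False),
]


def by_cvss(inv):
    """CVSS-only strategy: fix the highest base scores first."""
    return sorted(inv, key=lambda v: v.cvss, reverse=True)


def by_exploit_intel(inv):
    """RBVM strategy: anything with exploit code comes first; CVSS only orders within a tier."""
    return sorted(inv, key=lambda v: (v.exploit_code, v.cvss), reverse=True)


def at_random(inv, seed=7):
    """Random patching, seeded so runs are reproducible."""
    order = list(inv)
    random.Random(seed).shuffle(order)
    return order


def remediate(inv, strategy, capacity):
    """Return the ordered fix list: the top share of the inventory the team can close this cycle."""
    n_fix = round(len(inv) * capacity)
    return [v.vid for v in strategy(inv)[:n_fix]]


def exploitability(inv, fixed):
    """Simplified exploitability: share of exploited-in-the-wild vulns still open (0.0 is best)."""
    exploited = [v for v in inv if v.exploited_in_wild]
    still_open = [v for v in exploited if v.vid not in set(fixed)]
    return len(still_open) / len(exploited)


STRATEGIES = {"cvss": by_cvss, "exploit_intel": by_exploit_intel, "random": at_random}


def compare(inv=INVENTORY, capacity=0.16):
    """Exploitability left behind by each strategy at a given remediation capacity."""
    results = {name: exploitability(inv, remediate(inv, s, capacity))
               for name, s in STRATEGIES.items()}
    results["do_nothing"] = exploitability(inv, [])
    return results


if __name__ == "__main__":
    for name, score in compare().items():
        print(f"{name:14s} exploitability={score:.2f}")
    print("fix list (exploit intel):", remediate(INVENTORY, by_exploit_intel, 0.16))
```

At the 16% capacity the article cites for an average team, the CVSS-only ordering spends all four fixes on unexploited critical-scored entries and leaves every exploited vuln open, while the exploit-intel ordering clears all three of them; doing nothing scores the same as CVSS on this inventory. Lowering the `capacity` argument shows the intel-informed strategy start to leave exploited vulns open too, which is the interaction between exploit intel and remediation capacity behind the first finding above.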
Risk-based prioritization reduces exploitability
Analysts and even government organizations recognize the effectiveness of risk-based prioritization in reducing exploitability, mirroring P2P findings over the past four years. In 2019, just 20% of security organizations closed more high-risk vulns each month than were newly identified in their environment. Fast forward to today, and that number has tripled to 60%, with another 17% keeping pace with the appearance of new high-risk vulns.
So more than three-quarters of organizations employing intel-driven RBVM are at least able to keep pace with new threats, and six out of every ten are gaining ground against them.
These findings suggest that Kenna Security customers are evolving their RBVM strategies over time, and that incorporating exploit data into the mix makes them less vulnerable. The research found that implementing an intel-driven RBVM strategy is the most effective way to drive down exploitability, more effective even than adding remediation capacity.
Drive down risk
Ongoing P2P research shows that exploit intel is a strong indicator of whether a CVE is likely to be weaponized, and that a risk-based methodology with prioritization informed by it is the most direct route to a less exploitable enterprise. With an advanced RBVM solution, the remediation list (the fix list) writes itself, saving IT and AppDev teams from chasing down vulnerabilities that pose no risk and lowering the organization's overall risk profile.
Virtually every CISO would agree that patching 4% of CVEs is well within reach with the resources they have. The hard part is identifying which 4%, and that takes the right exploit intel and an RBVM platform to act on it.
Harness exploit intel to minimize risk
For more on the research-backed ways to lower risk, download your copy of the Prioritization to Prediction, Volume 8: Measuring and Minimizing Exploitability.