SAN JOSE, CA., January 19, 2022 /PRNewswire/ —
Summary of news:
- A record 20,130 software vulnerabilities were reported in 2021, an average of 55 per day. However, only 4% of them pose a high risk to organizations.
- An organization can dramatically reduce its chance of a breach, or “exploitability score,” by up to 29 times by first patching the high-risk vulnerabilities that have public exploit code and by having high remediation capability.
- Using Twitter mentions to prioritize software patches is twice as effective at reducing exploitation as the industry standard Common Vulnerability Scoring System (CVSS).
New research has quantified the success of various vulnerability and exploitability management strategies for entire organizations, expanding the risk-based playbook for cybersecurity practices.
With an average of 55 new software vulnerabilities released every day in 2021, even the most well-staffed and resourced IT teams cannot patch all vulnerabilities in their infrastructure. Fortunately, there is a better solution.
Research conducted by Kenna Security, now part of Cisco and a market leader in risk-based vulnerability management, together with the Cyentia Institute, shows that properly prioritizing vulnerabilities for patching is more effective than increasing an organization’s ability to patch them, and that doing both can reduce an organization’s measured exploitability by 29 times.
The results are explained in Kenna’s latest report, Focus on Prediction, Volume 8: Measuring and Minimizing Exploitability.
“Exploits in the wild used to be the best metric for vulnerability security teams to prioritize. Now we can show the likelihood of a particular organization being exploited, which is something we’ve always wanted to do,” said Ed Bellis, co-founder and chief technology officer of Kenna Security, now part of Cisco. “This gives organizations a much better chance of effectively combating potential cyber threats and research shows that our customers are successfully managing their vulnerability risk every day.”
Exploitability was determined using the Open Predictive Exploitation Scoring System (EPSS), a cross-industry effort, including Kenna Security and the Cyentia Institute, that is managed by FIRST.org.
The research confirms recent guidance from the Cybersecurity and Infrastructure Security Agency (CISA) suggesting that it is wiser to move away from prioritizing patches by CVSS score and instead to focus on high-risk vulnerabilities. The analysis shows that factors such as the existence of exploit code, and even Twitter mentions, are better signals than CVSS scores.
“It is clear that a shift to exploitability is going to make a huge difference based on the data and findings of this report. An analysis of vulnerabilities published by CISA suggests that they may also be moving away from CVSS scores as we were conducting this research,” said Wade Baker, partner and co-founder of Cyentia Institute. “We went further to factor in remediation speed into our calculations, which should better inform security teams.”
Research also suggests that:
- Almost all (95%) IT assets have at least one highly exploitable vulnerability.
- Prioritizing vulnerabilities with exploit code is 11x more effective than CVSS at minimizing exploitability.
- Most (87%) organizations have open vulnerabilities in at least a quarter of their active assets, and 41% have vulnerabilities in three out of four assets.
- A strong majority (62%) of vulnerabilities have less than a 1% chance of being exploited; only 5% of CVEs exceed a 10% probability.
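The findings above compare three ways of ranking a patch queue: by CVSS score, by whether public exploit code exists, and by EPSS probability. The small simulation below is an added illustration and is not code from the Kenna/Cyentia report, nor the method the report used to measure exploitability. It assumes a constructed inventory (placeholder identifiers `vuln-A` … `vuln-H` with made-up CVSS, exploit-code and EPSS values), a fixed remediation capacity of patches per cycle, and a simple exploitability measure: the probability that at least one still-open vulnerability is exploited, treating each EPSS value as independent. Under those assumptions it shows why ordering by exploit code or EPSS leaves far less exploitability open than ordering by CVSS, and how raising remediation capacity lowers it further.

```python
import math
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Vuln:
    """One open finding on an asset (constructed sample data)."""
    ident: str          # placeholder id, not a real CVE number
    cvss: float         # CVSS base score
    exploit_code: bool  # public exploit code is known to exist
    epss: float         # EPSS-style probability of exploitation (0..1)


# Constructed inventory; every score here is made up for illustration.
INVENTORY: List[Vuln] = [
    Vuln("vuln-A", 9.8, True, 0.90),
    Vuln("vuln-B", 10.0, False, 0.02),
    Vuln("vuln-C", 7.5, True, 0.40),
    Vuln("vuln-D", 9.1, False, 0.20),
    Vuln("vuln-E", 5.3, True, 0.15),
    Vuln("vuln-F", 8.8, False, 0.005),
    Vuln("vuln-G", 6.5, False, 0.003),
    Vuln("vuln-H", 4.3, False, 0.001),
]

Strategy = Callable[[List[Vuln]], List[Vuln]]


def order_by_cvss(vulns: List[Vuln]) -> List[Vuln]:
    """Industry-standard queue: highest CVSS base score first."""
    return sorted(vulns, key=lambda v: v.cvss, reverse=True)


def order_by_exploit_code(vulns: List[Vuln]) -> List[Vuln]:
    """Exploit-code signal: anything with public exploit code first, CVSS as tie-break."""
    return sorted(vulns, key=lambda v: (v.exploit_code, v.cvss), reverse=True)


def order_by_epss(vulns: List[Vuln]) -> List[Vuln]:
    """EPSS signal: highest predicted exploitation probability first."""
    return sorted(vulns, key=lambda v: v.epss, reverse=True)


def residual_exploitability(open_vulns: List[Vuln]) -> float:
    """Probability that at least one still-open vulnerability is exploited.

    Assumes independence between findings (a modelling assumption made here,
    not a claim about how the report computed its exploitability score).
    """
    p_none_exploited = math.prod(1.0 - v.epss for v in open_vulns)
    return 1.0 - p_none_exploited


def simulate(vulns: List[Vuln], strategy: Strategy, capacity: int) -> Tuple[List[str], float]:
    """Patch the top `capacity` items of the strategy's queue; report what was
    patched and the exploitability left open afterwards."""
    ranked = strategy(vulns)
    patched, remaining = ranked[:capacity], ranked[capacity:]
    return [v.ident for v in patched], residual_exploitability(remaining)


def compare_strategies(vulns: List[Vuln], capacity: int) -> dict:
    """Residual exploitability per strategy at a given remediation capacity."""
    return {
        name: simulate(vulns, strategy, capacity)[1]
        for name, strategy in (
            ("cvss", order_by_cvss),
            ("exploit_code", order_by_exploit_code),
            ("epss", order_by_epss),
        )
    }


if __name__ == "__main__":
    # Same team, same capacity: only the ordering of the queue changes.
    for capacity in (3, 5):
        print(f"remediation capacity: {capacity} patches per cycle")
        for name, residual in compare_strategies(INVENTORY, capacity).items():
            patched, _ = simulate(INVENTORY, globals()[f"order_by_{name}"], capacity)
            print(f"  {name:<13} patched={patched} residual exploitability={residual:.3f}")
```

With the constructed numbers, CVSS-first spends its three patches on `vuln-B`, `vuln-A` and `vuln-D` and leaves about 0.49 exploitability open, because the two exploited-in-practice findings `vuln-C` and `vuln-E` have middling CVSS scores; exploit-code-first leaves about 0.22, and EPSS-first about 0.17. Raising capacity from three to five patches per cycle then drives the EPSS-first residual below 0.01, which is the "prioritize well, then get faster" combination the report describes.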
Cisco (NASDAQ: CSCO) is the global leader in the technology that powers the Internet. Cisco inspires new possibilities by reimagining your applications, securing your data, transforming your infrastructure, and empowering your teams for a global and inclusive future. Find out more on The Network and follow us on Twitter.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the United States and other countries. A list of Cisco trademarks is available at www.cisco.com/go/trademarks. Third-party brands mentioned are the property of their respective owners. Use of the word partner does not imply a partnership relationship between Cisco and any other company.
SOURCE Cisco Systems, Inc.