Most common approaches to prioritising and fixing vulnerabilities are roughly as effective as, or far less effective than, addressing vulnerabilities at random.
This is according to a new study by Kenna Security and the Cyentia Institute.
Researchers compared 15 remediation strategies against a baseline of fixing vulnerabilities at random, which serves as the reference point for judging the effectiveness of each strategy. More than half of the strategies were found to be no more effective than chance.
The report, ‘Prioritization to Prediction: Analyzing Vulnerability Remediation Strategies’, includes new insights into vulnerability lifecycles, the key factors that influence the prevention of vulnerabilities, and the effectiveness of various vulnerability strategies used to prioritise enterprise cyber security efforts.
According to the study, the volume and velocity of vulnerabilities are rapidly increasing. The researchers found that in 2017, businesses had to decide how to address an average of 40 new vulnerabilities every day, including weekends. Last year saw the highest number of entries added to the database in a single year, more than double the number added in 2016. They explained that 2018 is on track to either match or exceed last year's figures.
Speed must be a priority, say the report authors. The greatest number of exploits are published in the first months after a vulnerability is disclosed, and 50 per cent of exploits are published within two weeks of a new vulnerability. They said this means businesses realistically have only ten working days to find and fix the riskiest vulnerabilities.
Karim Toubba, CEO, Kenna Security, said: “Businesses can no longer afford to react to cyber threats, as the research shows that most common vulnerability remediation strategies are about as effective as rolling dice. But there is hope – a predictive model based on cutting-edge data science is more efficient, requires less effort, and provides better coverage of an enterprise’s attack surface.”
Jon Oltsik, senior principal analyst at the Enterprise Strategy Group (ESG), added that these systems are “moving beyond real-time assessments by forecasting weaponisation and risk well before an attack is possible”. He went on to say this proactive approach can help organisations anticipate attacker behaviour.