SAN FRANCISCO, Jan. 22, 2019 (GLOBE NEWSWIRE) --
Ed Bellis, CTO at Kenna Security
“In our ongoing mission to apply the tenets of data science to cybersecurity, we have begun to benchmark the realities of vulnerability remediation strategies. We’ve found that remediating the riskiest vulnerabilities is within reach for many organizations. Despite recent high-profile data breaches, our findings show that enterprises can and should delay efforts to remediate a majority of vulnerabilities, which often number in the millions. Most vulnerabilities pose little to no danger of being exploited. That means companies can prioritize their resources to tackle the five percent of threats that pose the greatest risk.”
Kenna Security, a leader in predictive cyber risk, today released the second volume of its ongoing analysis into the vulnerability landscape. The report, titled Prioritization to Prediction: Getting Real About Remediation, found that companies today appear to have the resources needed to address all of their high-risk vulnerabilities.
The research demonstrates that companies are getting smarter in how they protect themselves from today’s cyber threats, improving operational efficiency and resource allocation, while best managing risk. The research builds on Kenna Security’s initial Prioritization to Prediction: Analyzing Vulnerability Remediation Strategies report to show that companies are increasingly recognizing that the majority of vulnerabilities are never weaponized or exploited in a cyberattack.
Cybersecurity researchers from Kenna Security and Cyentia Institute analyzed 3 billion vulnerabilities managed across 500+ organizations and 55 sources of external intelligence. They then took a deep dive into the realities of remediation using anonymized data from a sample of 12 enterprises that were selected to cover a range of industries, sizes, and remediation strategies. They found that:
Additional key findings include:
News in Depth
This second volume of the Prioritization to Prediction report builds upon research that Kenna Security and Cyentia Institute conducted in the spring of 2018. That effort analyzed all of the defined vulnerabilities with CVE numbers in the MITRE database to provide a top-down look at the state of the global vulnerability landscape and quantify the theoretical effectiveness of remediation strategies.
That original report found that an extremely small subset of known vulnerabilities is ever exploited in the wild. Companies, however, did not have reliable methods to predict which vulnerabilities, when announced, were at high risk of exploitation. It made the case that most remediation strategies were about as effective as random chance. It also showed how risk-based remediation strategies driven by machine learning could make accurate predictions and increase the efficiency of security operations by reducing the amount of time spent patching low-risk vulnerabilities.
The data analyzed in this most recent report was pulled from the Kenna Security Platform, a cloud-based vulnerability management system used by some of the world’s largest enterprises. The platform integrates data from every vulnerability scanner on the market. Prioritization to Prediction: Getting Real About Remediation moves beyond theoretical remediation effectiveness to reveal the actual results of vulnerability remediation strategies within real-world enterprise environments. Kenna Security and Cyentia Institute looked to answer three main questions:
The answers to these and other questions provide a never-before-seen look at the vulnerability remediation practices, timelines, and outcomes in the modern enterprise. These insights can be applied to business remediation strategies to help organizations understand how to begin prioritizing the 15.6 percent of vulnerabilities that will ultimately reduce the greatest amount of risk for their organization.
Jay Jacobs, data scientist, co-founder and partner, Cyentia Institute
“Kenna’s data demonstrates a much brighter picture for enterprise security. Despite the seemingly countless number of vulnerabilities that every company faces, data-driven security can help organizations effectively manage cyber risk and improve security.”
The Cyentia Institute is a Virginia-based research services firm that exists to advance cybersecurity knowledge and practice through use-inspired, data-driven research. Cyentia curates and publishes research for the community, partners with other organizations to create compelling publications and helps enterprises turn complex security data into confident strategic decisions.
About Kenna Security
Kenna Security is a leader in predictive cyber risk. The Kenna Security Platform enables organizations to work cross-functionally to determine and remediate cyber risks. Kenna leverages Cyber Risk Context Technology™ to track and predict real-world exploitations, focusing security teams on what matters most. Headquartered in San Francisco, Kenna counts among its customers many Fortune 100 companies, and serves nearly every major vertical.
Media & Analyst Contact:
Gregory FCA for Kenna Security