SAN FRANCISCO, March 12, 2019 (GLOBE NEWSWIRE) --
Ed Bellis, CTO at Kenna Security
“This research shows that the playbook for patching vulnerabilities varies widely by industry and the complexity of an organization. The quickest industries, on average, patch vulnerabilities four to five times faster than the slowest. However, the velocity at which they remediate vulnerabilities doesn’t always correlate directly to their security posture. This report offers a rare view into the ways organizations and their industry peers address security, enabling them to benchmark their own practices.”
Kenna Security, a leader in predictive cyber risk, today released Prioritization to Prediction, Volume 3: Winning the Remediation Race, showing that bigger companies aren’t necessarily better at patching security holes.
In its research, Kenna found that companies, on average, have the ability to close about one out of every ten vulnerabilities. This remarkably strong correlation stays constant as firms grow, demonstrating that, on average, cybersecurity teams cannot increase their rate of remediation with the available tools.
This finding is most clear for large organizations in which, on average, it takes 254 days to remediate 75 percent of high-risk vulnerabilities, while small organizations typically accomplish this in 59 fewer days. However, top-performing companies are remediating one in four vulnerabilities, outperforming the mean and patching 2.5 times more vulnerabilities than the average organization.
The most recent report also found that:
News in Depth
Produced in conjunction with the Cyentia Institute, the third volume of Kenna’s Prioritization to Prediction series explores and analyzes the vulnerability management landscape. It uses data from the Kenna Security Platform to conduct a granular, in-depth analysis of the behavior and safety of more than 300 organizations.
The research builds on two previous Prioritization to Prediction reports. The first, Prioritization to Prediction: Analyzing Vulnerability Remediation Strategies, showed that the most common vulnerability remediation strategies used by large enterprises were about as effective as random chance. That’s because just 2 percent of vulnerabilities are ever deployed in an attack. That report further made the case that predicting the likelihood that a vulnerability would be exploited was an effective method of prioritization.
For the second report, Prioritization to Prediction: Getting Real About Remediation, researchers from Kenna Security and Cyentia Institute analyzed 3 billion vulnerabilities managed across 12 organizations and 55 sources of external intelligence. The research provided an unprecedented look at the size and scope of cybersecurity challenges at major companies. The results showed the companies had remediated more than 2 billion vulnerabilities on their systems, 544 million of which were deemed “high-risk.” Those results indicated that companies had the resources to drastically improve security, provided they had a method to identify high-risk vulnerabilities.
Jay Jacobs, data scientist, co-founder and partner, Cyentia Institute
“For this report, we analyzed real-world vulnerability management strategies from hundreds of organizations. We found that it is possible to get ahead of new high-risk vulnerabilities over time. Of course, that outcome depends on whether organizations have the information to prioritize those vulnerabilities for remediation.”
Scott Crawford, Research Director, Information Security, 451 Research
“Data science and machine learning are already making significant contributions to the cybersecurity industry. CISOs and operations teams alike have an unprecedented opportunity to derive intelligence from these techniques to refine and evolve remediation strategies and improve their organizations’ risk profiles. The Prioritization to Prediction series capitalizes on these advances, giving practitioners a more detailed and objective view of vulnerability management strategies.”
The Cyentia Institute is a Virginia-based research services firm that exists to advance cybersecurity knowledge and practice through use-inspired, data-driven research. Cyentia curates and publishes research for the community, partners with other organizations to create compelling publications and helps enterprises turn complex security data into confident strategic decisions.
About Kenna Security
Kenna Security is a leader in predictive cyber risk. The Kenna Security Platform enables organizations to work cross-functionally to determine and remediate cyber risks. Kenna leverages Cyber Risk Context Technology™ to track and predict real-world exploitations, focusing security teams on what matters most. Headquartered in San Francisco, Kenna counts among its customers many Fortune 100 companies, and serves nearly every major vertical.
Media & Analyst Contact:
Gregory FCA for Kenna Security