Big or small, organizations typically remediate 1 of 10 discovered vulnerabilities

Four new reports from Kenna Security and the Cyentia Institute tracking patch and vulnerability management come to the same conclusion: Regardless of industry, regardless of the size of your business, you probably observe 10 times more vulnerabilities on your network than you patch each month.

The Kenna/Cyentia reports go into detail about how four different sectors (tech, manufacturing, healthcare and finance) approach the vulnerabilities on their network – their abilities to prioritize, average vulnerabilities per asset and the length to remediate each vulnerability.

"One of the most surprising things was that remediation capacity is not related to size," said Ed Bellis, chief technology officer of Kenna.

While most seemed to hover around that one in ten mark, a few companies were able to clear as much as one in four.

It's common wisdom among CISOs that a lot of the job comes down to prioritizing the most important things to fix – issues actively being used in attacks, with the highest potential for danger or ones with published exploits.

As recently as two years ago, when Kenna performed a similar study, it found that two-thirds of businesses were not able to keep up with the new high priority vulnerabilities each month – that they'd finish the month with more than they started.

"At the risk of sounding optimistic, that's flipped," he said. "Companies are now paying down that debt."

The Kenna reports describe some of the eccentricities to each industry. In healthcare, for example, there is a high density of discoverable vulnerabilities in machines each month but also a very high clearance rate. That would be indicative of networks reliant on Windows machines, said Bellis.

The tech sector had some of the fastest clearance rates. That's not just because of technological savvy, said Bellis. Tech companies often have the most uniformity of equipment, thousands of identically equipped servers, making patching and remediating much easier.

The opposite was true of the finance sector, which Bellis described as brimming with layers of often custom applications. The result was four times as many vulnerabilities per asset than other sectors, taking around 25 percent longer to remediate.

Manufacturing is known to often have the most delicate machinery to remediate or even test for vulnerabilities. As an apparent result, it takes nearly twice as long to repair vulnerabilities (69 days versus 39) as other industries, and the highest ratio of firms falling behind on the most dangerous vulnerabilities – nearly 40 percent.

The studies were based on telemetry from Kenna's customer base, and Bellis warns that may color the results. A group looking for the most dangerous vulnerabilities to remediate is the group most likely to find and remediate them.

It's sometimes easier said than done to patch all critical vulnerabilities. There is a time and staffing issue, problems with shutting down critical services to perform updates, and concerns about patches disrupting services.

Nevertheless, said Mehul Revankar, vice president of product and engineering at Qualys, "patching is the most important part of vulnerability management."

That is often hindered, he said, by CISOs not having visibility on all the devices on a network. Revankar noted a time he advised a large agricultural firm that hadn't notified the CISO that all the cows were network connected for tracking.

While organizations may have similar ratios of vulnerabilities discovered to vulnerabilities remediated regardless of size, size still matters, said James Carder, chief security officer of LogRythm. Even if the ratios stay the same, having more vulnerabilities total on a network is more dangerous than having fewer.

Carder added that in instances where patching was impossible, other remediation strategies were critical, including isolating systems and segmenting networks. That can protect a network from security flaws intentionally designed into a product and not just those considered vulnerabilities.

"Some devices can have no vulnerabilities, but still be open to RDP connections," he said, as an example.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.