Patch/Configuration Management, Vulnerability Management

How security teams can prevent a 47-day patching handicap

While Apple gets headlines for discovering zero-days, today’s columnist, Ed Bellis of Kenna Security, says true zero-days are rare. Bellis says the vast majority of vulnerabilities are patched before CVE publication. However, in the rare case when exploits predate the availability of a patch, attackers get a 47-day head start – and that’s something...

Common sense tells us that when code used to exploit vulnerabilities becomes publicly-available, somebody will use it for an attack.

New research from Kenna Security and the Cyentia Institute tells us the exact impact the public release of such code has on corporate security and attacker momentum – especially in the relatively rare instances where the release of an exploit code predates a patch. When this happens, attackers get a 47-day head start against the security teams defending against them.

Our research mapped the lifecycles of 473 vulnerabilities with evidence of exploits in the wild in 2019. And it raises some interesting points about how software vendors and security teams can work together.

It’s worthy to note that there’s no typical sequence in when a vulnerability gets discovered, a CVE created, a patch issued, or an exploit developed. While zero-days captivate a lot of attention, true zero-days are very rare. Only about 7 percent of vulnerabilities are exploited before a CVE gets published, patches are available, and exploit code released.

It’s not all bad news. We’re not dealing with the wild west. More than 80 percent of exploited vulnerabilities have a patch available prior to, or within a few days of CVE publication. About one-third of vulnerabilities have exploit code published before a patch becomes available.

Just because a patch becomes available doesn’t mean an organization has the time or resources to implement it. Conversely, there’s also a learning curve to using exploits. The question becomes: What factors give defenders momentum?

When patches are made available before exploit code goes public, organizations get a significant period of time in which they can patch more assets than attackers can target. But when an exploit predates the availability of a patch, attackers get a 47-day head start, and it usually takes defending organizations more time to patch than normal.

All of this data adds up to a fairly simple conclusion. There’s a system of coordinated disclosure in which security researchers give software vendors a chance to issue a patch before going public with their findings. That system largely works. If anything, vendors would like it if researchers gave them a little more time.

While that conclusion might seem obvious, it does fly in the face of some conventional wisdom. After all, intrusion detection vendors can’t always write detection signatures without exploit code. And if an intrusion detection system (IDS) can’t detect an exploit attempt the security team might not know if it’s being exploited.

In a perfect world, security researchers who find vulnerabilities would give software vendors plenty of time to fix security holes they find. On the other side of the coin, software vendors would act expediently when security researchers find vulnerabilities.

Unfortunately, we don’t live in a perfect world. Sometimes, software vendors don’t respond to security threats. And security researchers disclose their findings before vendors have had a chance to issue the fix.

That dynamic, and these rare exceptions, has led to years of recriminations between researchers and vendors. We don’t have to live with these recriminations. We consider our research novel. We’ve found nothing that pairs vulnerability lifecycle and vulnerability management data at this scale. It offers a unique path to get past the age-old fights over the role of security researchers and their relationship with vendors. Simply put, it’s a huge dose of data that offers a road map for better outcomes.

Ed Bellis, co-founder and CTO, Kenna Security

Ed Bellis

Ed Bellis, Co-founder and CTO of Kenna Security Ed Bellis is a security industry veteran and expert and known in security circles as “the father of risk-based vulnerability management.” He founded Kenna Security to deliver a data-driven risk-based approach to remediation and help IT teams prioritize and thwart would-be security threats. Ed is the former CISO of Orbitz and former Vice President, Corporate Information Security at Bank of America. He is an advisor to Dharma and former advisor to and Society of Payment Security Professionals. Ed is a contributing author to the book, Beautiful Security (Oram, Andy & Viega, John, O’Reilly Media, 2009). He is a frequent speaker at industry conferences. Recent engagements include the 2017 Enterprise Security Summit (Dos and Don’ts of Establishing Metrics that Cultivate Real Security) and InfoSec World (Amateur Hour: Why APT’s Are the Least of Your Worries).

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.