The State of Vulnerability Management (and What Comes Next)
Unpatched Vulnerabilities • Dec 2, 2022
Maintaining effective vulnerability management is like eating broccoli. Everybody knows it’s good for you… and yet, nobody wants to do it.
The reasons differ, of course. Vulnerability management is overwhelming because the maintenance never ends. It’s easy to be distracted by more exciting areas of security—fancy tools that protect against APTs and zero-day threats, for example. However, vulnerability management is a crucial element of cyber hygiene that underpins every other area of cybersecurity.
In Practical Vulnerability Management (2020), Andrew Magnusson gives a simple example of the importance of effective vulnerability management. He describes a situation where a mid-sized organization has a comprehensive set of security controls in place, including:
Firewalls to block unwanted incoming traffic
Egress filtering to block unauthorized exit traffic
Antivirus on all endpoints
Hardened servers
…but there’s a problem. An old Linux webserver—a relic of a forgotten business initiative—is running an outdated version of Tomcat that’s vulnerable to a five-year-old Java exploit. Using it, an attacker sidesteps all the organization’s fancy controls and gains a foothold inside the network.
This is why fundamental cyber hygiene factors like vulnerability management are so important. A network is only as strong as its weakest link—and often, that weak link is an unpatched vulnerability.
There is disagreement over what proportion of breaches are caused or exacerbated by known, unpatched vulnerabilities. One study claims the answer is 42%, while another proposes 34%, suggesting the true figure could be much higher.
While there’s no agreement on the topic, it’s safe to say the answer is “a lot” and “this is a big deal.”
Note that often, breaches aren’t caused by a single factor. What ultimately presents as ransomware or mass data theft often starts as something less dramatic—a phishing email, basic web application attack, credential stuffing… or exploiting an unpatched vulnerability.
Once an attacker obtains a foothold within a network, they often ‘dwell’ there, slowly expanding privileges and moving laterally through the network to avoid raising suspicion until they can achieve their objective. This is what makes vulnerable systems dangerous. Something as basic as a forgotten, unpatched server can provide the ‘toehold’ an attacker needs to launch a major attack.
Despite the valiant efforts of vulnerability management teams, most organizations are falling further behind. The average organization has tens of thousands of open vulnerabilities—and that number grows each year.
While vulnerability scanners and patch management tools are vital, they don’t offer the broader capabilities and centralized intelligence needed to meaningfully reduce vulnerability risk.
So how should security teams proceed? To answer this question, we’ve released a new white paper:
Download the white paper today to learn how your organization can orchestrate a comprehensive vulnerability identification, prioritization, and remediation program based on a specific risk profile—while dramatically reducing the manual burden on your vulnerability management team.
Read the white paper to learn:
The four essential requirements for risk-based vulnerability management, and how they combine to drastically improve security outcomes.
How to unify security and IT operations tools, allowing teams to identify, prioritize, and remediate vulnerabilities more effectively.
How Cyber Fusion can help teams accurately prioritize vulnerabilities, eliminate false positives, decrease manual burden, and reduce vulnerability risk.