New research sheds light on how IT teams should patch vulnerabilities

22 Jan 2019


A new report from Kenna Security shows the reality of cybersecurity vulnerability remediation efforts.

Cybersecurity threats can often seem overwhelming, with large volumes of vulnerabilities being disclosed on a regular basis. From processor flaws to software bugs, keeping track of what is most important to deal with is an intimidating task.

New research from Kenna Security and Virginia-based cyber research firm Cyentia Institute shows that, in fact, most vulnerabilities pose little to no danger of being exploited. The two organisations analysed 3bn vulnerabilities managed across more than 500 organisations and 55 external intelligence resources.

The second volume of the Prioritization to Prediction report found that infosec teams are becoming more intelligent when it comes to protecting themselves from today’s major cybersecurity threats, while managing resources and improving efficiency.

The research also found that companies are increasingly recognising that the majority of vulnerabilities are never weaponised or exploited in a cyberattack.

A change in strategy needed from infosec pros

Ed Bellis, CTO at Kenna Security, said: “In our ongoing mission to apply the tenets of data science to cybersecurity, we have begun to benchmark the realities of vulnerability remediation strategies.

“We’ve found that remediating the riskiest vulnerabilities is within reach for many organisations. Despite recent high-profile data breaches, our findings show that enterprises can and should delay efforts to remediate a majority of vulnerabilities, which often number in the millions.”

According to the research, only 5pc of all published CVEs (common vulnerabilities and exposures) have known exploits against them and 42.3pc of vulnerabilities are remediated within 30 days of discovery. Half of all vulnerabilities are not patched within 90 days.

Organisations have closed 70pc of the critical vulnerabilities on their systems, but they still aren’t as efficient as they could be. Out of the 544m high-risk vulnerabilities, organisations remediated 381m, leaving 163m open.

Research data shows that infosec teams remediated a total of more than 2bn vulnerabilities, indicating that enterprises have the resources to address the vulnerabilities that pose the greatest risk. This can be accomplished by implementing remediation strategies that prioritise resources to tackle all of the 544m high-risk vulnerabilities first, only moving on to the 2.9bn lower-risk vulnerabilities afterwards.
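The risk-based ordering described above, together with the 30-day and high-risk closure figures from earlier in the piece, can be expressed as a small triage routine. This is an added illustration, not code from Kenna Security or the report; the high-risk rule (known exploit or CVSS 9.0 and above), the field names and the sample findings with placeholder CVE identifiers are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Finding:
    cve: str
    cvss: float
    exploit_known: bool          # a known public exploit is the key risk signal
    discovered: date
    remediated: Optional[date] = None   # None means the finding is still open


def is_high_risk(f: Finding) -> bool:
    """Assumed rule: high-risk if an exploit is known or severity is critical."""
    return f.exploit_known or f.cvss >= 9.0


def prioritise(findings: List[Finding]) -> List[Finding]:
    """High-risk findings first; within a tier, highest CVSS then oldest first."""
    return sorted(findings, key=lambda f: (not is_high_risk(f), -f.cvss, f.discovered))


def remediated_within(findings: List[Finding], days: int) -> float:
    """Share of all findings closed within `days` of discovery (the 30/90-day metric)."""
    closed = sum(1 for f in findings
                 if f.remediated is not None and (f.remediated - f.discovered).days <= days)
    return closed / len(findings)


def high_risk_closure(findings: List[Finding]) -> Tuple[int, int]:
    """(closed, still open) counts for the high-risk tier, as the report breaks them out."""
    high = [f for f in findings if is_high_risk(f)]
    closed = sum(1 for f in high if f.remediated is not None)
    return closed, len(high) - closed


# Constructed sample backlog; CVE identifiers are placeholders, not real entries.
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, True,  date(2018, 10, 1), date(2018, 10, 20)),
    Finding("CVE-0000-0002", 7.5, True,  date(2018, 10, 5)),
    Finding("CVE-0000-0003", 5.3, False, date(2017, 3, 1)),
    Finding("CVE-0000-0004", 9.1, False, date(2018, 11, 1), date(2018, 11, 15)),
    Finding("CVE-0000-0005", 6.5, False, date(2018, 9, 1),  date(2018, 12, 15)),
    Finding("CVE-0000-0006", 4.3, False, date(2018, 11, 20)),
]

if __name__ == "__main__":
    print([f.cve for f in prioritise(SAMPLE)])
    print(f"closed within 30 days: {remediated_within(SAMPLE, 30):.1%}")
    print("high-risk closed/open:", high_risk_closure(SAMPLE))
```

On the sample, the two open low-risk findings sort behind every high-risk one, so a team working the list top-down addresses the exploited CVE-0000-0002 before the older but unexploited CVE-0000-0003.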

Of the 10 largest software vendors, three were responsible for 70pc of open vulnerabilities, with Oracle responsible for a third of those. Java and Acrobat top the list of unpatched products.

Data-driven security

A quarter of open vulnerabilities found on enterprise systems had already been identified and entered into the US National Vulnerability Database prior to 2015. The report noted that risk-based remediation strategies driven by machine learning could allow for accurate predictions, increasing efficiency by reducing the amount of time IT teams spend patching low-risk bugs.

Jay Jacobs, data scientist, co-founder and partner at Cyentia Institute, said: “Kenna’s data demonstrates a much brighter picture for enterprise security. Despite the seemingly countless number of vulnerabilities that every company faces, data-driven security can help organisations effectively manage cyber risk and improve security.”

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects