Research from Tenable shows enterprises are overwhelmed by security vulnerabilities

7 Nov 2018

Image: © Franny-Anne/

Research from cybersecurity firm Tenable shows the volume of new security vulnerabilities continues to balloon.

The world of cybersecurity for enterprises is full of challenges and, as new threats continue to grow and mutate, this looks unlikely to change.

A new report from Tenable shows that enterprises need to deal with more than 100 critical vulnerabilities on a daily basis, which can seem overwhelming to even the most up-to-date cybersecurity teams.

Vulnerabilities keep on growing

According to the report, in 2017 alone, 41 new vulnerabilities were published daily on average, with a total of 15,308 for the year. Additionally, the growth in new vulnerability disclosures for the first half of 2018 showed a 27pc increase on the same period last year.

High-profile issues have also become a regular feature of mainstream headlines, from the notorious Equifax data breach to WannaCry.

Tenable researchers anonymised data from 900,000 vulnerability assessments across 2,100 enterprises and said that it expects up to 19,000 new vulnerabilities to be disclosed by the end of this year.

High-profile security issues from March until August 2018 included a new Apache Struts vulnerability, Underminer cryptomining malware, Faxsploit remote code execution device, variants of Spectre/Meltdown and Slingshot malware.

When it comes to web browsers, Firefox dominates the list of most prevalent common vulnerabilities and exposures (CVEs), accounting for 53pc of all high-severity vulnerabilities in this category, with the vast majority of them being two to eight years old. Many Internet Explorer vulnerabilities found date back to the last decade in some cases.

The top eight web browser CVEs affected more than 20pc of enterprises on a single assessment day, a significant number of high-severity web browser issues in business asset populations.

Tenable says threat management is a major obstacle

According to Tenable, 61pc of all vulnerabilities that enterprises detect in their environments are rated as ‘high-severity’, which means organisations are challenged to determine which of these represents a true risk deserving of limited remediation resources. On average, an enterprise finds 870 CVEs across 960 assets on a daily basis, leaving them with more than 548 vulnerabilities per day to assess and prioritise.

Many practitioners told Tenable that the vulnerabilities that made big news often forced teams to adjust their vulnerability management programmes. One participant said: “They [executives] hear something on the news and they go, ‘Now I’m going to get questions off these when I go in and I don’t want to look like an idiot because cyber is reporting to me. So, I have to look like I’m on top of things.’

“And, oftentimes for them, they don’t care really what the security issue is; it’s very much about how it impacts them directly.”

Which issues pose the largest risk?

Tom Parsons, senior director of product management at Tenable, said the key to reducing cyber risk is prioritising problems effectively. “To keep up with the current volume and velocity of new vulnerabilities, organisations need actionable insight into where their greatest exposures lie; otherwise, remediation is no more than a guessing game.

“This means organisations need to focus on vulnerabilities that are being actively exploited by threat actors rather than those that could only theoretically be used.”

“The research found that public exploits were only available for 7pc of all vulnerabilities in 2017, meaning 93pc of issues posed only a theoretical risk – this can make it difficult to understand which issues need remediation at all.”

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects