Rushing to patch newly disclosed vulnerabilities may not be worth the effort, according to a report from Kenna Security and the Cyentia Institute published Tuesday. The report indicates that only “about one-third of published CVEs are actually observed in live enterprise environments,” and that only 5% are both observed and known to be actively exploited by malicious actors.
Rather than focusing on applying every new patch, the report suggests organizations tackle security from the vantage point of prioritization. With over 110,000 CVEs published (and roughly 300 new CVEs published per week in 2018), staying current with vulnerabilities as they are uncovered is likely to become overwhelming, and doing so can overextend IT security professionals. Turning patching into a numbers game easily leads to a higher number of low-risk vulnerabilities being patched, diverting attention from the high-risk vulnerabilities that require more effort to patch.
Visualizing the issue elucidates the challenge IT security professionals face. A previous report from Kenna Security claims that a vulnerability is seven times more likely to be exploited in the wild when public exploit code exists. With roughly one-third of published CVEs observed in live environments, this leaves approximately 5,000 CVEs that are both observed and actively exploited, and these are where priority should be placed.
Know your vendors, know your vulnerabilities
Knowing where vulnerabilities originate is key to strategizing your approach to handling them. According to the report, Oracle, Microsoft, and Adobe are responsible for seven in 10 vulnerabilities, though given the reach of those three vendors in the enterprise, this should not be surprising.
Of open vulnerabilities, 18.4% are related to Java, with Adobe Acrobat (7.5%) in second, and Windows 10 (3.2%) in third. Microsoft products (Windows, Internet Explorer) round out the fourth through ninth positions, with Flash Player in tenth, at 2.3%.
Due to the extensive security issues present in Java, organizations have taken to simply banning the runtime from workstations, undercutting the need for security updates and eliminating the time spent on them. Likewise, organizations that rely exclusively on Google Chrome to provide Adobe Flash eliminate the patching time required, as Chrome’s NaCl implementation of Flash is baked into browser updates.
How to prioritize
The report provides the following three tips for improving your patching strategy:
- Improve an overly simple or overly complex decision-making tree for vulnerability remediation.
- Measure your results, using self-analysis questions like “Could we measure this, why or why not, and what would it show if we did?”
- Record your response to the next priority vulnerability, to see how effective your strategy is: “Start the clock from the date of discovery, tally the number of systems affected, and track how that changes over time through scanning, pen tests, etc.,” according to the report. “If you can, try this with a few different sources/types of vulnerabilities to see if the curve varies.”
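As an added example (not code from the report or this article), here is a small Python implementation of the two practices above: sorting a vulnerability inventory into the report's priority order (observed and actively exploited first, never-observed last) and tracking the remediation curve from the date of discovery using successive scan results. The CVE ids, host names and dates are constructed sample data, not real findings.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Vuln:
    cve: str                 # identifier (constructed placeholder values below)
    observed: bool           # seen on at least one asset in our environment
    public_exploit: bool     # exploit code is publicly available
    exploited_in_wild: bool  # known active exploitation

def tier(v: Vuln) -> int:
    """Lower tier number = patch first. Mirrors the report's ordering:
    observed + exploited > observed + public exploit > observed > not observed."""
    if not v.observed:
        return 4   # not present in the environment: defer, do not spend patch cycles
    if v.exploited_in_wild:
        return 1
    if v.public_exploit:
        return 2   # public exploit code makes exploitation far more likely
    return 3

def prioritize(vulns):
    """Return the vulns sorted by tier, then by CVE id for a stable order."""
    return sorted(vulns, key=lambda v: (tier(v), v.cve))

def remediation_curve(discovered: date, scans):
    """Start the clock at discovery and tally affected hosts per scan.
    scans: iterable of (scan_date, set_of_affected_hosts).
    Returns [(days_since_discovery, affected_count), ...] in date order."""
    points = sorted((d, len(hosts)) for d, hosts in scans)
    return [((d - discovered).days, n) for d, n in points]

# Constructed sample inventory (CVE ids are placeholders, not real CVEs)
INVENTORY = [
    Vuln("CVE-0000-0001", observed=True, public_exploit=True, exploited_in_wild=True),
    Vuln("CVE-0000-0002", observed=False, public_exploit=True, exploited_in_wild=True),
    Vuln("CVE-0000-0003", observed=True, public_exploit=False, exploited_in_wild=False),
    Vuln("CVE-0000-0004", observed=True, public_exploit=True, exploited_in_wild=False),
]

# Constructed scan history for one vulnerability: affected hosts shrink as patches land
DISCOVERED = date(2019, 4, 28)
SCANS = [
    (date(2019, 5, 1), {"h1", "h2", "h3", "h4"}),
    (date(2019, 5, 8), {"h2", "h4"}),
    (date(2019, 5, 15), {"h4"}),
]

if __name__ == "__main__":
    for v in prioritize(INVENTORY):
        print(tier(v), v.cve)
    print(remediation_curve(DISCOVERED, SCANS))
```

Feeding the curve for several vulnerability sources into the same function lets you compare, as the report suggests, whether the slope differs by source or type.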
The big takeaways for tech leaders:
- Roughly 300 new CVEs published per week in 2018, while the total number of CVEs is over 110,000. – Kenna Security, 2019
- Oracle, Microsoft, and Adobe are responsible for seven in 10 vulnerabilities. – Kenna Security, 2019