Information security professionals are in an arms race against their digital adversaries, and they are in danger of falling further behind. It is not just the sheer number of vulnerabilities, which rises year after year, but also the severity of those that do arise and the growing number of attacks aimed at the shifting map of technology risk inside organizations.
This means that security and operations teams must remediate vulnerable systems quickly or pay the consequences. However, many organizations struggle to assess and patch their systems fast enough to stay ahead of threats, according to CRA’s July Vulnerability Management Study.
Based on responses from 213 security professionals, the study found that respondents struggle with the time needed to patch and resolve vulnerabilities, high false-positive rates, inefficient prioritization of vulnerabilities, ineffective responses, and the use of multiple vulnerability management tools and vendors instead of a single unified platform. Unfortunately for some organizations, a lack of budget, time, and qualified staff threatens their ability to ever acquire or implement an effective vulnerability management program.
Here are some of the study’s leading takeaways:
- Code vulnerabilities will remain a prevailing concern for several months. Virtually all respondents are concerned about current and future vulnerabilities and threats to their organizations. Nearly half (45%) said they are very or extremely concerned about vulnerabilities in the next 12 months. The time required to patch vulnerabilities is among their top three concerns, according to half of all respondents. A significant share (48%) also cited their concern about the expanding attack surface, while one-third said they are concerned about the high volume of vulnerabilities they are dealing with.
- Fear of ransomware drives vulnerability management strategies. For more than half (55%) of those surveyed, the driving force behind the evolution of their vulnerability management strategies is the fear of ransomware. Accordingly, organizations are taking a more aggressive and proactive stance towards vulnerability management compared with several years ago, implementing more robust vulnerability management programs that include increased scanning, expanded coverage of assets, improved patch management, continuous vulnerability monitoring, and automated solutions.
- Most organizations run regular vulnerability scanning programs. As part of their vulnerability management programs, 9 out of 10 respondents reported that their organization performs internal vulnerability scans, and a clear majority (70%) also perform external scans. The largest share (52%) said they scan daily or multiple times per day, while another 22% scan weekly. About one-third (32%) estimated that their scanners detect an average of up to 10 vulnerabilities per scan, while 1 in 4 reported 11 to 50 vulnerabilities per scan. Among those detected vulnerabilities, a significant majority of respondents (72%) find one or more to be critical: roughly half (54%) estimated an average of up to 10 critical vulnerabilities per scan, and another 18% reported more than 10.
- Companies know they have to add automated remediation capabilities. Respondents are most likely to be equipped with patch management (75%), asset discovery/management (67%), continuous monitoring (66%), and configuration management (63%) capabilities. Only about 1 in 4 (26%) reported that they currently have automated remediation, the lowest adoption rate among the capabilities listed. However, nearly half (46%) said they plan to add it to their vulnerability management programs, making it potentially the most sought-after enhancement in vulnerability management for the near future.
- The vast majority say budgets for vulnerability management will increase in the year ahead. While some acknowledged that they don’t know which tool is right for them or lack the budget to purchase one, more than two-thirds (69%) of all respondents said their budget or spending on vulnerability management will increase in the next 12 months.
Organizations are doing what they can to better manage their system vulnerabilities, from improving asset discovery to embracing continuous security assessment and automated remediation. They have no choice: they must keep innovating and adopting new technologies just as the attackers keep innovating.
One thing’s for certain: The attackers will keep finding better ways to exploit inevitable vulnerabilities in code.