Vulnerability management strategies based on responding to published - and patched - CVE vulnerabilities are fatally flawed, according to a new in-depth report.
An extensive survey designed to test the effectiveness of industry-standard responses to vulnerability management found that simply patching new disclosures in a cycle is roughly as effective as, or even less effective than, addressing vulnerabilities at random.
The researchers compared 15 different remediation strategies against a strategy of fixing vulnerabilities at random - more than half of the strategies were no more effective than simply relying on chance.
Ed Bellis, CTO of Kenna Security, told SC Media UK: “While thousands of new vulnerabilities are published annually, the Prioritisation to Prediction research report indicates that only two percent of vulnerabilities are actively exploited by hackers. The problem for CISOs is they typically have no idea which vulnerabilities will be exploited in advance of exploitation. This makes it nearly impossible to take a proactive approach for remediation and get ahead of the attackers.
“CISOs could deploy their resources much more effectively if they considered predictive models for vulnerability prioritisation. The research suggests that machine-learning-based technologies aimed at vulnerability risk prediction are two to eight times more effective than 15 other models assessed by the researchers.”
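The comparison the report describes, prioritisation strategies measured against a random baseline under the same remediation budget, as an added example that is not part of the article or of Kenna's or the Cyentia Institute's own work. It uses a constructed inventory with a two percent exploitation rate, a hypothetical predictor score, and assumed metrics (coverage: share of exploited vulnerabilities fixed; efficiency: share of fixes that were exploited):

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    cve: str          # placeholder id, not a real CVE number
    cvss: float       # CVSS base score (severity)
    predicted: float  # hypothetical model's exploitation probability
    exploited: bool   # ground truth, known only after the fact

def make_inventory(n=1000, exploited_rate=0.02, seed=1):
    """Constructed inventory: ~2% exploited, mirroring the report's figure."""
    rng = random.Random(seed)
    inv = []
    for i in range(n):
        exploited = rng.random() < exploited_rate
        # severity drawn independently of exploitation: CVSS alone carries no signal here
        cvss = round(rng.uniform(2.0, 10.0), 1)
        # hypothetical predictor: noisy but informative (higher for exploited vulns)
        predicted = min(1.0, max(0.0, rng.gauss(0.6 if exploited else 0.1, 0.2)))
        inv.append(Vuln(f"CVE-XXXX-{i:05d}", cvss, predicted, exploited))
    return inv

def remediate(inventory, strategy, budget, seed=0):
    """Pick the `budget` vulnerabilities a strategy would fix first."""
    if strategy == "random":
        return random.Random(seed).sample(inventory, budget)
    keys = {"cvss": lambda v: v.cvss, "predicted": lambda v: v.predicted}
    return sorted(inventory, key=keys[strategy], reverse=True)[:budget]

def score(inventory, fixed):
    """Coverage: share of exploited vulns fixed. Efficiency: share of fixes that mattered."""
    exploited_total = sum(v.exploited for v in inventory)
    hits = sum(v.exploited for v in fixed)
    coverage = hits / exploited_total if exploited_total else 0.0
    efficiency = hits / len(fixed) if fixed else 0.0
    return coverage, efficiency

def compare(inventory, budget=100):
    """Score each strategy under the same remediation budget."""
    return {s: score(inventory, remediate(inventory, s, budget))
            for s in ("random", "cvss", "predicted")}

if __name__ == "__main__":
    for name, (cov, eff) in compare(make_inventory()).items():
        print(f"{name:10s} coverage={cov:.2f} efficiency={eff:.2f}")
```

With severity drawn independently of exploitation, the CVSS-ordered strategy lands close to the random baseline, while the informative predictor covers most exploited items within the same budget.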
The report found that the volume of vulnerability discovery is increasing fast, with an average of 40 new vulnerabilities every single day (including weekends) being logged in 2017, and 2018 on trend to match or beat that figure. Adding to the pressure on internal security teams, the greatest number of exploits are published in the first months after a vulnerability is released, and 50 percent of exploits are published within two weeks of a new vulnerability. This intuitive surge effect means that enterprises have, on average, 10 working days to identify and fix the vulnerabilities that pose them the greatest risk.
Bellis went on to argue that the current CVE severity classification model was not sufficient to indicate the risk of exploitation, and said there was a case for a new ‘highly likely to be exploited’ categorisation of vulnerability: “Absolutely - The Kenna Platform classifies vulnerabilities as highly likely to be exploited based on a predictive model that parses the same data we provided to the Cyentia Institute for analysis. Leveraging machine learning and the right data, organisations today can see which threats pose the greatest overall risk to their infrastructures and focus their resources accordingly.”
Kenna Security partnered with the Cyentia Institute to build the report, which analysed five years of historical vulnerability data: millions of data points compiled from over 15 sources. A total of 94,597 Common Vulnerabilities and Exposures (CVE) entries from MITRE were also used in this research.