Despite the best intentions, most companies take an average of 100-120 days to patch vulnerabilities. And, many companies have critical vulnerabilities that go unpatched altogether.
That’s according to Kenna Security’s Remediation Gap report, which also found that the exploitation of these widespread holes is almost guaranteed: The probability of a vulnerability being exploited hits 90% between 40-60 days after discovery.
This means that the remediation gap, or time that a vulnerability is most likely to be exploited before it is closed, is nearly 60 days.
The report also found that automated attacks are on the rise: There have been over 1.2 billion successful exploits witnessed in 2015 to date, compared to 220 million successful exploits witnessed in 2013 and 2014 combined—an increase of 445%.
Unlike more widely publicized advanced persistent threats, these non-targeted attacks pose a much different challenge for security organizations. Rather than targeting a specific company, attackers attempt to exfiltrate valuable data from as many companies as possible, relying on automated tools and techniques to scale their attacks and exploit commonly found vulnerabilities.
The recent discovery of the Heartbleed vulnerability in the OpenSSL brought this to the forefront as a threat that exploited multiple targets at once.
“The public has grown plenty familiar with hackers seeking out a specialized target, such as Ashley Madison. But automated, non-targeted attacks still remain the most significant threat to businesses of all sizes,” said Karim Toubba, CEO of Kenna. “Every company has data that hackers want to get their hands on, but security teams remain one step behind their adversaries. Security teams need to move quickly to remediate critical vulnerabilities, but they don’t have the tools needed to keep pace with hackers.”
He added, “Companies will continue to face the cold reality that throwing people at the problem is no longer sufficient for remediating vulnerabilities and combatting the sheer volume of automated attacks. They need solutions that are as automated as the attacks that continue to hammer them—fixing vulnerabilities manually is no longer possible in the 'new normal.’”