The pace of vulnerability exploitation continues to snowball: Organizations are not able to secure the holes within their environment faster than cyber-criminals can wreak havoc.
A full 82% of organizations in a recent survey from NopSec indicated their current remediation process is broken, and 37% noted that current remediation processes need major improvement. The findings dovetail with the 2015 Verizon Data Breach Investigations Report, which found that 99.9% of vulnerabilities are still able to be exploited over a year after they were disclosed.
"Vulnerability scanners provide visibility into potential network, application and endpoint risks, but much of the value of that data is lost in a never-ending deluge of spreadsheets, ineffective business processes and lack of cross-team communication. Security teams are already drowning, and more data is not always the answer," added NopSec's vice president of strategy and operations, Kevin Ketts. "Organizations need clear visibility on what to fix, as well as when and how to fix it."
Even though organizations claim to be actively detecting threats across their environment—nearly 70% noted they scan on a daily or weekly basis—they are still lost when it comes to next steps.
More than half (51%) of organizations surveyed cited data overload as their biggest challenge to prioritizing data generated from vulnerability scanning, followed by lack of resources (46%) and too many false positives (34%).
Roadblocks to faster remediation include lack of resources (78%), competing priorities among internal teams (76%) and validity of vulnerability data/false positives (70%).
However, the boardroom might not fully understand the importance of vulnerability remediation—60% of those surveyed stated company executives are only "somewhat" to "not at all" informed about the risk posed to their business from today's security threats.
Organizations recognize the value of additional context with the majority of respondents (85%) citing the use of open-source, commercial threat intelligence feeds, or a combination of both, within their current vulnerability management programs.
Yet, security vulnerability prioritization is not as sophisticated—45% of respondents are still using basic risk forecasting based on the CVSS score, asset classification and/or manual processes.
Surprisingly, only 40% of the organizations surveyed stated they have metrics in place to measure the success of their vulnerability management program.
Organizations know that improving prioritization and remediation is critical to drastically reducing the risk of a data breach. Respondents called out three vulnerability management priorities in 2016: implementing tools to improve vulnerability and threat prioritization (50%), scanning networks and applications more frequently (42%), and improving communication between remediation teams (40%).
"Organizations are finally realizing that the compliance checklist mentality is not enough when it comes to vulnerability management, and that it is essentially worthless when it comes to actual remediation," noted Arnold Felberbaum, strategic advisor to NopSec, former CISO, and adjunct professor in Information Security at NYU Tandon School of Engineering, who also contributed to the survey. "Properly prioritizing vulnerabilities and working across teams to rapidly remediate the top threats is the only way we can close the gap and keep up with the onslaught of cyber-attacks."