Vulnerability management: Most orgs have a backlog of 100K vulnerabilities




The threat landscape never stands still. Almost every day there is a new vulnerability emerging in some form or another. In fact, according to NIST, there were 18,378 vulnerabilities reported in 2021, and most organizations' vulnerability management programs aren't fit for purpose.

Each of these vulnerabilities presents a potential entry point for attackers to exploit and gain access to sensitive information. However, many organizations lack the internal expertise or resources to patch these vulnerabilities at the pace required to keep their environments secure.

New research released by Rezilion and Ponemon Institute today found that 66% of security leaders report a vulnerability backlog of over 100,000 vulnerabilities. It also revealed that 54% say they were able to patch less than 50% of the vulnerabilities in the backlog.

Above all, the data indicates that the way most enterprises approach vulnerability management isn't scalable or fit for purpose, and it is providing cybercriminals with ample avenues to gain access to mission-critical data.



Why vulnerability management is proving difficult

The struggles of vulnerability management aren't necessarily new. According to NTT Application Security, the average time to fix a vulnerability in 2021 was 202 days. Rezilion's research also highlights that remediation is a problem, with 78% saying that high-risk vulnerabilities take longer than 3 weeks to patch.

At the heart of this failure to mitigate vulnerabilities effectively is the lack of the necessary tools.

"What it comes down to is a lack of tools, people and data to properly address this challenge. Respondents to the survey say there are a number of reasons why this is taking so long, including the long amount of time it takes and the complexity of the task," said CEO and cofounder of Rezilion, Liran Tancman.

"Some of the factors they mentioned include an inability to prioritize what needs to be fixed, and a lack of effective tools and a lack of resources. The lack of resources is no surprise as the talent crunch in security is well documented," Tancman said.

Tancman also highlights that few organizations have the visibility or context necessary to determine what needs patching, which makes tackling a backlog overwhelming.

Nowhere is this lack of visibility more clearly demonstrated than in many organizations' failure to patch Log4j: a report released earlier this year found that 70% of companies who had previously addressed the vulnerability in their attack surface are still struggling to patch Log4j-vulnerable assets and prevent new instances from resurfacing.

Automation is the answer

Fortunately, automation provides an effective answer to the challenge of vulnerability management by enabling security teams to automate the vulnerability scanning process and continuously identify exploits.

This not only decreases the time taken to remediate vulnerabilities, but frees up the security team to focus on more rewarding tasks. Rezilion's research suggests that automation can be a significant force multiplier for security teams, with 43% saying there was a significantly shorter time to respond.

It is worth noting that, for the best results, organizations should look to implement solutions that offer risk-based prioritization if they want to maximize the effectiveness of their vulnerability management program.

"One of the biggest changes you can make is to focus on the vulnerabilities that are being exploited in the wild. That should be the No.1 goal and will drive down the most risk the fastest," said Craig Lawson, VP Analyst at Gartner, in a blog post.

Providers like Tenable, Balbix and Seemplicity are all experimenting with risk-based vulnerability management to help security teams focus on patching high-risk vulnerabilities first, based on current exploitation activity and exposure, so that they don't waste time on lower-value vulnerabilities.
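The risk-based ordering described above, as an added example that is not code from Rezilion, Tenable or any other vendor named here: a small Python scorer that ranks a constructed backlog so that actively exploited, internet-exposed findings come first, and flags high-risk items that have sat longer than the 3-week window the research cites. The multipliers, the escalation threshold, the finding ids and the dates are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date

SLA_DAYS = 21          # the 3-week remediation window cited in the article
ESCALATE_AT = 15.0     # assumed risk score above which an overdue finding is escalated
AS_OF = date(2022, 9, 1)  # constructed "today" for the sample run


@dataclass(frozen=True)
class Finding:
    vuln_id: str             # constructed placeholder id, not a real CVE number
    cvss: float              # CVSS base score, 0.0 to 10.0
    exploited_in_wild: bool  # known active exploitation, e.g. from a KEV-style feed
    internet_exposed: bool   # affected asset is reachable from the internet
    first_seen: date         # when the scanner first reported the finding


def risk_score(f: Finding) -> float:
    """Severity is the baseline; exploitation and exposure multiply it, so a
    medium-CVSS flaw under active attack outranks an unexploited critical one."""
    score = f.cvss
    if f.exploited_in_wild:
        score *= 3.0   # assumed weight: exploited-in-the-wild is the No.1 signal
    if f.internet_exposed:
        score *= 2.0   # assumed weight for external exposure
    return round(score, 1)


def is_overdue(f: Finding, today: date) -> bool:
    """High-risk findings older than the SLA are the ones to escalate first."""
    return risk_score(f) >= ESCALATE_AT and (today - f.first_seen).days > SLA_DAYS


def prioritise(backlog, today):
    """Return (id, score, overdue) tuples, highest risk first."""
    ranked = sorted(backlog, key=risk_score, reverse=True)
    return [(f.vuln_id, risk_score(f), is_overdue(f, today)) for f in ranked]


# Constructed sample backlog; ids, scores and dates are made up for illustration.
SAMPLE_BACKLOG = [
    Finding("VULN-0001", 9.8, False, False, date(2022, 8, 1)),   # critical, internal, not exploited
    Finding("VULN-0002", 7.5, True,  True,  date(2022, 7, 1)),   # high, exploited, exposed, old
    Finding("VULN-0003", 5.3, True,  False, date(2022, 8, 20)),  # medium but exploited
    Finding("VULN-0004", 4.0, False, True,  date(2022, 6, 1)),   # medium, exposed, old
    Finding("VULN-0005", 9.1, False, True,  date(2022, 8, 25)),  # critical, exposed, recent
]

if __name__ == "__main__":
    for vuln_id, score, overdue in prioritise(SAMPLE_BACKLOG, AS_OF):
        print(f"{vuln_id} score={score:5.1f} overdue={overdue}")
```

Run as a script it prints the backlog in the order a team would work it: the exploited medium-severity finding lands above the unexploited critical one, and only the old, exploited, exposed item is flagged as overdue.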

