Unpatched Vulnerabilities Caused Breaches in 27% of Orgs, Finds Study
In May 2019, Verizon Enterprise released the 12th edition of its Data Breach Investigations Report (DBIR). Researchers analyzed a total of 41,686 security incidents, of which there were 2,013 data breaches, for the publication. More than half (52 percent) of those reported breaches involved some form of hacking.
The report listed the most prominent hacking variety and vector combinations, with “vulnerability exploitation” making the top three. As this has continued to remain a long-standing problem over the years, how are organizations addressing vulnerabilities today?
To answer that question, Tripwire partnered with Dimensional Research to survey 340 information security professionals about trends in vulnerability management (VM).
A Lack of Focus on Managing Vulnerabilities
Tripwire’s study revealed that many organizations could be doing more to manage their vulnerabilities. Supporting this conclusion, 27 percent of survey participants said their employer had suffered a data breach as the result of an unpatched vulnerability. The rate was even higher for European organizations at 34 percent.
It’s not that organizations have no means of recourse, however. They can reduce significant cybersecurity risk with a strategic vulnerability management program. This starts with obtaining visibility of their attack surface. This requires the ability to detect new hardware and software that connect to the network.
Speed is key when it comes to network visibility. Unfortunately, many survey participants disclosed that their employers didn’t have it. More than a fifth (21 percent) of IT security professionals told Tripwire that it took their organizations a matter of days to detect new IT assets. For 10 percent, it was months or longer, while 11 percent admitted that their employer lacked the ability to discover new hardware and software altogether.
Tim Erlin, vice president of product management and strategy at Tripwire, said this lack of asset discovery capabilities is a problem because it limits the overall effectiveness of an enterprise vulnerability management program:
Finding vulnerabilities is just a part of an effective vulnerability management program. It’s important for organizations to focus on building a program instead of deploying a tool. Vulnerability management has to include asset discovery, prioritization and remediation workflows in order to be effective at reducing risk.
Visibility wasn’t the only thing that was lacking from organizations’ vulnerability management strategies. Tripwire also found that organizations’ overall approach to VM left room for improvement. Half of survey participants revealed that their employers had only enough resources to apply their program to high-severity vulnerabilities, while 16 percent of respondents said that vulnerability scans were conducted solely to meet compliance or other requirements.
Given these strategic shortcomings, it’s no surprise that some VM programs lacked substance. Twelve percent of IT security professionals told Tripwire that their employers don’t run vulnerability scans. Of the 88 percent that did, only 63 percent revealed that they run authenticated scans.
Erlin explained: “How you assess your environment for vulnerabilities is important if you want to effectively reduce your risk. If you are not doing authenticated vulnerability scans, or not using an agent, then you are only giving yourself a partial picture of the vulnerability risk in your environment.”
Setting a VM Program on the Right Track
So what’s stopping organizations from addressing these shortcomings? The greatest percentage of survey respondents (78 percent) told Tripwire that their people and processes were the biggest challenge. That’s not too surprising given the industry’s skills gap.
In a previous blog post, Erlin suggests approaches to this challenge.
The skills gap doesn’t have to be an operational gap. Security teams shouldn’t overburden themselves by trying to do everything on their own. They can partner with trusted vendors for managed services or subscribe to service plans where outside experts can act as an extension of the team.
The research findings show a lot of opportunities for organizations to improve their security posture through better vulnerability management. To read the full report, including additional findings on patchings, please click here.