Enterprise vulnerability management as effective as 'random chance'
New research suggests that predictive models could pave the way for more efficient cybersecurity remediation strategies.
The enterprise is not up to speed when it comes to cybersecurity remediation strategies, it seems.
According to a new report by Kenna Security and the Cyentia Institute, a lack of planning and structure in patch management, vulnerability fixes, and cybersecurity risk management has led to cybersecurity strategies which are based on chance and luck, rather than organized vulnerability resolution models.
Released on Tuesday, the research, dubbed "Prioritization to Prediction: Analyzing Vulnerability Remediation Strategies," further suggests that the volume of vulnerabilities which impact the enterprise is on the rise.
Since Mitre's inception and up to January 2018, over 120,000 Common Vulnerabilities and Exposures (CVE) entries have been created. In total, roughly 21,000 are 'reserved,' in other words, they are security flaws which have been allocated an identifier but whose specific details have not yet been made public.
Kenna Security and the Cyentia Institute analyzed 94,597 CVEs from Mitre alongside millions of security data points collected from multiple sources, including the SANS Internet Storm Center, Secureworks CTU, AlienVault's OSSIM, and ReversingLabs.
(The researchers dismissed some records from Mitre's overall 120,000 in their analysis as unverifiable or as in dispute.)
According to the cybersecurity firm's analysis of public vulnerabilities, in 2017 alone businesses were forced to decide how to address an average of 40 new vulnerabilities per day.
With so many new vulnerabilities being published, some businesses may flounder when it comes to developing effective patch strategies.
Speed is another issue that may prove to be a challenge to the enterprise.
The greatest number of exploits leveraging new vulnerabilities are developed and published in the first month after release, with 50 percent of exploits published, on average, within the first 14 days.
When exploit code has been developed, the chance of a vulnerability being exploited in the wild is seven times higher on average. At the time of writing, the share of CVEs with associated exploit code is 22 percent.
Only one percent of exploits emerge after a year has passed.
Realistically, in order to keep critical business systems protected, companies have roughly 10 working days to check whether or not they are affected by a new bug and patch the problem.
This can become a hunt for a needle in a haystack depending on whether or not a business utilizes third-party applications, cloud and off-premise services, mobile devices, the Internet of Things (IoT), and open-source components.
However, the vast majority of bugs -- 77 percent -- are never used in exploits, and only an estimated two percent are utilized in cyberattacks.
In order to remediate these vulnerabilities, enterprises must, therefore, weigh up risk and efficiency. If resolving a security flaw is not cost-effective, companies are less likely to do so -- and when firms are floating in an ocean of bugs, remediating each and every one is just as inefficient as dealing with some vulnerabilities at random.
In addition, vulnerability management has to focus properly on the most critical areas, as a patch program which is either too narrow or too broad will fail.
The team compared 15 common remediation strategies against resolving vulnerabilities at random. According to the report, many current approaches to prioritizing and fixing vulnerabilities are roughly as effective as, or less effective than, addressing security flaws at random.
"Successful vulnerability management, then, balances the two opposing goals of coverage (fix everything that matters) and efficiency (delay/deprioritize what doesn't matter)," the report says. "This is the crux of the remediation prioritization challenge."
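To make the coverage/efficiency trade-off and the comparison against random concrete, here is an added illustration that is not part of the report or Kenna's own tooling: it scores a few simple strategies over a constructed set of ten CVE records (placeholder IDs, invented CVSS scores and labels) and compares them with a random baseline that fixes the same number of CVEs, using coverage and efficiency as the quote defines them.

```python
import random

# Constructed sample (placeholder IDs, invented values), one tuple per CVE:
# (cve_id, cvss_base_score, public_exploit_code, exploited_in_wild)
SAMPLE_CVES = [
    ("CVE-0000-0001", 9.8, True, True),
    ("CVE-0000-0002", 7.5, False, False),
    ("CVE-0000-0003", 5.3, True, True),
    ("CVE-0000-0004", 8.1, False, False),
    ("CVE-0000-0005", 4.3, False, False),
    ("CVE-0000-0006", 9.1, True, False),
    ("CVE-0000-0007", 6.5, False, False),
    ("CVE-0000-0008", 7.2, True, True),
    ("CVE-0000-0009", 3.1, False, False),
    ("CVE-0000-0010", 8.8, False, False),
]

def coverage_and_efficiency(cves, should_fix):
    """coverage = exploited CVEs that get fixed / all exploited CVEs (recall);
    efficiency = exploited CVEs that get fixed / all CVEs fixed (precision)."""
    fixed = [c for c in cves if should_fix(c)]
    exploited = [c for c in cves if c[3]]
    hits = [c for c in fixed if c[3]]
    coverage = len(hits) / len(exploited) if exploited else 0.0
    efficiency = len(hits) / len(fixed) if fixed else 0.0
    return coverage, efficiency

# Simple strategies: patch everything, patch by CVSS alone, patch what has exploit code.
STRATEGIES = {
    "fix everything": lambda c: True,
    "CVSS >= 7.0 only": lambda c: c[1] >= 7.0,
    "public exploit code": lambda c: c[2],
}

def random_baseline(cves, k, trials=2000, seed=0):
    """Average coverage/efficiency when k CVEs are picked to fix at random."""
    rng = random.Random(seed)
    cov_sum = eff_sum = 0.0
    for _ in range(trials):
        chosen = set(rng.sample([c[0] for c in cves], k))
        cov, eff = coverage_and_efficiency(cves, lambda c: c[0] in chosen)
        cov_sum += cov
        eff_sum += eff
    return cov_sum / trials, eff_sum / trials

def compare_strategies(cves):
    """Score each strategy plus a random baseline at the CVSS strategy's effort."""
    results = {name: coverage_and_efficiency(cves, fn) for name, fn in STRATEGIES.items()}
    k = sum(1 for c in cves if STRATEGIES["CVSS >= 7.0 only"](c))
    results["random, same effort as CVSS"] = random_baseline(cves, k)
    return results
```

On this toy data the CVSS-only strategy lands almost exactly on the random baseline at equal effort, which is the kind of result the report describes; a strategy that uses exploit-code signals sits well above it on both axes.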
Kenna Security and the Cyentia Institute suggest that predictive models based on analytics and machine learning may offer a way to maintain this balance, as well as indicate which vulnerabilities IT staff should focus on resolving.
The researchers split the CVE records into two random groups: the first was used as a data set for generating predictive models with different variables, and the second was used to evaluate the conclusions of the model.
The CVSS score, product popularity among vendors, keywords and phrases, and a number of other variables were included in the system. CVSS scores and vendor categories do not work well on their own as indicators of risk, but when all of the variables were included in the evaluation, the model produced the best results for both efficiency and coverage.
"Success and failure of enterprise security teams and its leaders should be measured, tracked and adjusted based on metrics that can accurately quantify risk and the impact of efforts to reduce them, not a simple number of vulnerabilities closed," the report says. "Comprehensive and unified metrics enable enterprises to understand the effectiveness of remediation strategies based on overall impact instead of the amount of effort."
However, not all vulnerabilities -- and not all businesses -- are created equal, and so different models could be developed to help companies ranging from SMBs to large enterprise players.
For example, one model could be built for SMBs with limited resources and tailored towards the CVEs most likely to be exploited, while others may focus on broad coverage rather than efficiency alone, and vice versa.
"Effective remediation depends on quickly determining which vulnerabilities warrant action and which of those have highest priority, but prioritization remains one of the biggest challenges in vulnerability management," said Karim Toubba, CEO of Kenna Security. "Businesses can no longer afford to react to cyber threats, as the research shows that most common vulnerability remediation strategies are about as effective as rolling dice."
"A predictive model based on cutting-edge data science is more efficient, requires less effort, and provides better coverage of an enterprise's attack surface," the executive added.