Instead of trying to find and patch every vulnerability for customers, it might be time for MSSPs and CISOs to rethink their risk mitigation strategies. To understand why, consider the math:
The result: Even the best staffed and resourced IT teams cannot fix all of the vulnerabilities across their infrastructures, said Kenna Security, a risk-based vulnerability management specialist that operates as a unit of Cisco Systems.
Stated another way: Properly prioritizing which vulnerabilities to fix is more effective than increasing an organization's capacity to patch them, Kenna believes. Better still, possessing both capabilities can lower an entity's measured exploitability by 29 times, the company's researchers said in the eighth volume of its wider study Prioritization to Prediction, entitled Measuring and Minimizing Exploitability.
High-Risk Vulnerabilities: What the Data Says
In the decade from 2010 to 2020, Kenna assigned a total of 203 CVEs its highest risk score of 100. Security teams should move away from prioritizing fixes by CVSS score and instead focus on high-risk vulnerabilities, said Ed Bellis, Kenna's co-founder and chief technology officer. "Exploitations in the wild used to be the best indicator for which vulnerabilities security teams should prioritize," he said. "Now we can show the likelihood of a particular organization being exploited…This gives organizations a much better chance at combating potential cyber threats effectively."
Exploitability was determined using the open Exploit Prediction Scoring System (EPSS), a cross-industry effort maintained by FIRST.org whose contributors include Kenna and the Cyentia Institute, Kenna's partner in the research.
Some additional findings from the research include:
- 95% of IT assets have at least one highly exploitable vulnerability.
- Prioritizing vulnerabilities with exploit code is 11 times more effective than CVSS in minimizing exploitability.
- Mentions on Twitter have roughly 2x better signal-to-noise ratio than CVSS.
- 87% of organizations have open vulnerabilities in at least a quarter of their active assets, and 41% of them show vulnerabilities in three of every four assets.
- 62% of vulnerabilities have less than a 1% chance of exploitation. Only 5% of CVEs exceed 10% probability.
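As an added illustration of the prioritization argument above (this is not Kenna's model or data), the following Python ranks a constructed vulnerability inventory three ways and compares how much exploitability is left open when only a fixed number of fixes can be made. The residual metric (the sum of EPSS probabilities of still-open vulnerabilities), the CVE ids, and all scores are assumed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str              # placeholder id, not a real CVE
    cvss: float           # CVSS base score, 0-10
    epss: float           # assumed EPSS probability of exploitation, 0-1
    exploit_public: bool  # whether exploit code is publicly available


# Constructed sample inventory; scores are illustrative, not real EPSS/CVSS data.
INVENTORY = [
    Vuln("CVE-EXAMPLE-0001", 9.8, 0.020, False),
    Vuln("CVE-EXAMPLE-0002", 7.5, 0.850, True),
    Vuln("CVE-EXAMPLE-0003", 9.1, 0.010, False),
    Vuln("CVE-EXAMPLE-0004", 6.5, 0.400, True),
    Vuln("CVE-EXAMPLE-0005", 5.3, 0.003, False),
    Vuln("CVE-EXAMPLE-0006", 8.8, 0.005, False),
]

# Three ways to order the patch queue: severity only, predicted exploitation
# probability, or "has public exploit code" with CVSS as the tie-breaker.
STRATEGIES = {
    "cvss": lambda v: v.cvss,
    "epss": lambda v: v.epss,
    "exploit_code": lambda v: (v.exploit_public, v.cvss),
}


def residual_exploitability(open_vulns):
    """Assumed metric: expected number of exploited vulns among those still open."""
    return sum(v.epss for v in open_vulns)


def patch(vulns, key, capacity):
    """Fix the top `capacity` items under ordering `key`; return what stays open."""
    ranked = sorted(vulns, key=key, reverse=True)
    return ranked[capacity:]


def compare(vulns, capacity):
    """Residual exploitability per strategy for a fixed patching capacity."""
    return {name: round(residual_exploitability(patch(vulns, key, capacity)), 4)
            for name, key in STRATEGIES.items()}


if __name__ == "__main__":
    for strategy, residual in compare(INVENTORY, capacity=2).items():
        print(f"{strategy:>13}: residual exploitability {residual}")
```

With capacity for only two fixes, the CVSS-ordered queue spends both on low-probability flaws and leaves most of the expected exploitation open, while ordering by EPSS or exploit-code availability removes almost all of it, which is the effect the findings above describe.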
Kenna's Methodology Explained
Kenna said its methodology maps to Binding Operational Directive 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, issued by the Cybersecurity and Infrastructure Security Agency (CISA) in November 2021. The directive orders federal agencies to immediately fix hundreds of known hardware and software vulnerabilities already exploited by threat actors to attack government networks and systems. It covers about 90 known security flaws identified in 2021 and roughly another 200 observed in use by hackers dating back to 2017, and applies to federal executive branch departments and agencies.
The order has multiple implications for managed security service providers (MSSPs), including:
- MSSPs that proactively patched government systems before the order arrived could potentially solidify their reputations within and across U.S. government agencies.
- Government-focused MSSPs late to the patching effort could be left scrambling to close agency vulnerabilities.
- MSSPs seeking to enter the U.S. government market or expand their vertical market footprint can pitch vulnerability assessment and patch management services to help win business.