Content, Content

Three in Four Vulnerability Management Programs Ineffective, NopSec Research Finds

Risk management and mitigation to reduce exposure for financial investment, projects, engineering, businesses. Concept with manager’s hand turning knob to low level. Reduction strategy.

How at risk are organizations to unsecured vulnerabilities in their networks? NopSec, a threat and exposure management provider, gives us the answers in a new study of some 430 cybersecurity professionals.

Are security teams finding successful approaches to their vulnerability management, or are “open doors around their attack surface” leaving them susceptible to disaster in their organization? The answer, as it turns out, is that some organizations are better at detection, response and remediation of their vulnerabilities.

Perhaps more importantly, others are not as locked down as they believe, according to the report. Keeping track of known vulnerabilities and responding quickly is one thing, but locating flaws they did not previously know existed is quite another.

Data Highlights from the Report

Prioritizing risk around exploitability and criticality is a top objective.

  • Other top objectives include identifying known vulnerabilities and gaining a clear picture of insider threats to their attack surface.

Seventy percent say their vulnerability management program (VMP) is only somewhat effective or worse.

  • Only 30% of respondents have a very effective VMP.
  • 36% said their program is at least somewhat effective.
  • 34% responded that their VMP was not very effective at all.

The top challenge is shadow IT.

  • Blind spots in the attack surface limiting visibility into total risk exposure is the top challenge for security teams.
  • A lack of trained staff to remediate vulnerabilities is another top challenge.

Teams have insufficient threat intelligence.

  • 53% of respondents said their organization does not consume third-party threat intel, such as penetration tests, vulnerability disclosures and IP or domain reputation scores.
  • 58% also do not use a risk-based rating system to prioritize vulnerabilities.

Vulnerabilities take too long to patch.

  • Only 18% said vulnerabilities require remediation within 24 hours of becoming known.
  • 62% of companies take 48 hours or longer — some more than two weeks —t o patch known critical vulnerabilities.

A rise in vulnerabilities.

  • 58% of companies that track the volume of vulnerabilities have seen them double, triple or quadruple over the past 12 months.
  • 22% reported the same level of vulnerabilities. Attacks are more sophisticated than ever. More than any other characterization, companies say they are seeing an increase in the sophistication of attacks.
  • Security teams are seeing more DDoS attacks.

Risk Calculates Vulnerability

Lisa Xu, NopSec chief executive, says the future of vulnerability is risk based:

"I often see that, without a risk-based approach to prioritizing the ever-growing list of vulnerabilities, organizations leave themselves exposed. What this report found is that some organizations have effective ways to detect, respond to, and remediate their vulnerabilities, while other organizations have more blind spots than they think.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.