Data from the recently published Security Navigator report shows that businesses are still taking 215 days to patch a reported vulnerability. Even for critical vulnerabilities, remediation generally takes more than six months.
Good vulnerability management is not about patching every potential weakness as fast as possible. It is about focusing on real risk: using vulnerability prioritization to fix the flaws that matter most and to shrink the company's attack surface the most. Company data (which assets are exposed, and how critical they are to the business) and threat intelligence (which vulnerabilities are actually being exploited) need to be correlated, and that correlation needs to be automated, so that internal teams can focus their remediation effort where it counts. Suitable technology can take the shape of a global Vulnerability Intelligence Platform: such a platform prioritizes vulnerabilities using a risk score and lets companies concentrate on their real organizational risk.
Three facts to keep in mind before establishing an effective vulnerability management program:
1. The number of discovered vulnerabilities increases every year. With an average of 50 new vulnerabilities disclosed every day, it is clearly impossible to patch them all.
2. Only a minority of vulnerabilities are actively exploited, and those represent a very high risk to all organizations. Around 6% of all vulnerabilities are ever exploited in the wild, so the burden can be reduced by focusing on that real risk.
3. The same vulnerability can have a completely different impact on the business and on the infrastructure of two distinct companies, so both the business exposure and the severity of the vulnerability need to be considered.
Based on these facts, there is no point in trying to patch every vulnerability. Instead, remediation should focus on the vulnerabilities that pose a real risk, based on the threat landscape and the organizational context.
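To make the correlation of severity, threat intelligence and business exposure concrete, here is an added example (not code from the page, from the Security Navigator report, or from any Vulnerability Intelligence Platform) of a risk score that ranks findings by combining the scanner's CVSS base score, an exploited-in-the-wild flag, and the asset's exposure and business criticality. The weights, the asset names, the EXAMPLE-000x vulnerability identifiers and the exploited set are all constructed assumptions; in a real deployment the exploited set would be fed from threat intelligence such as the CISA KEV catalog, and the asset attributes from the CMDB or asset inventory.

```python
"""Risk-based vulnerability prioritization: a constructed worked example.

Added illustration, not the page's or any vendor's scoring logic. The
weights, assets, finding identifiers and the "exploited" set are made up.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    business_criticality: int  # 1 (low) .. 5 (crown jewels), set by the asset owner


@dataclass(frozen=True)
class Finding:
    vuln_id: str   # placeholder identifier, not a real CVE
    asset: Asset
    cvss: float    # base severity reported by the scanner, 0.0 .. 10.0


# Constructed stand-in for a threat-intelligence feed listing vulnerabilities
# known to be exploited in the wild (the page's "around 6%").
EXPLOITED_IN_THE_WILD: set[str] = {"EXAMPLE-0002", "EXAMPLE-0004"}

# Constructed asset inventory: same company, three very different exposures.
WEB_PORTAL = Asset("web_portal", internet_facing=True, business_criticality=5)
HR_DB = Asset("hr_db", internet_facing=False, business_criticality=4)
DEV_BOX = Asset("dev_box", internet_facing=False, business_criticality=1)

# Constructed scanner output. EXAMPLE-0001 appears twice on purpose: the
# same vulnerability on an isolated dev box and on the internet-facing portal.
FINDINGS = [
    Finding("EXAMPLE-0001", DEV_BOX, cvss=9.8),
    Finding("EXAMPLE-0001", WEB_PORTAL, cvss=9.8),
    Finding("EXAMPLE-0002", WEB_PORTAL, cvss=7.5),
    Finding("EXAMPLE-0003", HR_DB, cvss=9.1),
    Finding("EXAMPLE-0004", DEV_BOX, cvss=6.5),
]


def risk_score(f: Finding, exploited: set[str]) -> float:
    """Hypothetical formula: severity x threat x exposure.

    severity : CVSS base score (0..10)
    threat   : x3 if exploited in the wild, else x1
    exposure : internet-facing assets count double, scaled by criticality/5
    Maximum possible score is 10 * 3 * 2 = 60.
    """
    threat = 3.0 if f.vuln_id in exploited else 1.0
    exposure = (2.0 if f.asset.internet_facing else 1.0) * f.asset.business_criticality / 5.0
    return round(f.cvss * threat * exposure, 2)


def prioritize(findings: list[Finding], exploited: set[str] = EXPLOITED_IN_THE_WILD) -> list[Finding]:
    """Risk-based ordering: highest organizational risk first."""
    return sorted(findings, key=lambda f: risk_score(f, exploited), reverse=True)


def severity_only(findings: list[Finding]) -> list[Finding]:
    """The naive ordering most teams start with: CVSS only, context ignored."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def remediation_plan(findings: list[Finding], budget: int,
                     exploited: set[str] = EXPLOITED_IN_THE_WILD) -> list[str]:
    """Top-N findings a team with capacity for `budget` fixes should take first."""
    return [f"{f.vuln_id}@{f.asset.name}" for f in prioritize(findings, exploited)[:budget]]


if __name__ == "__main__":
    print("CVSS-only order:")
    for f in severity_only(FINDINGS):
        print(f"  {f.cvss:4.1f}  {f.vuln_id}@{f.asset.name}")
    print("Risk-based order:")
    for f in prioritize(FINDINGS):
        print(f"  {risk_score(f, EXPLOITED_IN_THE_WILD):5.2f}  {f.vuln_id}@{f.asset.name}")
    print("First two to fix:", remediation_plan(FINDINGS, budget=2))
```

With these constructed inputs the CVSS-only view puts the two 9.8 findings on top, including the one on the isolated dev box, while the risk-based view puts the exploited 7.5 on the internet-facing portal first and the dev-box 9.8 last. The point is the shape of the calculation, not the specific weights: the exploited flag and the exposure term are what make the list reflect the organization's risk rather than the scanner's opinion.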