
Vulnerability Management Programs Are Broken – Data Suggests

Rhett Glauser | Dec 16, 2021 | Vulcan Cyber VP marketing

Vulcan Cyber Survey Finds Most Risk-based Vulnerability Management Programs to be Ineffective

Latest research shows vulnerability management programs are not doing enough to correlate vulnerability data with actual business risk, leaving organizations exposed

TEL AVIV, Dec. 16, 2021 – Vulcan Cyber®, developers of the industry’s only cyber risk management platform for infrastructure, application, and cloud security, today announced the latest results of its ongoing research into risk prioritization and mitigation and vulnerability management programs. Its findings highlight the struggle of IT security teams to transition from simple vulnerability identification to meaningful response and mitigation, limiting the risk insights business leaders and IT management professionals need to effectively protect valuable business assets.

According to a Vulcan Cyber survey of more than 200 enterprise IT and security executives conducted by Pulse, 86% of respondents rely on third-party vulnerability severity data to prioritize vulnerabilities, and 70% rely on third-party threat intelligence. This underscores the status quo in many cyber security organizations today: teams rely on metrics from third-party sources that lack the enterprise-specific context needed to understand, and actually reduce, risk. A CVSS score or a vendor threat feed says how bad a flaw is in general; neither says what the affected asset is worth to this business.

“While IT security teams work hard to defend the modern enterprise, it’s clear that traditional threat intelligence and metrics like vulnerability severity scores are incapable of generating the business-specific insight necessary for comprehensive protection,” said Yaniv Bar-Dayan, co-founder and CEO of Vulcan Cyber. “Cybersecurity teams need the insights, processes, and tooling to prioritize risk for the assets that matter most to their business success.”

The Vulcan Cyber survey also found that the majority of respondents group vulnerabilities by infrastructure (64%), followed by business function (53%) and application (53%). Risk prioritization based exclusively on infrastructure and application groupings is not meaningful without asset context: the grouping says where a vulnerability lives, not what is exposed if it is exploited.

“Risk without business context is irrelevant. A CISO doesn’t care about the risk posture of a server and database used by janitorial services to manage paper towel inventory levels. But if the exact same server had thousands of customers’ personally identifiable information on it, that would constitute an entirely different and significantly more severe level of cyber risk,” Bar-Dayan continued.

The survey data indicates widespread misalignment in the vulnerability management practices in use today. 78% of respondents said some highly-prioritized vulnerabilities should be ranked lower, and 69% said some lower-ranked vulnerabilities should be ranked higher. More than 80% of respondents agreed that they would benefit from increased flexibility to prioritize vulnerabilities based on their particular risk environment. The “gut feel” behind those re-rankings should be captured as quantifiable inputs to the risk measurement itself, rather than applied by hand after the fact.

To score and prioritize vulnerabilities, the vast majority of decision-makers reported using two or more of the following models: the Common Vulnerability Scoring System (CVSS) (71%), the OWASP Top 10 (59%), scanner-reported severity (47%), the CWE Top 25 (38%), or bespoke scoring models (22%). Note that the OWASP Top 10 and CWE Top 25 are ranked lists of weakness categories rather than per-finding scoring systems, so they can weight a class of flaw but not an individual finding. To deliver meaningful cyber risk management, a bespoke scoring model that draws on several industry-standard scoring systems and then applies the organization’s own asset and threat context is ideal and most efficient.
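The point of the two preceding paragraphs, that the same finding carries a different risk on different assets and that a bespoke model should combine the standard inputs rather than replace them, as a worked example in Python. This is illustration code added for this page, not Vulcan Cyber’s scoring model: the weights, the 0–1 asset scales, the scanner-severity mapping and the three sample findings (a critical flaw on a low-value inventory server, the same flaw on a customer PII server, and a medium flaw on the PII server that is being exploited) are all constructed assumptions.

```python
"""Contextual vulnerability prioritization: CVSS plus asset business context.

Added illustration, not Vulcan Cyber's scoring model. The weights, the 0-1
asset scales, the severity mapping and the sample findings are assumptions
constructed for this example.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: float       # 0.0-1.0, how much the business depends on it (assumed scale)
    data_sensitivity: float  # 0.0-1.0, e.g. 1.0 for customer PII (assumed scale)
    internet_exposed: bool


@dataclass(frozen=True)
class Finding:
    vuln_id: str             # hypothetical identifier, not a real CVE/MS bulletin
    asset: Asset
    cvss_base: float         # CVSS base score, 0.0-10.0 (third-party severity input)
    scanner_severity: str    # severity label reported by the scanner (third-party input)
    known_exploited: bool    # threat intel: exploitation observed in the wild


# Scanner severity labels mapped onto a 0-1 weight (assumed mapping).
SEVERITY_WEIGHT = {"critical": 1.0, "high": 0.8, "medium": 0.5, "low": 0.2}


def technical_severity(f: Finding) -> float:
    """Blend two third-party inputs (CVSS and scanner severity) into one 0-1 number."""
    return 0.7 * (f.cvss_base / 10.0) + 0.3 * SEVERITY_WEIGHT[f.scanner_severity]


def business_context(a: Asset) -> float:
    """0-1 factor: what is at stake if this asset is compromised."""
    return 0.5 * a.criticality + 0.5 * a.data_sensitivity


def contextual_risk(f: Finding) -> float:
    """Bespoke 0-100 risk score: technical severity scaled by asset context,
    reachability and threat intelligence. Same CVSS, different asset, different risk."""
    exposure = 1.0 if f.asset.internet_exposed else 0.6   # internal-only assets are harder to reach
    threat = 1.0 if f.known_exploited else 0.7            # discount findings with no observed exploitation
    return round(100.0 * technical_severity(f) * business_context(f.asset) * exposure * threat, 1)


def rank_by_cvss(findings: List[Finding]) -> List[str]:
    """The status-quo ordering: third-party severity only (stable sort keeps ties in input order)."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss_base, reverse=True)]


def rank_by_context(findings: List[Finding]) -> List[str]:
    """Ordering once asset context, exposure and threat intel are applied."""
    return [f.vuln_id for f in sorted(findings, key=contextual_risk, reverse=True)]


# Constructed sample data: the same critical flaw on two very different assets,
# plus a medium-severity flaw that is actively exploited on the sensitive asset.
INVENTORY_SERVER = Asset("paper-towel-inventory-db", criticality=0.1,
                         data_sensitivity=0.05, internet_exposed=False)
CUSTOMER_PII_SERVER = Asset("customer-pii-db", criticality=0.9,
                            data_sensitivity=1.0, internet_exposed=True)

FINDINGS = [
    Finding("V-1", INVENTORY_SERVER, cvss_base=9.8, scanner_severity="critical", known_exploited=False),
    Finding("V-2", CUSTOMER_PII_SERVER, cvss_base=9.8, scanner_severity="critical", known_exploited=True),
    Finding("V-3", CUSTOMER_PII_SERVER, cvss_base=5.3, scanner_severity="medium", known_exploited=True),
]

if __name__ == "__main__":
    print("CVSS-only order: ", rank_by_cvss(FINDINGS))   # V-1 and V-2 tie at the top, V-3 last
    print("Contextual order:", rank_by_context(FINDINGS))  # V-2, then V-3, then V-1
    for f in FINDINGS:
        print(f"{f.vuln_id} on {f.asset.name}: cvss={f.cvss_base} risk={contextual_risk(f)}")
```

With CVSS alone, the inventory server’s 9.8 ties for first place and the exploited medium on the PII server sits last; once asset context and threat intel are applied, the inventory finding drops to a single-digit score and the exploited medium overtakes it. The weights are exactly the “gut feel” that respondents currently apply by hand; putting them in the model makes them reviewable, and any real deployment should calibrate them against actual incidents rather than keep the values assumed here.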

“Security teams need more control for better accuracy in scoring, prioritizing, and mitigating cyber risk. Risk-based vulnerability management practices lack a common framework, which limits the ability of business leaders and IT teams to work collaboratively with security to effectively reduce cyber risk to their organizations. As a result, cyber hygiene continues to fall short almost industry-wide and organizations remain exposed,” said Bar-Dayan.

A slight majority of survey respondents (54%) reported the most concern over sensitive data exposure resulting from application vulnerabilities, followed by broken authentication (44%), security misconfiguration (39%), insufficient logging and monitoring (35%), and injection (32%). Respondents also named MS14-068 (Microsoft Kerberos elevation of privilege, exploitable from an unprivileged domain user account) as the vulnerability of most concern to their organizations, ahead of higher-profile vulnerabilities such as MS08-067 (Windows Server service over SMB, exploited by Conficker, aka Downadup and Kido), CVE-2019-0708 (BlueKeep), CVE-2014-0160 (OpenSSL Heartbleed), and MS17-010 (EternalBlue).

For additional insights from the most recent Vulcan Cyber survey, download the white paper, How are Cyber Security Teams Prioritizing Vulnerability Risk?

Manage Your Cyber Risk Now

To see Vulcan Cyber in action, please request a demo or watch an on-demand version here. If you need vulnerability prioritization or remediation intelligence now, consider Vulcan Cyber freemium services such as Remedy Cloud or Vulcan Free.

About Vulcan Cyber

Vulcan Cyber® breaks down organizational cyber risk into measurable, manageable processes to help security teams go beyond their scan data and actually reduce risk. With powerful prioritization, orchestration and mitigation capabilities, the Vulcan Cyber risk management SaaS platform provides clear solutions to vulnerability management programs to help manage risk effectively. Vulcan enhances teams’ existing cyber environments by connecting with all the tools they already use, supporting every stage of the cyber security lifecycle across cloud, IT and application attack surfaces. The unique capability of the Vulcan Cyber platform has garnered Vulcan recognition as a 2019 Gartner Cool Vendor and as a 2020 RSA Conference Innovation Sandbox finalist.

Media contact: 
Dex Polizzi  
Lumina Communications on behalf of Vulcan Cyber 
vulcan at luminapr dot com

About the Author

Rhett Glauser

Rhett has been running corporate marketing and demand generation functions in the enterprise infrastructure and security markets for many years. Prior to Vulcan Cyber, Rhett spent more than two decades with SaltStack, ServiceNow, Symantec and Altiris.
