This week, smart vulnerability management provider Edgescan has published the findings of its 2022 Vulnerability Statistics Report, which for the 7th year running offers a comprehensive view of the state of vulnerability management globally.
The report reveals that organizations are still taking nearly two months to remediate critical-risk vulnerabilities, with the mean time to remediate (MTTR) across the full stack at 60 days.
High rates of “known” (i.e. patchable) vulnerabilities that have working exploits in the wild, used by known nation-state and cybercriminal groups, are not uncommon.
Remote access exposures across the attack surface are a worrying trend and accounted for 5% of total attack surface exposures in 2021.
Crucially, 57% of all observed vulnerabilities are more than two years old, with as many as 17% being more than five years old. These are all vulnerabilities that have working exploits in the wild, used by known nation state and cybercriminal groups. Edgescan also observed a concerning 1.5% of known, unpatched vulnerabilities that are over 20 years old, dating back to 1999.
The size of an organization doesn’t seem to make much difference to MTTR; however, Edgescan has observed significant differences across industries. Healthcare organizations, despite the extreme pressure they have endured in the past two years, come out on top, with an MTTR of just 44 days. At the opposite end of the spectrum, the public administration sector takes an average of 92 days to remediate known vulnerabilities — a month longer than the cross-industry average.
We asked cybersecurity experts what they thought of the findings:
Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Center):
“When addressing the business risk in the software you operate, timely remediation of threats is key. That’s why when a report highlights that the mean time to remediation (MTTR) of vulnerabilities in APIs and web apps takes 48 days, DevSecOps teams should take notice. Since most organisations will triage issues as part of their efforts to keep abreast of the ever-increasing number of CVEs disclosed, it’s not just a case of remediation of one vulnerability, but rather the risks associated with the long tail of unpatched vulnerabilities. The Edgescan report highlights that 17% of identified vulnerabilities in the report’s dataset are related to vulnerabilities that are over five years old. Worse still, six vulnerabilities represented 24% of the total vulnerabilities encountered in the report – though most had a CVSS score of medium or lower. While lower CVSS scores tend to indicate lower risk, unless DevSecOps teams review their triage notes against new deployments and as part of ongoing threat modelling, it’s entirely possible that the system configuration that allowed for a vulnerability to be labelled an acceptable risk might have changed sufficiently to allow for that older, unpatched vulnerability to become part of a successful attack chain.”
Irfahn Khimji, Chief Systems Engineer at Tripwire:
“The longer a vulnerability is in the wild, the more time an attacker has to prepare an exploit. The quicker an organization can remediate vulnerabilities, the better protected they are. Organizations often work to build a model focused around remediating new vulnerabilities but forget to look for and remediate older vulnerabilities.
When prioritizing remediation, it is important to look at factors such as how easy it is to exploit the vulnerability, the privilege an attacker would gain upon successful exploitation, and the age of the vulnerability. This will help the organization remediate the most critical vulnerabilities and not just focus on the 0-days.”
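One way to turn the three factors named above (ease of exploitation, privilege gained, age) into a remediation order, as an added example that is not code from the Edgescan report or from any of the experts quoted here. The weights, the inventory and the CVE-style identifiers are all constructed assumptions for illustration.

```python
"""Risk-based remediation ordering (added example; weights and data are
illustrative assumptions, not Edgescan's method)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    cve: str               # constructed placeholder ids, not real CVEs
    cvss: float            # CVSS base score, 0-10
    exploit_public: bool   # a working exploit is known in the wild
    privilege: str         # "none", "user" or "admin" gained on success
    published: date        # disclosure date (constructed)


PRIV_WEIGHT = {"none": 0.0, "user": 1.0, "admin": 2.0}  # assumed weights


def age_years(f: Finding, today: date) -> float:
    return (today - f.published).days / 365.25


def priority(f: Finding, today: date) -> float:
    # Start from CVSS, then add the factors the quote says matter:
    # exploitability, privilege gained and age (age capped at 5 years so a
    # very old low-impact issue cannot dominate on age alone).
    score = f.cvss
    if f.exploit_public:
        score += 3.0
    score += PRIV_WEIGHT[f.privilege]
    score += min(age_years(f, today), 5.0)
    return round(score, 2)


def remediation_order(findings, today):
    """Highest priority first; ties keep inventory order."""
    return sorted(findings, key=lambda f: priority(f, today), reverse=True)


TODAY = date(2022, 3, 1)
INVENTORY = [  # constructed sample data
    Finding("CVE-XXXX-NEW1", 9.8, False, "admin", date(2022, 2, 20)),
    Finding("CVE-XXXX-OLD1", 6.5, True, "admin", date(2016, 5, 1)),
    Finding("CVE-XXXX-OLD2", 5.3, True, "user", date(2019, 1, 10)),
    Finding("CVE-XXXX-NEW2", 7.5, False, "none", date(2022, 1, 5)),
]

if __name__ == "__main__":
    for f in remediation_order(INVENTORY, TODAY):
        print(f"{priority(f, TODAY):5.2f}  {f.cve}  age={age_years(f, TODAY):.1f}y")
```

On the sample inventory the two older, medium-CVSS findings with public exploits sort ahead of the brand-new critical, which is the point of weighing age and exploitability rather than CVSS alone.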
Chris Clements, VP, Security Architecture, Cerberus Sentinel:
“It may seem simple and straightforward to remediate security vulnerabilities, but there are so many factors that complicate the process that in practice it can take extended time to resolve even simple issues, leaving organizations vulnerable to compromise in the meantime. Computer networks with scale beyond a few hundred endpoints quickly become difficult to comprehensively track and manage, with potentially dozens of different operating systems that themselves house hundreds of software applications. Most organizations have a patching strategy for the most prevalent operating systems in their environment, but far fewer have a well-functioning process for popular attack targets like PDF readers or other desktop software. Even fewer have a formal process for identifying risks from vulnerabilities in systems that may be less common, such as Linux and especially network appliance systems that rely on manual patching processes.
This is also predicated on the assumption that every device on the network is cataloged and that someone in the organization has been made responsible for installing security updates, which is far from assured especially in larger organizations. Another factor that contributes to delays in remediating security vulnerabilities can stem from hesitance about how patches may affect system or application functionality and stability. It’s an unfortunate truth that there are reliably one or two patches released every year that cause significant issues that require a rollback or reconfiguration to restore normal operation. This causes organizations to properly prepare for patch installation that may require coordinating and scheduling with multiple different teams as well as a fallback plan in case issues arise. Finally, for software developed in house, it may take developers time to safely correct identified vulnerabilities in a way that does not meaningfully impact performance or functionality.”
Andy Norton, European cyber risk officer at Armis:
“Not being able to patch faster than the bad guys can attack is an unfortunate reality, even for regulated industries with supporting legislation where 72 hours is a mandated window to find and demonstrate effective patching has been applied and communicated back to the relevant competent authority. Cyber resilience as prescribed in many frameworks is a defence-in-depth approach to security where no single metric or weakness is ultimately an indicator of survivability.”