Cyberattacks can cost millions to resolve and make headline news. The attack surfaces keep expanding as organizations connect assets, allow remote work, and promote virtual customer engagement. It’s hard to keep up in today’s intense threat landscape.
How are organizations weathering this complexity? The E Com Security Solutions survey set out to uncover the answers by exploring the current state of vulnerability management, based on insights from over 1500 security and technology professionals. The survey revealed some areas of strength and some opportunities. Below are the insights on the three phases of vulnerability management.
PHASE 1: IDENTIFYING VULNERABILITIES
Current scanning tools are underperforming: Our study revealed that most organizations direct significant time and resources into vulnerability identification, and most feel they handle this phase well. Of note, the percentage of organizations that rank their vulnerability identification practices as “effective” and the percentage of organizations that conduct frequent vulnerability scans are comparable. The fact that 67% of organizations conduct frequent scans is positive news. But that means one-third (33%) of organizations’ vulnerability identification practices are subpar. Seventeen per cent (17%) say they conduct periodic, ad hoc scans, 15% conduct infrequent scans, and 1% don’t identify vulnerabilities.
Although vulnerability identification is a perceived strength overall, organizations encounter some roadblocks. Fifty-eight per cent (58%) ranked coverage (the breadth of vulnerability detection) and accuracy (concerns about false positives and negatives) as pressing challenges.
Timeliness was the next most cited problem area, followed by lack of visibility across the attack surface. These challenges indicate that current vulnerability scanning tools may be underperforming. Moving away from entry-level scanning tools to more robust vulnerability management platforms can significantly improve identification practices.
PHASE 2: PRIORITIZING VULNERABILITIES
Non-standard and legacy approaches need to evolve: Our study found that 40% of organizations feel they perform vulnerability prioritization effectively, with 30% believing they manage this phase efficiently. The high use of non-standard or outdated approaches may contribute to organizations’ limited success in prioritization. Nearly half (47%) of all respondents rely on proprietary methodologies during this phase. Additionally, 26% of respondents use the Common Vulnerability Scoring System (CVSS), a legacy approach that measures technical severity, not business risk. Of those using legacy approaches, 60% say their teams spend more than 50% of their time prioritizing vulnerabilities. The two most used methodologies are prioritizing based on asset criticality (63%) and time of first detection (61%).
However, our findings reveal the asset criticality approach, while valuable, often presents difficulties. When asked about their top vulnerability prioritization challenges, nearly 60% of respondents cite quantifying or identifying asset criticality as a top barrier to success.
The top-ranked difficulty, cited by 63% of respondents, is integrating threat intelligence of actively exploited vulnerabilities. More than 50% view the explainability of prioritization results and identification of too many high or critical vulnerabilities as problem areas. Staffing constraints and manual processes are challenges for nearly half of the respondents. Among those who cite staffing or manual processes as a top three challenge, 44% say their teams spend 50% or more of their time on prioritizing vulnerabilities.
The use of multiple methodologies can complicate prioritization: Another complication during this phase is the use of numerous prioritization approaches. Almost eight out of ten respondents (79%) use at least two approaches, with nearly half using three or more. Fifty-three per cent (53%) of larger organizations report using three or more prioritization methodologies. Often, when an organization finds that an initial prioritization method doesn’t yield desired results, they pursue a second or third method. Instead of driving improvement, these additional approaches can flag too many vulnerabilities that need attention, a problem cited by half of the respondents.
As a result, teams may focus on managing vulnerabilities that don’t pose a significant, near-term risk and miss remediating more serious threats. More sophisticated vulnerability management platforms provide comprehensive prioritization methods that flag vulnerabilities likely to cause business risk, preventing a more piecemeal, ad hoc approach. These risk-based approaches can synthesize 100+ data inputs to derive a single prioritization risk score.
PHASE 3: REMEDIATING VULNERABILITIES
Few organizations succeed in remediation: Our study uncovered that few organizations are adept at remediating vulnerabilities. Only 9% believe they are effective, and 11% affirm they are efficient at remediation. When asked about top challenges, 51% cite how to prioritize which vulnerability to address first as a chief problem. The next two top issues, automatically applying the correct patches across the entire infrastructure and matching vulnerabilities to the proper remediation activity, concern 48% of respondents. Forty-five per cent (45%) identify eliminating human error as a top issue.
Today, most organizations use a mix of tools to remediate vulnerabilities, and 74% of respondents say they use three or more approaches. The most used tool is IT ticketing software (68%), followed by collaboration tools (66%) and endpoint management (63%).
95% of organizations aim to reduce manual processes: Given the significant challenges of vulnerability remediation today, many organizations know they must evolve, and many are taking positive steps in the right direction. Over 95% of respondents indicate that their organizations aim to reduce manual processes. Two-thirds (65%) prioritize manual process reduction in the next year, with 30% addressing this issue over the next two to four years.
Moving away from manual processes signals that more organizations may be preparing to embrace automated vulnerability remediation. Automating parts of the process simplifies routine remediation tasks such as patch management, vulnerability-to-patch correlation, software distribution, operating system deployment, and more to keep systems protected. This approach allows security and IT professionals to focus on higher-level activities and more complex threats.
E COM SECURITY SOLUTIONS – CYBER RANGE SOLUTIONS
The E Com Security Solutions Cyber Range solution creates immersive simulations to guide your team through realistic breach scenarios, helping ensure you can respond and recover from enterprise-level cyber security incidents, manage vulnerabilities, and build a stronger security culture in your organization. The E Com Security Solutions Cyber Range virtual experiences provide immersive simulations to strengthen your organization’s cyber response, improve resilience, and fix vulnerabilities—anywhere in the world.