84% of security and IT leaders feel their enterprise programs are mature, but a deeper dive reveals a major disconnect between perception and reality, Vulcan Cyber reveals.
“We already know most enterprise programs are immature – we see it every day in the field. What caught us off guard was that the vast majority of respondents felt otherwise,” said Yaniv Bar-Dayan, CEO of Vulcan Cyber.
“Given the amount of breaches caused by known, unpatched vulnerabilities, that reveals a surprising disconnect that merits a closer look. So we mapped the survey data to our maturity model – the only way to raise the bar for vulnerability management is to show IT leaders how to transition their programs from managing vulnerabilities to remediating them.”
Key research findings
- The most mature elements of enterprise vulnerability management programs are vulnerability scanning (72%), followed by the effective use of vulnerability remediation tools (49%) and vulnerability prioritization (44%).
- The three least-mature elements are orchestrated, collaborative remediation (48%), continuous, automated remediation (48%) and business alignment around cyber hygiene objectives (31%). This indicates that vulnerability management processes are siloed, ad hoc, and inefficient, calling into question their ability to produce outcomes that actually remediate vulnerabilities and secure IT.
- 89% of security and IT teams say they spend at least some time collaborating with cross-functional teams to remediate vulnerabilities, with 42% reporting they spend “a lot” or “too much” (7%) time every week working with other teams. A notable 83% of companies that said they spend too much time collaborating with other teams have 500-1,000 employees.
- Roughly 50% of IT and security teams share responsibility for key remediation functions (identifying vulnerabilities, prioritization, crafting remediation strategies, deploying patches and remedies, etc.), revealing an opportunity to facilitate more effective and efficient collaboration by clearly defining the division of labor.
“Vulnerability scanning and prioritization are essential functions, but they are the bare minimum – not what constitutes a mature program,” Bar-Dayan continues.
“In our experience, program bottlenecks are further along in the remediation lifecycle, stemming from inefficient cross-team collaboration. Changing that requires organizations to update and automate their remediation processes. It’s a serious undertaking, but one that transforms vulnerability management programs into a powerful lever for shrinking security debt and strengthening the company’s security posture.”
There are gaps between the rate at which cloud access security brokers (CASBs) are implemented or operated and the rate at which they are used effectively within the enterprise, according to a global Cloud Security Alliance survey of more than 200 IT and security professionals from organizations of a variety of sizes and locations.
Utilize cloud security solutions
“CASB solutions have been underutilized on all the pillars but in particular on the compliance, data security, and threat protection capabilities within the service,” said Hillary Baron, lead author and research analyst, Cloud Security Alliance.
“It’s clear that training and knowledge of how to use the products need to be made a priority if CASBs are to become effective as a service or solution,” Baron concluded.
The paper found that while nearly 90% of the organizations surveyed are already using or researching the use of a CASB, 50% don’t have the staffing to fully utilize cloud security solutions, which could be remediated by working with top CASB vendors.
CASBs have yet to become practical for remediation or prevention
More than 30% of respondents reported having to use multiple CASBs to meet their security needs and 34% find solution complexities an inhibitor in fully realizing the potential of CASB solutions.
Overall, CASBs perform well for visibility and detecting behavior anomalies in the cloud but have yet to become practical as a tool for remediation or prevention.
- 83% have security in the cloud as a top project for improvement
- 55% use their CASB to monitor user behaviors, while 53% use it to gain visibility into unauthorized access
- 38% of enterprises use their CASB for regulatory compliance while just 22% use it for internal compliance
- 55% of total respondents use multi-factor authentication that is provided by their identity provider as opposed to a standalone product in the cloud (20%)
IT teams require comprehensive visibility into the network driven by a number of factors, including tremendous disruption from the COVID-19 pandemic, relentless technological advances, remote working reaching an all-time high and the expanding security threatscape, according to VIAVI Solutions.
Indeed, 73 percent of respondents said security professionals need comprehensive visibility into network infrastructure to enhance cybersecurity efforts and speed remediation.
Rise in cyberthreats during pandemic
During the global pandemic, infosec professionals are reporting a rise in cyberthreats. And as enterprises increase connectivity, networks are even more exposed to vulnerabilities.
54 percent of respondents have already deployed IoT devices, and another 24 percent plan to do so in the next 12 months. Yet only 57 percent of those who have deployed IoT devices have a mechanism in place to monitor them.
In an age of dynamic disruption, IT is increasingly challenged to maintain optimal service delivery, while implementing remote working at an unprecedented scale. It’s not surprising, then, that nearly 60 percent of study respondents cite the need for greater visibility into remote user experiences.
The top challenge for troubleshooting applications is the ability to understand end-user experience (nearly 47 percent).
“As remote working becomes the new norm, IT teams are challenged to find and adapt technologies, such as flow-based reporting to manage bandwidth consumption, VPN oversubscription and troubleshooting applications. To guarantee the best performance and reduce cybersecurity threats, increasing network visibility is now a must for all businesses,” said Charles Thompson, Senior Director, Enterprise and Cloud, VIAVI.
“By empowering NetOps, as well as application and security teams with network visibility, IT can mitigate the impact of disruptive migrations, incidents and new technologies like SD-WAN to achieve consistent operational excellence.”
- A surge in remote users is challenging network and security teams, as evidenced by nearly 60 percent seeking more visibility
- Roughly three out of four respondents agree or strongly agree that SecOps teams need better visibility into network infrastructure to enhance cybersecurity efforts, suggesting that effective collaboration between NetOps and SecOps leads to stronger security posture and faster incident response
- The top troubleshooting challenge that IT network teams now face is understanding end-user experience (nearly 47 percent)
- Among organizations of all sizes, the most used KPI for assessing end-user experience is packet-based metrics (45 percent) followed closely by user-satisfaction metrics (41 percent)
- 54 percent of survey respondents have already deployed IoT devices, yet only 57 percent of those have a mechanism in place to monitor those devices, leaving their networks exposed to vulnerabilities
- SD-WAN has gone mainstream, with the primary motivations for deployment being cost savings (58 percent) and business continuity (50 percent)
Too many organizations have yet to find a good formula for prioritizing which vulnerabilities should be remediated immediately and which can wait.
According to the results of a recent Tenable research aimed at discovering why some flaws go unpatched for months and years, vulnerabilities with exploits show roughly the same persistence as those with no available exploit.
“Defenders are still operating as though all vulnerabilities have the same likelihood of exploitation,” says Lamine Aouad, Staff Research Engineer at Tenable.
The research has also revealed that:
- In organizations that have remediated at least one instance of a vulnerability, nearly one-third of all detected vulnerabilities remain open after a year, and over one-quarter are never remediated – and the percentages are similar for vulnerabilities with exploits
- It takes organizations a median of 29 days to assess the existence of a vulnerability in their environment and a median of 40 days to remediate all instances of it
- The most persistent vulnerabilities are:
- Client-side vulnerabilities
- Vulnerabilities in difficult-to-update/upgrade software
- Vulnerabilities with larger affected software lists
“The more operating systems and product versions a vulnerability affects, the harder it is to fix, leading to persistence. A larger list of CPEs would also reflect a bigger volume of assets in many cases and consequently a higher difficulty to remediate comprehensively by just sheer volume,” Aouad told Help Net Security.
“CVE-2018-8353, CVE-2018-8355 and CVE-2018-8373 are remote memory-corruption vulnerabilities, affecting multiple versions of Internet Explorer, which could allow remote attackers to execute arbitrary code. Their persistence is most likely related to the list of CPEs or affected software configurations.”
Only 5.5 percent of organizations remediate more vulnerabilities than they discover during a given timeframe, Tenable found.
Whether for the lack of resources, effective remediation processes, or simply the staggering amount of newly disclosed vulnerabilities, most organizations cannot keep up with the flow of vulnerabilities they assess in their environment.
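The figures above (median days to assess, median days to remediate all instances, the share still open after a year, and whether a team remediates more than it discovers) are metrics a team can compute from its own scan history. The following is an added example, not Tenable's code or method; the scan records, dates and vulnerability IDs are constructed for illustration. "Assess" is taken as the gap between a vulnerability's publication date and its first detection in the environment, and "remediate" as the gap between first detection and the last instance being closed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
from typing import Optional

# One detected instance of a vulnerability on one asset (constructed record format).
@dataclass(frozen=True)
class Instance:
    vuln_id: str
    asset: str
    first_seen: date            # first scan that detected it
    fixed: Optional[date]       # scan that confirmed it gone; None = still open

# Constructed publication dates (placeholder IDs, not real CVEs).
PUBLISHED = {
    "VULN-A": date(2019, 1, 10),
    "VULN-B": date(2019, 3, 1),
    "VULN-C": date(2019, 5, 20),
}

# Constructed scan history for a small environment.
INSTANCES = [
    Instance("VULN-A", "host1", date(2019, 2, 9), date(2019, 3, 1)),
    Instance("VULN-A", "host2", date(2019, 2, 15), date(2019, 4, 20)),
    Instance("VULN-B", "host1", date(2019, 3, 21), None),
    Instance("VULN-B", "host3", date(2019, 4, 1), date(2019, 5, 1)),
    Instance("VULN-C", "host2", date(2019, 7, 19), date(2019, 8, 18)),
]
AS_OF = date(2020, 6, 30)   # date of the most recent scan


def median_days_to_assess(instances, published):
    """Per vulnerability: days from publication to first detection anywhere in the environment."""
    first_seen = {}
    for inst in instances:
        first_seen[inst.vuln_id] = min(inst.first_seen, first_seen.get(inst.vuln_id, inst.first_seen))
    return median((first_seen[v] - published[v]).days for v in first_seen)


def median_days_to_remediate(instances):
    """Per vulnerability with every instance closed: days from first detection to last fix."""
    by_vuln = {}
    for inst in instances:
        by_vuln.setdefault(inst.vuln_id, []).append(inst)
    spans = []
    for group in by_vuln.values():
        if any(i.fixed is None for i in group):
            continue  # still has open instances; not yet fully remediated
        spans.append((max(i.fixed for i in group) - min(i.first_seen for i in group)).days)
    return median(spans) if spans else None


def fraction_open_after(instances, days, as_of):
    """Share of instances still open `days` after detection, counting only those old enough to judge."""
    window = timedelta(days=days)
    eligible = [i for i in instances if i.first_seen + window <= as_of]
    if not eligible:
        return None
    still_open = [i for i in eligible if i.fixed is None or i.fixed > i.first_seen + window]
    return len(still_open) / len(eligible)


def remediation_ratio(instances, start, end):
    """Instances fixed divided by instances discovered inside [start, end]; > 1 means closing faster than finding."""
    discovered = sum(1 for i in instances if start <= i.first_seen <= end)
    fixed = sum(1 for i in instances if i.fixed is not None and start <= i.fixed <= end)
    return fixed / discovered if discovered else None


if __name__ == "__main__":
    print("median days to assess:", median_days_to_assess(INSTANCES, PUBLISHED))
    print("median days to remediate:", median_days_to_remediate(INSTANCES))
    print("still open after 1 year:", fraction_open_after(INSTANCES, 365, AS_OF))
    print("Q2 2019 fixed/discovered:", remediation_ratio(INSTANCES, date(2019, 4, 1), date(2019, 6, 30)))
```

The remediation ratio is the figure behind the "5.5 percent of organizations" finding: a ratio above 1 over a quarter means the backlog shrank. In practice, instances that stay open because the scanner stopped seeing the asset (decommissioned, offline) should be excluded before computing persistence, or they will inflate the never-remediated share.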
Finding the right approach to vulnerability remediation prioritization
Effective vulnerability remediation prioritization is important, but using vulnerabilities’ CVSS scores as the basis for making decisions is not a good choice, as it does not reflect the risk a vulnerability poses to the organization.
CVSS scores can be one element of an effective prioritization formula, but organizations must also take into consideration factors such as whether a vulnerability:
- Is actively exploited
- Is prevalent in their environment and widely present in other organizations’ environments
- Affects critical assets within their environment
- Is targeted via existing attacker toolkits, etc.
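To make the difference between CVSS-only ordering and the factor-based prioritization described above concrete, here is an added example (not Tenable's model or code) that scores a constructed set of findings on exactly those factors: CVSS as a baseline, whether the flaw is actively exploited, how prevalent it is in the environment, whether it sits on critical assets, and whether it is in known attacker toolkits. The weights, the tier thresholds and the finding data are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# One vulnerability as seen across the environment (constructed record format).
@dataclass(frozen=True)
class Finding:
    vuln_id: str
    cvss: float                 # CVSS base score, 0.0 - 10.0
    actively_exploited: bool    # exploitation observed in the wild
    instances_in_env: int       # how many assets carry it
    critical_assets: int        # how many of those assets are business-critical
    in_attacker_toolkit: bool   # present in known exploit kits / offensive frameworks

# Assumed weights: context factors deliberately outweigh the raw CVSS baseline.
W_EXPLOITED = 1.0
W_TOOLKIT = 0.5
W_PREVALENCE = 0.5
W_CRITICAL = 1.0

def risk_score(f: Finding, total_assets: int) -> float:
    """Baseline of cvss/10 plus additive context factors; higher means fix sooner."""
    score = f.cvss / 10.0
    if f.actively_exploited:
        score += W_EXPLOITED
    if f.in_attacker_toolkit:
        score += W_TOOLKIT
    score += min(f.instances_in_env / total_assets, 1.0) * W_PREVALENCE
    if f.critical_assets > 0:
        score += W_CRITICAL
    return round(score, 3)

def sla_tier(score: float) -> str:
    """Assumed remediation tiers: which findings to fix now and which can wait."""
    if score >= 2.0:
        return "immediate"
    if score >= 1.0:
        return "scheduled"
    return "backlog"

def prioritize(findings, total_assets):
    """Findings ordered by risk score, ties broken by CVSS."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: (risk_score(f, total_assets), f.cvss), reverse=True)]

def cvss_only(findings):
    """The ordering a CVSS-only policy would produce, for comparison."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

# Constructed findings (placeholder IDs, not real CVEs) for an environment of 100 assets.
TOTAL_ASSETS = 100
FINDINGS = [
    Finding("VULN-1", 9.8, False, 3, 0, False),   # critical CVSS, but rare, unexploited, off critical assets
    Finding("VULN-2", 7.5, True, 40, 5, True),    # high CVSS, exploited, widespread, on critical assets
    Finding("VULN-3", 5.3, True, 2, 2, False),    # medium CVSS, but exploited and on critical assets
    Finding("VULN-4", 8.8, False, 60, 0, False),  # high CVSS, widespread, no exploitation signal
]

if __name__ == "__main__":
    print("CVSS-only order:", cvss_only(FINDINGS))
    print("risk-based order:", prioritize(FINDINGS, TOTAL_ASSETS))
    for f in FINDINGS:
        s = risk_score(f, TOTAL_ASSETS)
        print(f"{f.vuln_id}: cvss={f.cvss} score={s} tier={sla_tier(s)}")
```

The point the comparison makes: the CVSS 9.8 finding drops to the bottom once exploitation, prevalence and asset criticality are considered, while the CVSS 5.3 finding that is exploited on critical assets moves into the immediate tier. The weights are a starting point to be tuned against an organization's own incident history, not a fixed formula.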