Vulnerability Intelligence Report

Summary

In this report, we provide an overview of current vulnerability disclosure trends and insights into real-world vulnerability demographics in enterprise environments. We analyze vulnerability prevalence in the wild, based on the number of affected enterprises, to highlight vulnerabilities that security practitioners are dealing with in practice – not just in theory. Our study confirms that managing vulnerabilities is a challenge of scale, velocity and volume. It is not just an engineering challenge, but requires a risk-centric view to prioritize thousands of vulnerabilities that superficially all seem the same.

Throughout this report, we use the terms “vulnerability” and “CVE” interchangeably. Common Vulnerabilities and Exposures (CVE) is “a list of entries – each containing an identification number, a description and at least one public reference – for publicly known cybersecurity vulnerabilities.” A CVE identifier describes a unique vulnerability, whereby “unique” can refer to unique on a given operating system for a specific version rather than in general. In reality, multiple CVEs can refer to the same “vulnerability” (e.g., a vulnerability affecting a browser available on multiple operating systems such as Microsoft Windows, Red Hat Enterprise Linux and SUSE Linux).

To ensure that we have comparable data for new and old vulnerabilities, whenever we refer to “CVSS” or “severity,” we are generally referring to CVSSv2, unless we state otherwise. We generally use CVSSv2 when comparing historical vulnerability data and CVSSv3 only when considering more recent ones, where CVSSv3 data is available.

Key Takeaways

The growth in new vulnerabilities continues unabated:
• 15,038 new vulnerabilities were published in 2017 to CVE versus 9,837 in 2016, an increase of 53%.
• The first half of 2018 shows an increase of 27% versus the first half of 2017. We are on track for 18,000–19,000 new vulnerabilities this year.
Prioritizing based on High severity or exploitability alone is becoming increasingly ineffective due to the sheer volume:
• 54% of new CVEs in 2017 were rated as CVSSv3 7.0 (High) or higher.
• Public exploits are available for 7% of vulnerabilities.
• For vulnerabilities where both CVSS version 2 and 3 scores are available and a comparison is possible (mainly post-2016), CVSSv3 scores the majority of vulnerabilities as High or Critical (CVSSv2 31% versus CVSSv3 60%).

Enterprise vulnerability management is a challenge of scale, volume and velocity:
• The live population (22,625) of distinct vulnerabilities that actually resides in enterprise environments represents 23% of all possible CVEs (107,710).
• Almost two-thirds (61%) of the vulnerabilities that enterprises find in their environments have a CVSSv2 severity of High (7.0–10.0).
• Vulnerabilities with a CVSSv2 score of 9.0–10.0 represent 12% of the entire vulnerability population. On average, an enterprise finds 870 CVEs per day across 960 assets. This means that prioritization methodologies based on remediating only Critical CVEs still leave the average enterprise with more than a hundred vulnerabilities per day to prioritize and patch, often on multiple systems.
• Considerable amounts of old Oracle Java, Adobe Flash and Microsoft IE and Office vulnerabilities were discovered in enterprise environments (some older than a decade). Old, discontinued and end-of-life applications are out there – and legacy applications are still a major source of residual risk.
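The two takeaways above argue that a severity-only cut leaves too much on the table and that a risk-centric view must also weigh exploit availability, prevalence across assets, and end-of-life software. The script below is an added illustration, not code or a methodology from the report: it runs a naive "CVSSv2 High or worse" filter and a combined risk ranking over a constructed sample of findings (placeholder identifiers, not real CVEs), and reproduces the report's "more than a hundred per day" arithmetic from its own figures (870 CVEs per day, 12% scored 9.0–10.0). The weights in risk_score are assumptions chosen for the demonstration, not values taken from the report.

```python
"""Severity-only triage versus a risk-centric ranking (added example).

The findings below are constructed for illustration; the identifiers are
placeholders and the scoring weights are assumptions, not the report's.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    cve: str                  # placeholder id, NOT a real CVE number
    cvss_v2: float
    cvss_v3: Optional[float]  # None when no CVSSv3 score was published
    exploit_public: bool      # a public exploit exists for this CVE
    affected_assets: int      # prevalence: assets in the estate carrying it
    end_of_life: bool         # vendor no longer ships fixes for the product


# Constructed sample: mixes old EoL software, widely deployed medium-severity
# bugs with public exploits, and high-severity bugs on a handful of hosts.
SAMPLE: List[Finding] = [
    Finding("PLACEHOLDER-0001", 10.0, 9.8, True, 850, True),
    Finding("PLACEHOLDER-0002", 7.5, 9.8, False, 40, False),
    Finding("PLACEHOLDER-0003", 7.2, 7.8, False, 12, False),
    Finding("PLACEHOLDER-0004", 4.3, 6.1, True, 600, False),
    Finding("PLACEHOLDER-0005", 9.3, None, True, 300, True),
    Finding("PLACEHOLDER-0006", 5.0, 7.5, False, 20, False),
    Finding("PLACEHOLDER-0007", 6.8, 8.8, False, 8, False),
    Finding("PLACEHOLDER-0008", 2.1, 3.3, False, 900, False),
]


def severity_only(findings: List[Finding], threshold: float = 7.0) -> List[str]:
    """Naive policy: everything rated CVSSv2 High (>= 7.0) goes on the list."""
    return [f.cve for f in findings if f.cvss_v2 >= threshold]


def risk_score(f: Finding) -> float:
    """Combine base severity with exploit availability, prevalence and EoL.

    Assumed weights: +3.0 for a public exploit, +1.5 for end-of-life software,
    up to +5.0 for prevalence (one point per 200 affected assets, capped).
    CVSSv3 is used as the base when published, otherwise CVSSv2.
    """
    base = f.cvss_v3 if f.cvss_v3 is not None else f.cvss_v2
    score = base
    if f.exploit_public:
        score += 3.0
    if f.end_of_life:
        score += 1.5
    score += min(f.affected_assets, 1000) / 200.0
    return round(score, 2)


def risk_ranked(findings: List[Finding], top_n: int = 3) -> List[str]:
    """Return the top_n identifiers ordered by descending risk_score."""
    return [f.cve for f in sorted(findings, key=risk_score, reverse=True)[:top_n]]


def high_share_v2_vs_v3(findings: List[Finding]) -> Tuple[int, int, int]:
    """Count findings rated >= 7.0 under v2 and under v3, among those with both.

    Mirrors the report's observation that v3 rates more CVEs High/Critical.
    Returns (high_under_v2, high_under_v3, compared).
    """
    both = [f for f in findings if f.cvss_v3 is not None]
    high_v2 = sum(1 for f in both if f.cvss_v2 >= 7.0)
    high_v3 = sum(1 for f in both if f.cvss_v3 >= 7.0)
    return high_v2, high_v3, len(both)


def daily_critical_backlog(cves_per_day: int = 870, critical_share: float = 0.12) -> int:
    """Report figures: 870 CVEs found per day, 12% scored CVSSv2 9.0-10.0.

    Even a 'Critical only' policy leaves this many to handle every day.
    """
    return round(cves_per_day * critical_share)


if __name__ == "__main__":
    print("severity-only list:", severity_only(SAMPLE))
    print("risk-ranked top 3: ", risk_ranked(SAMPLE))
    print("High under v2 vs v3:", high_share_v2_vs_v3(SAMPLE))
    print("Critical-only daily backlog:", daily_critical_backlog())
```

Note that the medium-severity finding with a public exploit on 600 assets (PLACEHOLDER-0004) never appears on the severity-only list but ranks third by combined risk, while two of the four CVSSv2-High findings sit on a dozen hosts or fewer; that gap is the report's argument in miniature.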