Summary

In this report, we provide an overview of current vulnerability disclosure trends and insights into real-world vulnerability demographics in enterprise environments. We analyze vulnerability prevalence in the wild, based on the number of affected enterprises, to highlight vulnerabilities that security practitioners are dealing with in practice – not just in theory. Our study confirms that managing vulnerabilities is a challenge of scale, velocity and volume. It is not just an engineering challenge, but requires a risk-centric view to prioritize thousands of vulnerabilities that superficially all seem the same.

Throughout this report, we use the terms “vulnerability” and “CVE” interchangeably. Common Vulnerabilities and Exposures (CVE) is “a list of entries – each containing an identification number, a description and at least one public reference – for publicly known cybersecurity vulnerabilities.” A CVE identifier describes a unique vulnerability, whereby “unique” can refer to unique on a given operating system for a specific version rather than in general. In reality, multiple CVEs can refer to the same “vulnerability” (e.g., a vulnerability affecting a browser available on multiple operating systems such as Microsoft Windows, Red Hat Enterprise Linux and SUSE Linux).

To ensure that we have comparable data for new and old vulnerabilities, whenever we refer to “CVSS” or “severity,” we are generally referring to CVSSv2, unless we state otherwise. We generally use CVSSv2 when comparing historical vulnerability data and CVSSv3 only when considering more recent ones, where CVSSv3 data is available.
VULNERABILITY INTELLIGENCE report
Key Takeaways

The growth in new vulnerabilities continues unabated:
• 15,038 new vulnerabilities were published in 2017 to CVE versus 9,837 in 2016, an increase of 53%.
• The first half of 2018 shows an increase of 27% versus the first half of 2017. We are on track for 18,000–19,000 new vulnerabilities this year.

Prioritizing based on High severity or exploitability alone is becoming increasingly ineffective due to the sheer volume:
• 54% of new CVEs in 2017 were rated as CVSSv3 7.0 (High) or higher.
• Public exploits are available for 7% of vulnerabilities.
• For vulnerabilities where both CVSS version 2 and 3 scores are available and a comparison is possible (mainly post-2016), CVSSv3 scores the majority of vulnerabilities as High or Critical (CVSSv2 31% versus CVSSv3 60%).

Enterprise vulnerability management is a challenge of scale, volume and velocity:
• The live population (22,625) of distinct vulnerabilities that actually resides in enterprise environments represents 23% of all possible CVEs (107,710).
• Almost two-thirds (61%) of the vulnerabilities that enterprises find in their environments have a CVSSv2 severity of High (7.0–10.0).
• Vulnerabilities with a CVSSv2 score of 9.0–10.0 represent 12% of the entire vulnerability population. On average, an enterprise finds 870 CVEs per day across 960 assets. This means that prioritization methodologies based on remediating only Critical CVEs still leave the average enterprise with more than a hundred vulnerabilities per day to prioritize and patch, often on multiple systems.
• Considerable numbers of old Oracle Java, Adobe Flash and Microsoft IE and Office vulnerabilities were discovered in enterprise environments (some older than a decade). Old, discontinued and end-of-life applications are out there – and legacy applications are still a major source of residual risk.
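The takeaways above argue that filtering a daily batch of findings by severity or by exploit availability alone still leaves a large backlog, and that a risk-centric view is needed. The following Python script is an added illustration of that argument and is not part of the report or its methodology: it runs three naive filters (Critical only, High only, public exploit only) and a simple risk ranking over a constructed batch of findings. The finding identifiers are placeholders, the batch is constructed sample data, and the weights in risk_score() are assumptions chosen only to make the reordering visible.

```python
"""Added illustration: severity-only triage versus a simple risk ranking.

All findings are constructed sample data with placeholder identifiers; the
weights in risk_score() are assumptions for this illustration and are not
the report's methodology."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str           # placeholder identifier (constructed, not a real CVE)
    cvss_v2: float         # CVSSv2 base score, 0.0-10.0
    exploit_public: bool   # a public exploit exists for this vulnerability
    assets: int            # number of assets on which the finding was seen
    internet_facing: bool  # at least one affected asset is reachable from the internet


def v2_severity(score: float) -> str:
    """CVSSv2 qualitative bands: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


# Three naive policies; each keeps the findings it would treat as "patch today".
def critical_only(findings):
    return [f for f in findings if f.cvss_v2 >= 9.0]


def high_only(findings):
    return [f for f in findings if f.cvss_v2 >= 7.0]


def exploit_only(findings):
    return [f for f in findings if f.exploit_public]


def risk_score(f: Finding) -> float:
    """Assumed heuristic: severity scaled up by exploit availability, exposure and reach."""
    score = f.cvss_v2
    if f.exploit_public:
        score *= 1.5          # assumption: public exploit code raises urgency
    if f.internet_facing:
        score *= 1.3          # assumption: exposed assets are reached first
    # reach: one extra asset adds almost nothing, 100+ assets doubles the score
    score *= 1.0 + min(f.assets, 100) / 100.0
    return score


def rank_by_risk(findings, budget=None):
    """Findings ordered by descending risk score, optionally cut to a daily budget."""
    ordered = sorted(findings, key=risk_score, reverse=True)
    return ordered if budget is None else ordered[:budget]


def severity_mix(findings):
    """Share of findings in each CVSSv2 band (the kind of figure behind '61% High')."""
    counts = {"Low": 0, "Medium": 0, "High": 0}
    for f in findings:
        counts[v2_severity(f.cvss_v2)] += 1
    total = len(findings) or 1
    return {band: n / total for band, n in counts.items()}


def ids(findings):
    return [f.vuln_id for f in findings]


# Constructed daily batch (identifiers are placeholders, not real CVEs).
SAMPLE = [
    Finding("VULN-A", 9.8, False, 1, False),    # Critical, no exploit, one internal box
    Finding("VULN-B", 6.5, True, 40, True),     # Medium, exploited, widespread, exposed
    Finding("VULN-C", 7.5, True, 3, False),     # High, exploited, internal
    Finding("VULN-D", 4.3, False, 100, False),  # Medium, everywhere, no exploit
    Finding("VULN-E", 9.1, True, 10, False),    # Critical with public exploit
]


if __name__ == "__main__":
    print("critical only:", ids(critical_only(SAMPLE)))
    print("high only:    ", ids(high_only(SAMPLE)))
    print("exploit only: ", ids(exploit_only(SAMPLE)))
    print("risk ranked:  ", ids(rank_by_risk(SAMPLE)))
    print("severity mix: ", severity_mix(SAMPLE))
```

On this batch the Critical-only filter keeps VULN-A and VULN-E and drops VULN-B, a Medium-severity finding with a public exploit on forty internet-facing assets, while the risk ranking puts VULN-B first and the single-asset, unexploited VULN-A fourth. The point is the shape of the decision, not the particular weights: any ranking that combines severity with exploit availability and exposure will reorder findings that a pure severity cut-off treats as identical.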