In talking with many Chief Security Officers, we hear consistently that vulnerability prioritization is a difficult problem. Indeed, a recent study by the Ponemon Institute showed that nearly 60% of surveyed CISOs admit to having been breached through known but unpatched vulnerabilities. This isn't too surprising: there are about 1,000 new vulnerability disclosures each month, and the disclosure rate has been trending at this level since 2017.
But what if one of your technicians tells you "we patch everything"? A statement like this needs to be unpacked. Often, what is really meant is "we patch certain vulnerabilities within a certain amount of time", so "patch everything" really refers to meeting an internal standard. It is important for the managers and executives responsible for vulnerability management to understand those internal standards, because the gap between the standard and "everything" likely means there are unmitigated risks.
What is your organization's definition of "patching everything"? We look at three key facets that often make it easy to make such a statement while still leaving risk unaddressed:
- How long does it take to patch or otherwise remediate a vulnerability once it is disclosed?
- Do the remediation criteria include vulnerabilities that NIST scores as Low or Medium, or only High and Critical?
- Are both internal and external assets considered, or only the internet-facing ones?
We examine the importance of understanding each of these in today’s video.
The idea here is that the discussion should be less about reducing the scope of the problem (i.e. narrowing which vulnerabilities get remediated) and more about how best to prioritize in order to reduce risk.
CYR3CON PR1ORITY enables risk reduction by predicting which vulnerabilities will be used in exploits by hackers. The platform combines threat intelligence from the hacker community with machine learning. Check out our e-book, "Do More With Less", to understand how to take this new approach to managing vulnerability risk and gain efficiencies in your security operations.