In real life, hyperspace doesn’t feel fast. It has not taken long for IT to move from green-on-black monochromatic screens and magnetic tape data storage to public clouds and IoT. But although computing has left Moore’s law in the dust, one fact has stayed constant: software vulnerabilities are a significant enterprise security problem.
Coding and design mistakes have made their way into shipped applications since software’s year zero. For threat actors looking for ways to pivot attacks, developer mistakes are accessible backdoors for malware deployment and victim compromise. Today, with software use growing exponentially, this problem has compounded into an immense threat. From common or garden SQL injection attacks to exploits like the one that hit SolarWinds, unpatched vulnerabilities cause at least 60% of all data breaches.
To keep the vulnerability flood waters at bay, IT security teams practice vulnerability management to discover technological weaknesses in their IT environments and prioritize which ones to fix first. The core challenge of this practice is that it needs to scale with a company. Every time an organization adds another application or system, security teams must cover more ground to find and fix vulnerabilities. It doesn’t help that as software gets more complex (and is frequently sold before it’s actually “finished”), vendors are releasing torrents of patches—sometimes hundreds in a single day.
On average, an organization now spends around 18,000 work hours looking for and patching vulnerabilities annually. Here’s why figuring out how to spend this time efficiently is an urgent challenge.
There Are More Places for Vulnerabilities to Hide
Good defenders might understand how systems work and where vulnerabilities are, but genuinely effective security teams are also aware of what they do not know. Worryingly, despite soaring investment in security tool stacks, the amount that IT security teams know about their domains is in free fall. According to a recent survey, 58% of organizations are now conscious of fewer than 75% of the assets on their network.
The prime suspects for hiding 25% or more of network assets from security teams are employees. Thanks to the rise of easy-to-use third-party software and other developments like no-code technology, workers in verticals like marketing and HR are independently deploying IT applications to make their jobs easier (i.e., “shadow IT”).
Shadow IT is indicative of a broader movement. To stay competitive in a world where business needs, and even employee locations, change all the time, modern enterprise IT is decentralizing. Sanctioned or not, shadow IT makes up between 30% and 50% of all IT spending in enterprises and is a trend that’s not going away. According to one report, the average number of SaaS apps running on corporate networks could be over three times what IT departments think. At this point, putting shadow IT back in its box is probably impossible for IT teams to do.
Vulnerabilities Are Infinite, But Resources Aren’t
Shadow IT might be making it almost impossible for internal teams to get an accurate picture of a company’s vulnerabilities. But even when teams know exactly where vulnerabilities are and patches are available, an important question remains: which ones to fix first?.
The truth is that only a tiny proportion of vulnerabilities are dangerous. There were over 20,000 CVEs reported in 2021, but only 1 in 20 vulnerabilities is ever exploited in the wild. Meanwhile, deploying a patch takes an average of between 60 and 120 days. In some cases, like patching a medical device or a business-critical legacy application, it can take years to get a patch deployed.
Although they may feel caught between a rock and a hard place, defenders cannot neglect vulnerability management. As demonstrated by the fact that vulnerability-focused threats, like 2017’s Eternal Blue exploit (still a significant threat to unpatched devices), never really go away, even forgotten vulnerabilities can catalyze major security events.
At the same time, known vulnerabilities are only part of the problem proactive security teams face. Zero-day threats are a growing danger for enterprises. Last year there were 80 zero-days reported. Although this is more than twice as many as were disclosed in 2020, this number is still probably just the tip of the zero-day iceberg.
Vulnerabilities can come from other directions, too. Things like leaked credentials or misconfigured servers put organizations at just as much risk. For example, over 60% of all security challenges in the cloud come about due to misconfigurations, where patch management is still a problem.
Precision Vulnerability Management
With so many obstacles and variables standing in the way of vulnerability management, the only sustainable response is to get better at prioritization. In practice, this means taking a risk-based approach. Guided by risk, vulnerability management is not a blunt tool but a laser-focused practice.
Under a risk-based approach, risk is the baseline for where teams look for and fix vulnerabilities. Teams following this method will build their vulnerability management strategy by looking at what applications are being used within their organization, how likely a particular system is to be attacked, and whether vulnerable or hard-to-patch assets can be siloed away from the network. Instead of working backward from vulnerabilities, a risk-based strategy preempts threats by zeroing in on the places where an organization is most exposed.
