This year marks the release of Fortra's first Vulnerability Management Report, the 2022 edition. The survey behind it, conducted in September 2022, gathered responses from more than 390 cybersecurity professionals to capture the latest trends, key challenges, and preferences in vulnerability management solutions.
According to the report, cybersecurity teams require readily available, effective vulnerability management solutions that help scale cybersecurity capabilities to protect the business without adding more staff. Beyond vulnerability scanning, this includes layered security solutions that work together to improve team efficiency and security effectiveness.
Participants identified many key challenges associated with their IT infrastructure, including lack of security maturity, staffing for vulnerability management, budget constraints, deploying patches, and a variety of other issues.
The term "security maturity" describes an organization's current security posture relative to its risk environment and risk tolerance. Risk scenarios differ significantly with organizational context, since each company maintains its own security risk register. Organizations are finding it increasingly difficult to identify, prioritize, remediate, or mitigate software and system vulnerabilities in a rapidly changing threat environment, and the ongoing shortage of skilled cybersecurity professionals exacerbates the problem.
Against this backdrop, cybersecurity teams require easy-to-use vulnerability management solutions that enable them to scale security efforts to defend the business without adding more personnel. Beyond vulnerability scanning, this includes layered security solutions that work together to enhance team efficiency and security effectiveness.
When it comes to the vulnerability management program, the majority of companies do have such a program in place. According to the survey, a sizable majority of organizations (71%) have an in-house formal vulnerability management program. Few organizations (12%) have only informal, ad hoc programs, 8% have third-party managed programs, and 9% have no program at all.
However, when asked about the effectiveness of those programs, only nearly a third of organizations consider them effective. A majority (62%) consider their vulnerability management only marginally effective.
Although 71% of organizations have a formal vulnerability management program in place, when the maturity and effectiveness of those programs were evaluated, 66% of organizations reached maturity level 3 or higher, the level distinguished by risk analysis and prioritization within the IT environment. The report's maturity model runs from level 0 to level 5:
- LEVEL 0 – No vulnerability management program.
- LEVEL 1 – Scanning: scanning without analysis or remediation guidance.
- LEVEL 2 – Assessment and compliance: a structured strategy with regular assessments against compliance requirements and best practices, and established processes.
- LEVEL 3 – Analysis and prioritization: analysis beyond CVSS ranking; threats are prioritized by the risk specific to the individual IT environment.
- LEVEL 4 – Attack management: uses scan and testing data to identify how an attack could move through the system.
- LEVEL 5 – Business risk management: a fully developed program that takes the entire environment into account, analyzing data from vulnerability scans and pen tests, examining metrics to identify trends, and using enhanced processes and remediation techniques.
Apart from this, when it comes to vulnerability management capabilities, the survey found that vulnerability assessment (70%) rose to the top of the list. Following that are asset discovery (66%), vulnerability scanning (63%), and risk management features (61%).
It's difficult to read any news publication without coming across a reference to yet another data breach. With each story, we discover the widespread destruction caused by the breach to the community and the business. Because of the constant onslaught of cyber-attacks, vulnerability management has become an inescapable requirement for any company.
However, according to the survey, budget constraints top the list of obstacles to stronger vulnerability management (60%), followed by the longstanding skills shortage (45%) and inefficient vulnerability control procedures (36%). Technological gaps (29%) and lack of executive support (21%) play a minor role as barriers.
Before delving into vulnerability management, there is a critical first step that every organization must take: identifying the areas of its infrastructure that need better vulnerability management.
According to the survey, IoT and OT devices are the assets most in need of better vulnerability management, topping the list at 65%, which reflects the security neglect these devices encounter in most IT environments. Following them are cloud assets (44%) and endpoints (41%).
After identifying the vulnerabilities associated with the IoT devices connected to its network, the organization can start implementing a security framework. IoT security is primarily the effective control of IoT devices on the network infrastructure.
The lack of a speedy patch management process is a significant concern for many companies, because timely patching is critical to maintaining a strong security posture. How quickly do businesses deploy security patches to address vulnerabilities? According to the survey, only 29% of organizations deploy within three days of availability. Twenty-two percent deploy patches within a week of their availability, while 35% take between one week and a month. At the lowest end of the scale, 6% of organizations apply patches within 3 months, and a striking 3% of organizations take a year or more to apply patches.
The first step in addressing vulnerabilities is to become aware of them. Yet when asked about their vulnerability visibility, less than half of cybersecurity professionals claimed to have high (35%) or complete (11%) visibility. More than half of organizations (51%) have only moderate visibility into their vulnerabilities.
When asked to rate the spending triggers for purchasing vulnerability management solutions, the survey found that the leading trigger, chosen by 68% of organizations, was purchasing as a preventative security measure. Compliance (42%) and audit findings (37%) were the next purchasing drivers.
When asked about the volume of security vulnerabilities, the survey found that 76% of organizations saw an increase in vulnerabilities over the last year. In more than a third of organizations (38%), vulnerabilities increased by up to 25%, and 24% saw vulnerabilities increase by 26% to 50%.
While 76% of organizations experienced an increase in vulnerabilities in the previous year, less than a third (30%) expect a significant increase in vulnerability management staffing, probably reflecting the continued skills shortage confronting cybersecurity teams. The report further states that a somewhat higher share of organizations (44%) expect to increase their investment in vulnerability management solutions, while 37% do not anticipate any change in expenditure. Spending on vulnerability testing is expected to increase for a bit more than a third of organizations (36%).
The 2022 Vulnerability Management Report highlights that lack of security maturity, staffing for vulnerability management, budget constraints, deploying patches, and a variety of other issues are all key challenges. Vulnerability assessment tops the list of vulnerability management capabilities, followed by asset discovery and risk management features. IoT and OT devices are the most problematic assets, reflecting the security neglect these devices encounter in most IT environments. Budget constraints are the most serious impediment to stronger vulnerability management.
This all points to the need for organizations to pay stricter attention to what is going on with their security posture and incident readiness. Cybersecurity teams require easy-to-use vulnerability management solutions that enable them to scale security efforts without adding more personnel. Is the lack of security visibility directly correlated with budget, or are there other contributing factors? One could easily infer that the C-level may still be too far removed from the rank and file, placing companies at considerable risk.
About the Author:
Prasanna Peshkar is a cybersecurity researcher, educator, and cybersecurity technical content writer. He is interested in performing audits by assessing web application threats and vulnerabilities. He is interested in new attack methodologies, tools and frameworks. He also spends time looking for new vulnerabilities and understanding emerging cybersecurity threats in blockchain technology.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.