Tenable, the cyberexposure company, has released The Cyber Defender Strategies Report which uses data science against real-world telemetry data to analyse how 2,100 organisations are assessing their exposure to vulnerabilities, a critical component to improving overall cybersecurity posture.
The report shows that nearly 48% of organisations globally have embraced strategic vulnerability assessment – defined as mature or moderately mature programs that include targeted and tailored scanning and prioritising computing resources based on business criticality – as a foundational element of their cyberdefence and a critical step toward reducing risk.
Of those organisations, however, only 5% display the highest degree of maturity, with comprehensive asset coverage as a cornerstone of their programs. On the other end of the spectrum, 33% of organisations take a minimalistic approach to vulnerability assessments, doing the bare minimum as required by compliance mandates and increasing the risk of a business-impacting cyber-event.
Tenable’s last report, Quantifying the Attacker’s First-Mover Advantage revealed that attackers generally have a median seven-day window of opportunity to exploit a known vulnerability before defenders have even determined they are vulnerable. The resulting seven-day gap is directly related to how enterprises are conducting vulnerability assessments – the more strategic and mature the approach, the smaller the gap is likely to be and the lesser the risk to the business.
“In the not too distant future, there will be two types of organisations – those who rise to the challenge of reducing cyber-risk and those who fail to adapt to a constantly evolving and accelerating threat landscape in modern computing environments,” said Tom Parsons, Senior Director of Product Management, Tenable. “This research is a call to action for our industry to get serious about giving the advantage back to cyberdefenders, starting with the rigorous and disciplined assessment of vulnerabilities as the basis for mature vulnerability management and ultimately, cyberexposure.”
Tenable analysed telemetry data for over three months from organisations in more than 60 different countries using data science to identify distinct security maturity styles and strategic insights which can help organisations manage, measure and ultimately reduce cyber-risk. The objective was to analyse and ultimately help to improve how defenders are responding.
Key findings include:
There are four distinct strategies of vulnerability assessment:
- The ‘Minimalist’ executes bare minimum vulnerability assessments as required by compliance mandates. A total of 33% of organisations fall into this category, running limited assessments on only selected assets. This represents a lot of enterprises which are exposed to risk and still have some work to do, with critical decisions to make on which KPIs to improve first
- The ‘Surveyor’ conducts frequent broad-scope vulnerability assessments but with little authentication and customisation of scan templates. A total of 19% of organisations follow the surveying style, placing them at a low to medium maturity
- The ‘Investigator’ executes vulnerability assessments with a high maturity, but only assesses selective assets. A total of 43% follow the investigative style, indicating a solid strategy based on a good scan cadence, targeted scan templates, broad asset authentication and prioritisation. Considering the challenges involved in managing vulnerabilities, securing buy-in from management, cooperating with disparate business units such as IT operations, maintaining staff and skills and the complexities of scale, this is a great achievement and provides a solid foundation upon which to mature further
- The ‘Diligent’ represents the highest level of maturity, achieving near-continuous visibility into where an asset is secure or exposed and to what extent through high assessment frequency. Only 5% of organisations fall into this category, displaying comprehensive asset coverage, targeted, customised assessments and tailoring scans as required by use case
- Across all levels of maturity, organisations benefit from avoiding a scattershot approach to vulnerability assessment and instead making strategic decisions and employing more mature tactics such as frequent, authenticated scans to improve the efficacy of vulnerability assessment programs.