By Brian Pereira
The number of vulnerabilities is increasing at an alarming rate, making it increasingly difficult for enterprises to identify the ones that will impact their business. According to the Vulnerability Intelligence Report 2018, from Tenable Research, 16,500 new vulnerabilities were published in 2018. As per the National Vulnerability Database (NVD), there were 15,038 new vulnerabilities recorded in 2017. Moreover, in 2016 the number was 9,837. So the number of vulnerabilities increased by 53 percent in a single year. Tenable Research also mentions that, on average, enterprises find 870 vulnerabilities per day across 960 IT assets.
With limited resources and the shortage of skills, enterprises cannot address this massive volume of vulnerabilities.
“Out of 100 vulnerabilities that I have in my… how do I identify those ten incidents, vulnerabilities, findings that I should be addressing right away?” asks Prateek Bhajanka, Principal Analyst, Gartner. “The prioritization of vulnerabilities to be addressed should be done on the basis of the risk; not on the basis of other factors, like what the management thinks, or the default suggestions in the solution/tool. We should be taking into account the risk posed to the organization. We should be spending more time on the activities that have a higher impact (on the business),” he said.
Speaking exclusively to CISO MAG, Robert Huber, CSO of Tenable said the attack surfaces are expanding so broadly, the ability to gain visibility into that attack surface is becoming difficult. He said automation is the only way to tackle the growing volume of vulnerabilities. Tenable is proposing a technology for this called predictive prioritization.
“We all know that you can’t patch everything–and if you patch everything it probably won’t work anymore! So I need to prioritize the vulnerabilities based on the severity of the threat and on what’s important to the business. Usually, from a revenue or loss perspective as well,” said Huber.
Huber has more than 20 years of information security experience across financial, defense, and critical infrastructure sectors. At Tenable, he oversees the company’s global security teams including physical, product and information–working cross-functionally to reduce risk to the organization and its customers. Huber is also an active member of the U.S. Air National Guard serving in a cyber-operations squadron.
“There were 16,000 vulnerabilities last year, and 59 percent are rated high and above. That’s still too many for somebody to feasible patch or address in their organization. If we apply predictive prioritization to the 59 percent, we reduce that down roughly 90 percent. So what’s left is a manageable amount of vulnerabilities that you could realistically address,” he said.
Read the complete interview with Robert Huber in the September issue of CISO MAG.