Not long ago we saw the WannaCry and Petya attacks wreak havoc around the world, as well as high-profile data breaches dominating headlines. It’s easy to get caught up in the news cycle, but they’re not the main threats security professionals should be focusing their attention on.
Vulnerabilities, and the exploitation of them, are still the root cause of most information security breaches today. Although not all breaches result from a vulnerability being exploited, most do. Within this majority, the breaches also come from known vulnerabilities rather than zero-day attacks.
Zero-day vulnerabilities made up only approximately 0.4% of vulnerabilities during the past decade. The amount spent on trying to detect them is out of kilter with the actual risks they pose. Compare that with the massive numbers of breaches and infections that come from a small number of known vulnerabilities that are being repeatedly exploited.
This is like worrying more about great white sharks than the humble mosquito: the mosquito consistently kills millions of people each year, while the shark causes roughly the same number of deaths as being struck by lightning.
Simply put, zero-day attacks are not the biggest issue for most organizations. The top issue in vulnerability management is that organizations aren’t prioritizing their patching and compensating controls to align to vulnerabilities targeted by threat actors.
Organizations need to align their vulnerability management priorities with the biggest security threats. Although Gartner is seeing persistent and advanced threats, in most cases threat actors don’t use overly sophisticated means to achieve their goals. Instead, more often than not they leverage known vulnerabilities to get the job done.
Deal with the elephant in the room first
Gartner believes that 99% of the vulnerabilities exploited by the end of 2020 will continue to be ones known by security and IT professionals at the time of the incident.
If you deal with the biggest cause of breaches and data loss first, then you’ll have a better foundation to work on more difficult issues. Keep inching toward improvements with a vulnerability management program, but it’s more critical to reduce attack surfaces by closing the biggest risks, which are the known vulnerabilities being exploited in the wild.
The number of exploited vulnerabilities year over year for the last decade is actually flat, despite the number of breaches increasing and the number of threats appearing. Essentially, more security threats are leveraging the same small set of vulnerabilities.
Focus on vulnerabilities exploited in the wild
As a top priority, focus your efforts on patching the vulnerabilities that are being exploited in the wild, or have competent compensating control(s) in place that can mitigate them. This is an effective approach to risk mitigation and prevention, yet very few organizations do this.
This prioritization reduces the number of vulnerabilities to deal with. This means you can put more effort into dealing with a smaller number of vulnerabilities for the greater benefit of your organization’s security posture.
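One way to apply this prioritization to scanner output, as an added example that is not from the article or from Gartner. The field names, the tier labels and the sample data are assumptions, and the vulnerability IDs are constructed placeholders rather than real CVE numbers.

```python
from dataclasses import dataclass

# Constructed stand-in for an "exploited in the wild" feed (placeholder IDs).
EXPLOITED_IN_WILD = {"CVE-PLACEHOLDER-0002", "CVE-PLACEHOLDER-0005"}

@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    severity: float            # scanner base score, 0.0-10.0
    patched: bool = False
    compensated: bool = False  # a compensating control covers this finding

# Constructed scanner findings.
FINDINGS = [
    Finding("web-01", "CVE-PLACEHOLDER-0001", 9.8),
    Finding("web-01", "CVE-PLACEHOLDER-0002", 7.5),
    Finding("db-01", "CVE-PLACEHOLDER-0002", 7.5, compensated=True),
    Finding("hr-app", "CVE-PLACEHOLDER-0003", 8.1),
    Finding("mail-01", "CVE-PLACEHOLDER-0005", 6.4),
    Finding("file-01", "CVE-PLACEHOLDER-0005", 6.4, patched=True),
    Finding("vpn-01", "CVE-PLACEHOLDER-0004", 5.3),
]

def triage(findings, exploited):
    """Split open findings into three tiers:
    now   - exploited in the wild, unpatched, no compensating control
    next  - exploited in the wild, covered by a compensating control
    later - no known exploitation
    """
    tiers = {"now": [], "next": [], "later": []}
    for f in findings:
        if f.patched:
            continue  # already remediated, nothing to schedule
        if f.vuln_id not in exploited:
            tiers["later"].append(f)
        elif f.compensated:
            tiers["next"].append(f)
        else:
            tiers["now"].append(f)
    for bucket in tiers.values():
        bucket.sort(key=lambda f: -f.severity)  # severity only orders within a tier
    return tiers

if __name__ == "__main__":
    for tier, items in triage(FINDINGS, EXPLOITED_IN_WILD).items():
        print(tier, [(f.asset, f.vuln_id, f.severity) for f in items])
```

In this sample the 9.8-severity finding lands in the last tier because nothing indicates it is being exploited, while two lower-scored findings make up the whole of the first tier.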
Craig Lawson is a Research Vice President with Gartner, focusing on network security, firewalls, web application firewalls (WAF), IPS, IDS, SIEM, log management, vulnerability management, advanced persistent threats (APT), vulnerability research, threat intelligence, managed security service providers (MSSP), managed detection and response (MDR), cloud access security brokers (CASB) and cloud security.