Free Trial
|
Login
Free Trial
Login
Platform

Platform

I want to

report
WHITEPAPER Picus Red Report 2024
white paper
DATASHEET Security Validation Platform
Use Cases

Use Cases

Frameworks

Group
WHITEPAPER Building a Robust Defense-in-Depth Strategy with Breach and Attack Simulation (BAS)
webinar
ON-DEMAND Top Ten ATT&CK Techniques: The Rise of ‘Hunter-Killer’ Malware
Research

RESEARCH

LEARNING

report (1)
REPORT 2024 Gartner® Peer Insights™ Voice of the Customer for Breach and Attack Simulation (BAS) Tools
report (1)
REPORT Blue Report: Effective Threat Exposure Management
Resources

RESOURCES

LEARNING

Group
WHITEPAPER Double Your Threat Blocking in 90 Days
webinar
UPCOMING WEBINAR Maximizing Cybersecurity with GenAI
Company

COMPANY

PARTNERS

webinar
UPCOMING WEBINAR Maximizing Cybersecurity with GenAI
Data sheet
DATASHEET The Pioneer of Breach & Attack Simulation
GET A DEMO

Choosing Which Vulnerabilities to Patch

Trevor Daughney | August 28, 2023

The Red Report 2024

The Top 10 MITRE ATT&CK Techniques Used by Adversaries

DOWNLOAD

A lot has been written about how security teams struggle to prioritize and patch common vulnerabilities and exposures (CVEs). With limited resources, vulnerability management teams must choose to remediate some CVEs over others – at their peril. 

In the Blue Report 2023, our analysis of 14 million attack simulations found that organizations are making four “impossible” tradeoffs when it comes to managing their threat exposure. One trade-off is choosing which vulnerabilities to patch.

The Blue Report 2023 identified a list of vulnerabilities – including high severity vulnerabilities and vulnerabilities over 3 years old – for which over 80% of organizations remain exposed.

Spotlight on Vulnerabilities

Software vulnerabilities, often referred to as common vulnerabilities and exposures (CVEs), are frequently targeted by attackers. And for good reason. 

For example, we identified the ten least prevented vulnerability exploits as part of the analysis of attack simulations done for this report. Organizations are only able to prevent them 11-16% of the time. Moreover, organizations are clearly not very effective at prioritizing vulnerability patching. Many of these vulnerabilities are either high severity or remain exposed despite having been known for years.

 

The 10 least prevented vulnerability exploits
The 10 least prevented vulnerability exploits

Several of the vulnerabilities in this list have drawn substantial media attention due to their high severity and widespread impact, including CVE-2021-30588 (affecting Chrome's JavaScript Engine), CVE-2021-33564 (affecting Linux distributions), and CVE-2021-22885 (impacting Ruby on Rails). Their continued exploitability underscores the ongoing need for vulnerability managers to prioritize patching them.

The presence of CVE-2019-9947 and CVE-2019-14234, both now 4 years old, highlights the fact that vulnerabilities can pose long-term security risks. Timely identification and remediation of vulnerabilities is essential, even in older systems.

Another finding is that these vulnerabilities affect a broad array of systems – from web browsers to operating systems. Organizations’ vulnerability management programs should span their entire IT ecosystem, but they are clearly having to make trade-offs about what to protect. With that in mind, organizations may need to go beyond vulnerability management to reduce their threat exposure.

Overcoming the Trade-Off

What are security teams to do? Threat exposure management, sometimes referred to as continuous threat exposure management (CTEM), is one approach to cybersecurity that organizations can use to overcome this trade-off. Implementing a continuous threat exposure management (CTEM) program can allow you to effectively prioritize potential risks and corresponding remediation efforts.

Picus Security’s CTEM solution helps you discover and prioritize these at-risk assets, among other exposures like high-risk attack paths, that attackers could use to access critical systems and users. 

With Picus, you can quickly mature your security posture and move beyond basic vulnerability management. Instead of spending your days making impossible trade-offs that leave gaps in your defenses, you can consistently and successfully defend against sophisticated multi-pronged attacks. On average, our customers prevent twice as many attacks, within just three months.

Picus customers prevent twice as many attacks, within just 3 months

Picus customers prevent twice as many attacks, within just 3 months

To learn more about other trade-offs organizations face managing their threat exposure, download the Blue Report 2023, or read our other blogs in this series.