Half of organizations are relative teenagers in terms of maturity when it comes to their vulnerability-assessment practices, a key aspect of successful strategies to defend themselves quickly against cyber attacks, a recent report has found.
Nearly half, or 48 percent, of the organizations polled in the survey–The Cyber Defender Strategies Report, by security firm Tenable Inc.–said they use what’s called strategic vulnerability assessment to prioritize their cyber-security resources and efforts. However, only 5 percent of these organizations are taking a truly comprehensive approach.
At the other end of the spectrum, 52 percent of those polled said they exhibit only a moderate or low approach to assessing security risks, with 33 percent of organizations acknowledging that they do only the bare minimum as mandated by compliance rules to assess security risks. This boosts the threat-vulnerability level of these organizations, according to the report.
“Organizations are nearly evenly split between those that have embraced mature vulnerability assessment strategies as foundational to their cyber defense programs, and those that continue to execute tactical scans, often doing the bare minimum to meet compliance requirements,” Tom Parsons, Tenable’s head of research, told Security Ledger.
Tenable offers a platform to expose an organization’s cyber assets to help them, among other things, determine which are vulnerable to cyber attack. Researchers there said they were interested to find out the state of affairs when it comes to strategic vulnerability assessment after investigating and publishing a previous report, “Quantifying the Attacker’s First-Mover Advantage.”
In that report, they revealed the discovery that it takes a hacker a median of five days to gain access to a functioning exploit, while organizations trying to defend themselves take an average of 12 days to assess for a vulnerability.
This difference means attackers have a seven-day window of opportunity to strike, during which time an organization isn’t even aware they’re vulnerable, according to researchers.
Varying degrees of maturity
For the latest report published this week along with an accompanying blog post, Tenable Research analyzed telemetry data for more than three months from organizations in more than 60 different countries. They used data science to identify security maturity styles and insights that can help organizations manage, measure and ultimately reduce cyber risk.
The report ranks what it defines as the “maturity” level of vulnerability-assessment programs into four categories–minimalist, surveyor, investigator and diligent–and describes the particular style of each.
The minimalist, as mentioned before, is just that–an organization that does the least it has to do to assess vulnerabilities. These are the least mature in terms of the report’s criteria–veritable infants of vulnerability assessment, according to researchers.
The surveyor is a bit more vigilant, conducting frequent, broad-scope vulnerability assessments. However, these organizations–19 percent of respondents were categorized this way–do more specific assessment work, placing them at a low-to-medium maturity, according to the report.
“Organizations at the lower maturity levels should consider tailoring assessments for specific asset types and, most importantly, expand authentication coverage to gain a holistic view of their security posture,” Parsons said.
The more mature organizations in terms of strategic-risk assessment are faring better when it comes to having more solidified strategies in place, according to the report. Those deemed “investigators” execute vulnerability assessments with a high maturity; however, they remain selective in which assets they examine in their work, prioritizing the most important. Forty-three percent of organizations in the survey fall into this category, according to the report.
Then there are the organizations referred to as “diligent” because they achieve “near-continuous visibility into where an asset is secure or exposed and to what extent through high assessment frequency,” according to the report. These organizations boast comprehensive asset coverage, targeted, customized assessments, and scans tailored as required by use case, researchers said.
Parsons gave these organizations a verbal pat on the back for overcoming internal hurdles to facilitating and completing vulnerability assessments. “When we consider the challenges involved in managing vulnerabilities, getting buy-in from management, cooperating with disparate business units such as IT operations, maintaining staff and skills, and the complexities of scale, it is promising to see that nearly half of organizations are conducting vulnerability assessments at a medium or high maturity,” he told us.
Improvements for the future
Still, even if companies have very mature vulnerability-assessment programs in place, they can still do more, Parsons said. “The ultimate objective–regardless of which style most closely aligns to your own practices–is to always keep evolving toward a higher level of maturity,” he said.
And lest companies think it’s impossible to improve or enact these types of programs at all within an enterprise, Parsons had an encouraging yet sharp message for companies lagging behind on their preparedness for cyber attack.
“If your organization seems to be leaning toward the lower-maturity styles, don’t panic,” he said. “There is nothing wrong with being at a low maturity. What is wrong is choosing to remain there.”
Parsons advised companies without solid programs in place to follow the precedent set by companies with more mature vulnerability-assessment practices and stick with what already works rather than try to re-invent the wheel.
“Rather than having your organization serve as a testing bed for untried, novel and immature solutions, you’ll benefit from the availability of tried-and-tested offerings,” he said.
Some practices these organizations can enact to improve their maturity level are to reduce the number of days between regular assessments; extend asset coverage; begin or expand usage of authenticated scanning; and leverage distributed scanning, Parsons suggested.
Companies already in middle age and beyond in terms of their program maturity can still do better, too, he said. Parsons advised that they expand specific technologies such as authenticated scanning, as well as include non-traditional technologies in the scope of their vulnerability management programs, such as Web, cloud, virtual and mobile assets.
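The practices Parsons lists above (shorter gaps between assessments, wider asset coverage, more authenticated scanning, and bringing Web, cloud, virtual and mobile assets into scope) only improve if a team can measure them. The following script is an added example, not code from the article or from Tenable, and it does not reproduce the report’s own scoring: it turns a constructed asset inventory and a handful of constructed scan records into the numbers a defender would track, namely the median and worst-case days between assessments per asset, coverage by asset class, the assets never assessed, and the share of scans run with credentials. The asset names, the `ScanRecord` type and the seven-day target interval are all assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median


@dataclass(frozen=True)
class ScanRecord:
    """One completed vulnerability assessment of one asset (hypothetical record shape)."""
    asset: str
    scanned_at: datetime
    authenticated: bool  # credentialed scan that sees installed software, or remote-only


# Constructed asset inventory: asset name -> asset class. Names are hypothetical.
INVENTORY = {
    "srv-01": "server",
    "srv-02": "server",
    "web-01": "web",
    "cloud-01": "cloud",
    "mob-01": "mobile",
}

# Constructed scan telemetry for August 2018; not data from the report.
SAMPLE_SCANS = [
    ScanRecord("srv-01", datetime(2018, 8, 1), True),
    ScanRecord("srv-01", datetime(2018, 8, 8), True),
    ScanRecord("srv-01", datetime(2018, 8, 15), True),
    ScanRecord("srv-02", datetime(2018, 8, 1), False),
    ScanRecord("srv-02", datetime(2018, 8, 31), False),
    ScanRecord("web-01", datetime(2018, 8, 5), False),
]


def intervals_by_asset(scans):
    """Days between consecutive assessments of each asset; an asset scanned once yields []."""
    by_asset = {}
    for rec in scans:
        by_asset.setdefault(rec.asset, []).append(rec.scanned_at)
    result = {}
    for asset, times in by_asset.items():
        times.sort()
        result[asset] = [(later - earlier).days for earlier, later in zip(times, times[1:])]
    return result


def median_interval_days(scans):
    """Median gap between assessments across all assets; None if no asset was scanned twice."""
    gaps = [g for asset_gaps in intervals_by_asset(scans).values() for g in asset_gaps]
    return median(gaps) if gaps else None


def coverage_by_type(scans, inventory):
    """Fraction of inventoried assets of each class that were assessed at least once."""
    scanned = {rec.asset for rec in scans}
    totals, hits = {}, {}
    for asset, kind in inventory.items():
        totals[kind] = totals.get(kind, 0) + 1
        hits[kind] = hits.get(kind, 0) + (1 if asset in scanned else 0)
    return {kind: hits[kind] / totals[kind] for kind in totals}


def overall_coverage(scans, inventory):
    """Fraction of the whole inventory assessed at least once."""
    scanned = {rec.asset for rec in scans}
    return len(scanned & set(inventory)) / len(inventory)


def authenticated_share(scans):
    """Fraction of assessments run with credentials."""
    return sum(rec.authenticated for rec in scans) / len(scans)


def maturity_summary(scans, inventory, target_interval_days=7):
    """Turn the four practices into checkable numbers and list where the gaps are."""
    gaps = intervals_by_asset(scans)
    stale = sorted(a for a, g in gaps.items() if g and max(g) > target_interval_days)
    never = sorted(a for a in inventory if a not in gaps)
    return {
        "median_interval_days": median_interval_days(scans),
        "assets_over_target_interval": stale,
        "overall_coverage": overall_coverage(scans, inventory),
        "coverage_by_type": coverage_by_type(scans, inventory),
        "never_assessed": never,
        "authenticated_share": authenticated_share(scans),
    }


if __name__ == "__main__":
    for key, value in maturity_summary(SAMPLE_SCANS, INVENTORY).items():
        print(f"{key}: {value}")
```

On the constructed data the median gap is seven days, but one server went thirty days between scans, two asset classes (cloud and mobile) have no coverage at all, and only half of the scans were credentialed; tracking the worst-case gap and per-class coverage, rather than a single average, is what makes the lagging assets visible.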