205 days. That's now the average time security teams take to remediate critical cybersecurity vulnerabilities — nearly seven full months. Although the number of vulnerabilities continues to climb at a staggering rate, with a recent report identifying 9,444 new vulnerabilities in the first half of 2021, the surprising reality is that most vulnerabilities companies face today aren't new.
At this point, it's clear that hackers have overwhelmed all but the most forward-thinking cybersecurity professionals, creating exploits at a rate that has left enterprises and governments with significant backlogs of unaddressed risk. Network device vulnerabilities increased by nearly 20% year-over-year, in part due to the rise in VPN vulnerabilities, while operational technology (OT) vulnerabilities were up almost 50% compared with the first half of 2020.
Security leaders have every reason to feel behind the curve: A recent report noted that 14% of exploits are published before patches are available, and 80% of public exploits are published before CVE updates are released. While defenders are left drowning in alerts, hackers are successfully exploiting old vulnerabilities that were never patched, including some that are five years old. The older vulnerabilities are, the better the chance hackers will know how to find and exploit them. In addition, exploitable vulnerabilities layered into trusted software are yet another complication for already over-taxed vulnerability management programs, as seen in both the SolarWinds and Kaseya supply chain attacks.
In light of recent cyberattacks on critical U.S. infrastructure, including water treatment plants in Oldsmar, Florida, Colonial Pipeline's fuel supplies, and JBS's meat processing facilities, waiting six or seven months to close any vulnerability gap is not acceptable. Allowing five-year-old vulnerabilities to ripen into ransom attempts is even worse. These aren't just threats to our security — they're now compromising our health and way of life.
Model the attack surface
Successful OT attacks have opened our eyes to a new reality: Traditional scan-and-patch tactics are no longer enough to protect our water, energy, and food supplies, particularly when scans are delayed or forgotten because they require 'unacceptable' downtime. Consequently, the world must shift from the classic reactive cybersecurity paradigm to a proactive stance, including a new approach to managing the attack surface.
However, it isn't as simple as changing an organization's mentality; concrete steps are required. A first step is visualizing the entire attack surface — including the number and nature of its vulnerabilities — to measure risk through the dual lens of exposure and exploitability. This data enables the identification of options to drastically reduce the attack surface. Triage time is minimized by prioritizing what's exploitable on critical assets and continuously deploying fixes.
Staying secure during an unprecedented period of cybersecurity talent shortages and vulnerability upticks requires even well-trained professionals to uplevel their programs now. Getting ahead of the attack curve means not only moving beyond traditional scan-and-patch tools, which too often act too late, but also augmenting them with the early insights and remediation solutions teams need to make better security decisions faster.
Forest-scale strategic planning
Internally, organizations need to think bigger about cybersecurity, given that modern IT now spans on-premises, OT, cloud, and third-party networks. Instead of separate, siloed approaches, security must operate with a single view of compliance and operational security processes that align across the entire organization. Properly understood and coordinated, a whole-estate view lets teams automate data collection and analysis across the board rather than myopically addressing small pieces of the network puzzle. The context gained is essential to informing remediation strategies, augmenting scan data, and enabling organizations to prioritize exposures posing the greatest threat.
Outdated cybersecurity playbooks focus on extinguishing fires, with too little opportunity to employ forest-scale strategic planning. By modeling the complete environment where vulnerabilities exist, teams can understand exposure to threat origins and meaningfully simulate attacks before they happen — notably without network downtime or disruptions. Analyzing exposure based on risk takes vulnerability prioritization from theoretical to real, revealing weaknesses that are most likely to be used in an attack.
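The two ideas above, measuring each finding through the dual lens of exposure and exploitability on critical assets, and modeling the environment so exposure to a threat origin can be computed rather than guessed, can be made concrete in a few dozen lines. The following is an added example, not tooling from the article or from any vendor: it assumes a constructed firewall-flow model between network segments, a made-up asset inventory with a 1 to 5 criticality scale, and placeholder `VULN-*` identifiers in place of real CVEs. It ranks findings by CVSS, asset criticality, a public-exploit/age signal, and hop distance from an internet threat origin, and flags findings that need mitigation because no vendor patch exists.

```python
"""Constructed example: rank vulnerability findings by exposure, exploitability
and asset criticality over a small network model. Added example code, not from
the article; all segments, assets, scores and VULN-* ids are made up."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    segment: str
    criticality: int  # constructed 1 (low) .. 5 (safety-relevant) scale


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str        # placeholder ids, not real CVEs
    cvss: float
    exploit_public: bool
    patch_available: bool
    age_days: int


# Constructed firewall policy: which segments may initiate connections to which.
FLOWS = {
    "internet": {"dmz"},
    "dmz": {"corp"},
    "corp": {"ot"},
    "ot": set(),
    "lab": set(),  # isolated test bench: no segment reaches it
}

ASSETS = [
    Asset("web-portal", "dmz", 3),
    Asset("hr-db", "corp", 4),
    Asset("plc-gateway", "ot", 5),
    Asset("lab-box", "lab", 1),
]

FINDINGS = [
    Finding("web-portal", "VULN-A", 9.8, True, True, 30),
    Finding("hr-db", "VULN-B", 7.5, False, True, 900),
    Finding("plc-gateway", "VULN-C", 8.8, True, False, 1800),  # ~5 years old
    Finding("lab-box", "VULN-D", 10.0, True, True, 10),
]


def hops_from(origin, flows):
    """BFS over allowed flows: shortest hop count from a threat origin to every
    reachable segment. Segments missing from the result are unreachable."""
    dist = {origin: 0}
    queue = deque([origin])
    while queue:
        seg = queue.popleft()
        for nxt in flows.get(seg, ()):
            if nxt not in dist:
                dist[nxt] = dist[seg] + 1
                queue.append(nxt)
    return dist


def exposure_factor(segment, hops):
    """1.0 at or one hop from the origin, decaying with path length; a small
    floor keeps unreachable assets on the list but sinks them to the bottom."""
    if segment not in hops:
        return 0.25
    return 1.0 / max(hops[segment], 1)


def exploitability_factor(f):
    """Public exploit code is the strongest signal; age adds a capped bonus,
    since attackers favour old, well-understood bugs. Age alone never
    outranks a public exploit."""
    score = 1.0 + (1.0 if f.exploit_public else 0.0)
    score += 0.5 * min(f.age_days / 365, 1.0)
    return score


def prioritize(findings, assets, flows, origin="internet"):
    """Return findings ranked by priority, each with a suggested action."""
    by_name = {a.name: a for a in assets}
    hops = hops_from(origin, flows)
    ranked = []
    for f in findings:
        a = by_name[f.asset]
        score = ((f.cvss / 10) * a.criticality
                 * exploitability_factor(f) * exposure_factor(a.segment, hops))
        action = "patch" if f.patch_available else "mitigate (no vendor patch)"
        ranked.append({"vuln": f.vuln_id, "asset": a.name,
                       "priority": round(score, 2), "action": action})
    ranked.sort(key=lambda r: r["priority"], reverse=True)
    return ranked


if __name__ == "__main__":
    for row in prioritize(FINDINGS, ASSETS, FLOWS):
        print(f"{row['priority']:5.2f}  {row['vuln']:7} {row['asset']:12} {row['action']}")
```

Run as-is, the internet-facing portal with a public exploit ranks first, the five-year-old unpatched flaw on the OT gateway second, and the perfect-10 CVSS on the isolated lab box last, which is the point of scoring by exposure and criticality rather than by severity alone. The flow model is the piece that needs real data: swap `FLOWS` for exported firewall or cloud security-group rules and the hop counts become a defensible measure of exposure.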
Historically, cybersecurity was like whack-a-mole, challenging security teams to hit targets as they popped up — manageable until moles so outnumbered players that there was no way to win. Now we're facing multi-million-dollar ransoms and threats to public safety, so the stakes are high, and there's no room to lose. We can no longer afford to leave vulnerabilities unaddressed for five months or five years.