New findings evaluate how organisations are managing vulnerability risks
Tripwire, Inc., a leading global provider of security and compliance solutions for enterprises and industrial organisations, today announced the release of a new report on vulnerability management trends. The survey, conducted by Dimensional Research in May 2019, included responses from 340 infosecurity professionals.
Tripwire evaluated how organisations are managing vulnerability risks and found that more than one in four (27 percent) globally have been breached as a result of unpatched vulnerabilities, with an even higher rate in Europe (34 percent). Vulnerability management starts with visibility of the attack surface, and Tripwire’s report found that 59 percent of global organisations are able to detect new hardware and software on their networks within minutes or hours. However, this is a difficult manual effort for many; almost half (47 percent) report that less than half of their assets are discovered automatically, including 13 percent who don’t even use automatic discovery solutions.
“Finding vulnerabilities is just a part of an effective vulnerability management program,” said Tim Erlin, vice president of product management and strategy at Tripwire. “It’s important for organisations to focus on building a program instead of deploying a tool. Vulnerability management has to include asset discovery, prioritisation, and remediation workflows in order to be effective at reducing risk.”
In assessing the attack surface for vulnerabilities, 88 percent of infosecurity professionals said they run vulnerability scans, but the research found that organisations address vulnerabilities with varying degrees of effectiveness. Compared with a past report, the use of authenticated scans has improved, with 63 percent saying they conduct authenticated scans as part of their vulnerability assessment. Despite this progress, more than one-third (39 percent) are still not scanning weekly – or more often – as recommended by industry standards.
Erlin added: “How you assess your environment for vulnerabilities is important if you want to effectively reduce your risk. If you are not doing authenticated vulnerability scans, or not using an agent, then you are only giving yourself a partial picture of the vulnerability risk in your environment. And if you’re not scanning for vulnerabilities frequently enough, you’re missing new vulnerabilities that have been discovered, and you may miss assets that tend to go on and off the network, like traveling laptops.”
The ability to reduce vulnerability risks varies among organisations. According to Tripwire’s report, 16 percent of U.S. organisations said they only conduct vulnerability scans to meet compliance or other requirements. This rate was higher for European organisations, at 21 percent.
“Meeting a regulation or compliance requirement does not necessarily mean you’ve effectively managed your security risk,” Erlin concluded. “Compliance requirements are most often about protecting someone other than your organisation. That might be the consumer or credit card companies or another entity. Securing your business requires that you define an acceptable level of risk and manage to that target.”
Fifty percent of infosecurity professionals said they conduct vulnerability scans to reduce risk, but only have the bandwidth to focus on high-severity vulnerabilities. Nearly all respondents indicated that constraints like people and processes (78 percent) and budget (65 percent prevent them from addressing all of the vulnerabilities they want to tackle.
To ease constraints for organisations with limited in-house cybersecurity resources, Tripwire recently launched vulnerability management as a service with an expansion of Tripwire® ExpertOps. The company has also added additional service tiers for Tripwire ExpertOps VM, offering more extensive analysis and personalised consulting.
Tripwire is also announcing enhancements to Tripwire IP360™, its enterprise-class vulnerability management solution. Tripwire IP360 version 9.1.0 will feature a new integrated user interface, improved offline agent data collection, enhanced security features, improvements to support robust configuration, and new capabilities for assessing data at rest.