Enterprises Must Triage More than 100 Critical Vulnerabilities a Day, According to Tenable Research

Today, Tenable has launched its Vulnerability Intelligence Report, which provides an overview of current vulnerability disclosure trends and insights into real-world vulnerability demographics in enterprise environments. Tenable researchers analysed vulnerability prevalence in the wild, measured by the number of enterprises affected, to highlight the vulnerabilities that security practitioners are dealing with in practice, not just in theory. The study confirms that managing vulnerabilities is a challenge of scale, velocity and volume. It is not only an engineering challenge: it requires a risk-centric view to prioritise thousands of vulnerabilities that superficially all look the same.

A few key findings from the report:

  • On average, an enterprise finds 870 vulnerabilities per day across 960 assets.
  • Almost two-thirds (61%) of the vulnerabilities that enterprises find in their environments are rated high severity.
  • This means that prioritisation based on CVSS ratings alone leaves enterprises with over 100 critical vulnerabilities per day to remediate.
  • Public exploits are available for just 7 percent of all vulnerabilities, so it is critically important for security teams to find and remediate those flaws first.
  • Exploit kit developers are still actively targeting out-of-date software that remains forgotten on enterprise devices, leaving the devices and networks vulnerable to attack.
    • The top eight web browser CVEs affected as many as 20-30 percent of enterprises on a single day.
  • Microsoft .NET and Office, Adobe Flash and Oracle's Java have the most widespread impact in terms of affected enterprises and assets.
  • Of the 20 application vulnerabilities affecting the most enterprises, half are in Adobe Flash, followed by Microsoft Office at 20%.
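The findings above argue for ranking a day's output by exploit availability before CVSS score. The script below is an added example, not Tenable's code or anything from the report: it takes a constructed day of scan findings (placeholder ids such as `F-01`, not real CVEs; the `exploit_available` flag stands in for the threat-intelligence feed the report refers to) and contrasts the CVSS-only "critical" queue with an exploit-first queue, plus the per-product prevalence count the report uses to rank Flash, Office, Java and .NET.

```python
"""Risk-based triage of one day's findings: exploit availability first, CVSS second.

Added example, not code from Tenable or the Vulnerability Intelligence Report.
All findings below are constructed; ids are placeholders, not real CVEs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    fid: str                # placeholder identifier (not a real CVE)
    asset: str              # host the finding was observed on
    cvss: float             # CVSS base score
    exploit_available: bool # assumed threat-intel flag: public exploit / exploit kit
    software: str           # affected product


def severity(cvss: float) -> str:
    """CVSS v3.x qualitative severity bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0.0:
        return "low"
    return "none"


def cvss_only_queue(findings):
    """Naive triage: every finding rated critical, highest score first."""
    critical = [f for f in findings if severity(f.cvss) == "critical"]
    return sorted(critical, key=lambda f: -f.cvss)


def risk_ranked_queue(findings):
    """Exploitable findings first, then by CVSS; id breaks ties for a stable order."""
    return sorted(findings, key=lambda f: (not f.exploit_available, -f.cvss, f.fid))


def first_wave(findings):
    """What to fix first: anything with a public exploit, regardless of CVSS band."""
    return [f for f in findings if f.exploit_available]


def prevalence_by_software(findings):
    """Distinct affected assets per product (the report's 'affected assets' view)."""
    assets = {}
    for f in findings:
        assets.setdefault(f.software, set()).add(f.asset)
    return {product: len(hosts) for product, hosts in assets.items()}


def triage_summary(findings):
    """Headline numbers: how big is the CVSS-only queue versus the exploit-first one."""
    total = len(findings)
    exploitable = len(first_wave(findings))
    return {
        "total": total,
        "critical_by_cvss": len(cvss_only_queue(findings)),
        "exploitable": exploitable,
        "exploitable_share": round(exploitable / total, 2) if total else 0.0,
    }


# Constructed sample: one day's findings on five hosts (placeholder ids, not CVEs).
SAMPLE_DAY = [
    Finding("F-01", "host-a", 9.8, False, "Office"),
    Finding("F-02", "host-b", 9.8, False, "Office"),
    Finding("F-03", "host-c", 9.1, False, "Java"),
    Finding("F-04", "host-a", 8.8, True,  "Flash"),
    Finding("F-05", "host-b", 8.8, True,  "Flash"),
    Finding("F-06", "host-d", 7.5, True,  "Browser"),
    Finding("F-07", "host-a", 7.5, False, ".NET"),
    Finding("F-08", "host-c", 5.3, False, "Java"),
    Finding("F-09", "host-d", 4.3, False, "Browser"),
    Finding("F-10", "host-e", 9.8, True,  "Flash"),
]

if __name__ == "__main__":
    print("CVSS-only critical queue:", [f.fid for f in cvss_only_queue(SAMPLE_DAY)])
    print("Exploit-first queue:     ", [f.fid for f in risk_ranked_queue(SAMPLE_DAY)])
    print("Summary:", triage_summary(SAMPLE_DAY))
    print("Assets affected per product:", prevalence_by_software(SAMPLE_DAY))
```

Note how the two queues diverge: the CVSS-only queue puts three 9.8-rated, non-exploitable findings ahead of three exploitable ones scored 8.8 and 7.5, while the exploit-first queue surfaces those (and the one exploitable critical) before anything else. In practice the `exploit_available` flag would be populated from a threat-intelligence feed rather than hard-coded.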

A full release is below, and the full report can be downloaded for free here.