Entering the Age of Enlightenment in Vulnerability Management
Vulnerability management is one of the oldest domains in the cybersecurity field. But anyone who’s worked in it knows that this old dog would benefit from learning some new tricks. And it could be argued there’s no area where that’s more true than prioritizing vulnerability remediation efforts to minimize risk to the organization. For some, that process boils down to little more than gut instinct. Others follow the prevailing wisdom, which is usually instantiated in scoring systems like CVSS. Approaches like the latter sound more scientific, but empirical data shows few perform any better than random chance. Clearly, we need a better way forward for making more rational remediation decisions.
For the last year and a half, we’ve analyzed a huge amount of data with the goal of finding that better way. We’ve examined over 100,000 published vulnerabilities, the exploits developed against those vulnerabilities, and the remediation practices of hundreds of real organizations to understand the principles at work. We learned a ton of important, practical lessons from that research, including insights into why only 1 in 3 firms manage to gain positive ground on remediating security vulnerabilities in their environment. We will share those key lessons in this presentation to support security leaders in guiding their vulnerability management programs into a new age of enlightenment and effectiveness.