Prioritization to Prediction, Vol. 8

Partner: Kenna Security

How can an organization most efficiently reduce its attack surface? This eighth volume takes a predictive turn, creating a simulation model to minimize exploitability subject to real-world remediation capacity constraints. We explore whether it is more effective to increase the number of patches deployed or to radically change the way vulnerabilities are prioritized in the first place.

The findings confirm that prioritization matters more than capacity: a well-chosen strategy outperforms a brute-force approach at every level of remediation capacity modeled. Surprisingly, prioritizing vulnerabilities by the number of Twitter mentions offers a better signal-to-noise ratio for risk reduction than the Common Vulnerability Scoring System (CVSS). Combining a high-fidelity strategy with high remediation capacity achieves a 29-fold reduction in an organization's exploitability relative to random patching.

The research also provides a sobering view of asset-level risk. Nearly 95% of active assets harbor at least one highly exploitable vulnerability, and more than half carry a vulnerability with a near-certain probability of being exploited in the wild. By moving from random "whack-a-mole" remediation to an exploit-informed strategy, organizations can gain control over an attack surface that otherwise looks mathematically insurmountable.

Key Findings

  • Ubiquitous Asset Exposure: Nearly all (95%) active enterprise assets contain at least one vulnerability with a 10% or higher chance of being exploited in the wild.
  • The Twitter Signal: Prioritizing vulnerabilities based on the count of Twitter mentions is more effective at reducing overall exploitability than a strategy based on CVSS scores.
  • The 11-to-1 Strategy Advantage: Prioritizing vulnerabilities with public exploit code available is 11 times more effective than using CVSS for minimizing an organization’s attack surface.
  • The 15% Capacity Benchmark: The median organization remediates about 15% of its open vulnerabilities each month, up from about 10% in prior volumes.
  • The Power of “Both”: Combining a strategy of prioritizing exploited vulnerabilities with high remediation capacity achieves a 29X improvement over random patching.
  • Exploitability vs. Asset Count: An organization's exploitability score does not correlate with its number of assets, indicating that firms of all sizes can manage their attack surface effectively.

The analysis uses simulation modeling based on real-world remediation data from 500 firms, with per-vulnerability exploit probabilities taken from the Exploit Prediction Scoring System (EPSS).
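To make the modeling approach concrete, the following is an added toy simulation written for this summary; it is not the report's model, Kenna's code, or the report's data, and its numbers must not be read as the report's findings. It assumes (a) an organization's exploitability is the probability that at least one open vulnerability is exploited, computed as 1 - prod(1 - p_i) from independent per-vulnerability probabilities, (b) a fixed monthly capacity expressed as a fraction of the open backlog, (c) no new vulnerabilities arriving and no score changes during the run, and (d) a constructed synthetic backlog in which EPSS-like scores are skewed toward zero, CVSS is drawn independently, and an "exploit code available" flag is correlated with the EPSS-like score. Under those assumptions it compares random, CVSS-ordered, exploit-code-first, and EPSS-ordered remediation at several capacity levels.

```python
"""Toy remediation simulation: residual exploitability under a monthly
capacity constraint, compared across prioritization strategies.
Added illustration; not the report's model or data."""
import math
import random


def org_exploitability(probs):
    """P(at least one open vuln is exploited) = 1 - prod(1 - p_i),
    treating exploitation events as independent (modeling assumption)."""
    survive = 1.0
    for p in probs:
        survive *= 1.0 - p
    return 1.0 - survive


def make_vulns(n, seed=7):
    """Constructed synthetic backlog (not report data).
    - epss: beta(0.2, 5) draw, heavily skewed toward 0 like real EPSS.
    - cvss: drawn independently of epss (assumption mimicking CVSS's weak
      relation to observed exploitation).
    - exploit_code: boolean whose chance rises with epss (assumption)."""
    rng = random.Random(seed)
    vulns = []
    for i in range(n):
        epss = rng.betavariate(0.2, 5.0)
        cvss = round(rng.uniform(2.0, 10.0), 1)
        exploit_code = rng.random() < min(0.95, 0.05 + 3.0 * epss)
        vulns.append({"id": f"SYN-{i:04d}", "epss": epss, "cvss": cvss,
                      "exploit_code": exploit_code})
    return vulns


# Each strategy returns the open backlog in the order it would be fixed.
STRATEGIES = {
    "random": lambda vs, rng: rng.sample(vs, len(vs)),
    "cvss": lambda vs, rng: sorted(vs, key=lambda v: v["cvss"], reverse=True),
    "exploit_code": lambda vs, rng: sorted(vs, key=lambda v: v["exploit_code"], reverse=True),
    "epss": lambda vs, rng: sorted(vs, key=lambda v: v["epss"], reverse=True),
}


def simulate(vulns, strategy, capacity, months, seed=11):
    """Each month fix ceil(capacity * open) vulns in the strategy's order;
    return residual organizational exploitability after `months`.
    The number fixed per month is the same for every strategy, so the
    comparison isolates the effect of prioritization."""
    rng = random.Random(seed)
    open_vulns = list(vulns)
    for _ in range(months):
        if not open_vulns:
            break
        budget = math.ceil(capacity * len(open_vulns))
        ranked = STRATEGIES[strategy](open_vulns, rng)
        fixed = {v["id"] for v in ranked[:budget]}
        open_vulns = [v for v in open_vulns if v["id"] not in fixed]
    return org_exploitability(v["epss"] for v in open_vulns)


def compare(vulns, capacity, months):
    """Residual exploitability per strategy at one capacity level."""
    return {name: simulate(vulns, name, capacity, months) for name in STRATEGIES}


if __name__ == "__main__":
    backlog = make_vulns(300)
    base = org_exploitability(v["epss"] for v in backlog)
    print(f"open vulns: {len(backlog)}  baseline exploitability: {base:.4f}")
    for cap in (0.10, 0.15, 0.30):
        res = compare(backlog, cap, months=6)
        print(f"capacity {cap:.0%}/month:",
              {k: round(v, 4) for k, v in res.items()})
```

Because every strategy removes the same number of vulnerabilities per month, the EPSS-ordered strategy is optimal for this metric: removing the largest p_i leaves the largest product of (1 - p_i), so its residual exploitability is never higher than any other ordering's. The gap between it and random or CVSS ordering at a fixed capacity is the effect the report attributes to prioritization; raising the capacity fraction shows the separate effect of remediating more.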