Annual Report Uncovers Major Gaps with Traditional Vulnerability Management Leading to Long Exposure Times and Increased Risk
Skybox Security Research Lab today released its annual 2024 Vulnerability and Threat Trends Report, revealing that last year alone, over 30,000 new vulnerabilities were published — a rate of a new vulnerability published every 17 minutes. The report highlights a critical gap in remediation efforts, with the average time to patch exceeding 100 days, contrasted against the finding that 75% of new vulnerabilities are exploited in 19 days or less. These findings underscore the urgent need for continuous exposure management and modern vulnerability mitigation strategies to safeguard against the growing risks of cyber attacks.
Focus Gap: Half of all 2023 vulnerabilities are classified as high or critical severity
2023 witnessed a surge in vulnerabilities, with the National Vulnerability Database (NVD) recording a 17% year-over-year increase. Since the inception of the NVD thirty years ago, 234,579 CVEs have been cataloged, yet half of those have been discovered in just the past five years. The pace at which vulnerabilities are being published is accelerating, with a new vulnerability emerging approximately every 17 minutes, an average of 600 new vulnerabilities a week, according to Skybox Research Lab.
Skybox Research Lab found that over half of all newly discovered vulnerabilities were classified as high or critical. This overwhelming influx creates a “focus gap” for security teams. The sheer volume of threats makes it difficult to prioritize effectively, potentially leaving critical risks overlooked and organizations exposed. The rise in vulnerabilities stems from several ongoing industry concerns, including:
- A rapidly expanding attack surface with more interconnected devices.
- Increasingly intricate software with hidden vulnerabilities in third-party components.
- The positive trend of more resources dedicated to uncovering vulnerabilities naturally leads to a higher number being identified.
“The past year marked a watershed moment in cybersecurity, with organizations worldwide confronting an unprecedented surge in both the volume and complexity of cyber threats,” said Mordecai Rosen, CEO at Skybox Security. “Patching remains a crucial defense, but its limitations are clear in today’s fast-paced threat landscape. Effective vulnerability management goes beyond patching. It involves continuous identification, risk-based prioritization, leveraging existing controls for timely mitigation, and ethical cybersecurity practices. This comprehensive approach empowers organizations to navigate the complexities of modern threats.”
Mean time to remediation (MTTR) remains inadequate
This report further exposes a critical cybersecurity challenge: a shrinking window for vulnerability patching. The mean time to exploit (MTTE) plummeted to just 44 days in 2023, with a concerning 25% of vulnerabilities exploited the same day and a staggering 75% within 19 days. This rapid exploitation timeline stands in stark contrast to the lengthy 95-155 days from the CVE publication to remediation. This rapid exploitation timeline and the long delay in identifying malicious activity necessitate swift and effective response mechanisms from organizations. There is a very short window for remediation of new vulnerabilities, which leaves cybercriminals ample time to compromise networks if not acted upon quickly.
The time has come to move beyond just patching
Traditional vulnerability scanning methods struggle to keep pace with today’s surge in vulnerabilities. The sheer volume overwhelms even the most diligent security teams, making spreadsheet-based tracking and patching cycles ineffective. This is why organizations are increasingly turning to modern vulnerability management solutions.
To combat shrinking remediation windows, a modern vulnerability management approach integrated within a continuous exposure management program becomes crucial. Companies can reduce their risk and slim down their mean time to remediation (MTTR) by adopting:
- Continuous Vulnerability Identification: leveraging automated techniques to discover new vulnerabilities across systems and networks constantly.
- Risk-Based Prioritization: Not all vulnerabilities are created equal. Effective vulnerability management prioritizes threats based on factors like exploitability, potential impact on critical systems or data, and the existence of patches. This ensures the security teams focus on the most critical issues first.
- Leveraging Existing Controls: Vulnerability management solutions can help identify how these controls can be used to mitigate the risks posed by specific vulnerabilities, even before a patch is available.
- Ethical and Legal Compliance: Cybersecurity goes beyond technical measures. Effective vulnerability management ensures adherence to relevant data privacy regulations and responsible testing.
Read the full 2024 Vulnerability and Threat Trends Report.
About Skybox
Over 500 of the largest and most security-conscious enterprises in the world rely on Skybox for the insights and assurance required to stay ahead of dynamically changing attack surfaces. Our Exposure Management Platform delivers complete visibility, analytics, and automation to quickly map, prioritize, and remediate vulnerabilities across your organization. The vendor-agnostic solution intelligently optimizes security policies, actions, and change processes across all corporate networks and cloud environments. With Skybox, security teams can now focus on the most strategic business initiatives while ensuring enterprises remain protected. Learn more at skyboxsecurity.com.
View source version on businesswire.com: https://www.businesswire.com/news/home/20240626146201/en/