The threat landscape never stands still. Almost every day there’s a new vulnerability emerging in some form or another. In fact, according to NIST, there were 18,378 vulnerabilities reported in 2021, and most organizations’ vulnerability management programs aren’t fit for purpose.
Each of these vulnerabilities presents a potential entry point for attackers to exploit and gain access to sensitive information. However, many organizations lack the internal expertise or resources to patch these vulnerabilities at the pace required to keep their environments secure.
New research released by Rezilion and Ponemon Institute today found that 66% of security leaders report a vulnerability backlog of over 100,000 vulnerabilities. It also revealed that 54% say they were able to patch less than 50% of vulnerabilities in the backlog.
Above all, the data indicates that the way most enterprises approach vulnerability management isn’t scalable or fit for purpose, and it’s providing cybercriminals with ample avenues to gain access to mission-critical data.
Why vulnerability management is proving difficult
The struggles of vulnerability management aren’t necessarily new. According to NTT Application Security, the average time to fix a vulnerability in 2021 was 202 days. Rezilion’s research also highlights that remediation is a problem, with 78% saying that high-risk vulnerabilities take longer than 3 weeks to patch.
At the heart of this failure to mitigate vulnerabilities effectively is the lack of the necessary tools.
“What it comes down to is a lack of tools, people and information to properly handle this challenge. Respondents to the survey say there are a number of reasons why this is taking so long, including the long amount of time it takes and the complexity of the task,” said CEO and cofounder of Rezilion, Liran Tancman.
“Some of the factors they mentioned include an inability to prioritize what needs to be fixed, and a lack of effective tools and a lack of resources. The lack of resources is not surprising as the talent crunch in security is well documented,” Tancman said.
Tancman also highlights that few organizations have the visibility or context necessary to determine what needs patching, which makes tackling a backlog overwhelming.
Nowhere is this lack of visibility more clearly demonstrated than in many organizations’ failure to patch Log4j: a report released earlier this year found that 70% of firms that had previously addressed the vulnerability in their attack surface are still struggling to patch Log4j-vulnerable assets and to prevent new instances from resurfacing.
Automation is the answer
Fortunately, automation provides an effective answer to the challenge of vulnerability management by letting security teams automate the vulnerability scanning process and continuously identify exploitable vulnerabilities.
This not only decreases the time taken to remediate vulnerabilities, but frees up the security team to focus on more rewarding tasks. Rezilion’s research suggests that automation can be a significant force multiplier for security teams, with 43% of respondents reporting a significantly shorter time to respond.
It’s worth noting that, for the best results, organizations should look to implement solutions that offer risk-based prioritization if they want to maximize the effectiveness of their vulnerability management program.
“One of the biggest changes you can make is to focus on the vulnerabilities that are being exploited in the wild. That should be the No. 1 goal and will drive down the most risk the fastest,” said Craig Lawson, VP Analyst at Gartner, in a blog post.
Providers like Tenable, Balbix and Seemplicity are all experimenting with risk-based vulnerability management to help security teams focus on patching high-risk vulnerabilities first, based on current exploitation activity and exposure, so they don’t waste time on lower-value vulnerabilities.
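As an added illustration of the risk-based prioritization described above (example code written for this article, not from Rezilion, Gartner or any vendor named here), the following script triages a constructed backlog: findings exploited in the wild rank first, then internet-facing exposure, then severity, and high-risk items older than the article’s 3-week window are flagged as overdue. The vulnerability identifiers, scores and the 7.0 severity cutoff are assumptions for the example.

```python
from dataclasses import dataclass

# The article reports that high-risk vulnerabilities often take longer than
# 3 weeks to patch; use that window as the remediation SLA for this example.
HIGH_RISK_SLA_DAYS = 21


@dataclass
class Finding:
    vuln_id: str            # constructed placeholder, not a real CVE identifier
    cvss: float             # base severity score, 0.0 to 10.0
    exploited_in_wild: bool # known active exploitation (e.g. from a KEV-style feed)
    internet_facing: bool   # asset exposure
    age_days: int           # days since the finding entered the backlog


def risk_key(f: Finding) -> tuple:
    """Sort key: exploited-in-the-wild first, then exposed assets, then higher
    severity, then older findings. Booleans are negated so True sorts first."""
    return (not f.exploited_in_wild, not f.internet_facing, -f.cvss, -f.age_days)


def is_high_risk(f: Finding) -> bool:
    """Assumed high-risk rule: actively exploited, or exposed with CVSS >= 7.0."""
    return f.exploited_in_wild or (f.internet_facing and f.cvss >= 7.0)


def prioritize(backlog: list) -> list:
    """Return the backlog ordered so the riskiest findings are patched first."""
    return sorted(backlog, key=risk_key)


def sla_breaches(backlog: list) -> list:
    """IDs of high-risk findings that have exceeded the remediation window."""
    return [f.vuln_id for f in backlog
            if is_high_risk(f) and f.age_days > HIGH_RISK_SLA_DAYS]


# Constructed sample backlog; every value here is made up for illustration.
SAMPLE_BACKLOG = [
    Finding("VULN-A", 9.8, False, False, 5),   # critical score, but internal and unexploited
    Finding("VULN-B", 7.5, True, True, 30),    # exploited, exposed, overdue
    Finding("VULN-C", 5.3, False, True, 90),   # exposed but medium severity
    Finding("VULN-D", 8.1, True, False, 10),   # exploited, internal, within SLA
    Finding("VULN-E", 7.2, False, True, 25),   # exposed and high severity, overdue
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_BACKLOG):
        print(f.vuln_id, f.cvss, f.exploited_in_wild, f.internet_facing)
    print("SLA breaches:", sla_breaches(SAMPLE_BACKLOG))
```

Note that VULN-A, the highest CVSS score in the set, lands last: a pure severity-sorted backlog would have patched it first, which is exactly the ordering the risk-based approach argues against.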