Over the years there has been lots of discussion and points of view surrounding security metrics and how to measure the effectiveness of a vulnerability management program. In fact, the Center for Security has even laid out a framework for security metrics developed by an expert panel in an effort to help organizations determine and validate security strategies.
In 2004 Qualys first began anonymously using the accumulated vulnerability scan data received from its customers to identify key, quantifiable attributes or metrics to help companies drive strategies for protecting networks, systems and data. These metrics have become known as the “Laws of Vulnerabilities” and are comprised of the following four key measures:
- Half-life: The time interval for reducing the occurrence of a vulnerability by half.
- Prevalence: Measure in the turnover rate of vulnerabilities in the Qualys “Top 10 Vulnerabilities” list during a year. The Qualys Top 10 list includes the top 10 external (Internet-facing) and top 10 internal vulnerabilities.
- Persistence: Total lifespan of vulnerabilities – basically how long until a vulnerability is entirely removed from a company’s systems or 100 percent remediated.
- Exploitation: Time interval between an exploit announcement and the first attack.
Over a decade later, these four key metrics continue to provide businesses and security executives with insights into how well they are managing enterprise risk and compare relative to their peers. I thought it would be interesting to see how companies stack up against the “Laws of Vulnerabilities.”
On average across all industries, it takes companies almost 30 days to remediate half of their systems for a given vulnerability. This means that even after 30 days, 50 percent of a company’s systems remain vulnerable to attack. This number is even more startling when compared with the significant decreases seen in the time it takes cyber criminals to launch their first attacks.
Prevalence is calculated as the percentage change in the number of vulnerabilities included in the Qualys Top 10 critical vulnerabilities list from month to month. As an example, a prevalence rate of 20 percent would mean that four vulnerabilities were substituted in the Top 10 vulnerabilities list and 100 percent would indicate that all of the Top 10 vulnerabilities were substituted. Historically, the prevalence rate averages 60 percent, meaning that 12 vulnerabilities are substituted from the Top 10 list in a given year.
While it is interesting to look at the new vulnerabilities and impacted applications added to the Top 10 list, I would argue that it is equally valuable to look at those applications that retain a constant presence on the list. The most commonly found applications on the Qualys Top 10 list include: Microsoft Office, Microsoft Internet Explorer, Java, Adobe Reader, and Adobe Flash.
Vulnerability scans and threat research show that these applications, on average, continue to contain critical vulnerabilities and are frequently targeted by attackers. Vulnerabilities for these applications are also commonly included in crime ware and exploit kits sold and traded in the cyber criminal underground.
Persistence is the measure of the longevity for a given vulnerability. This measure is a good indicator for determining how long a company is typically at risk for a given vulnerability. The unfortunate and sobering news for companies is that even critical vulnerabilities have an indefinite lifespan. On average, remediation efforts stabilize at 90-95% after one year, leaving 5-10% of impacted systems never patched and exposed to attack.
In contrast to the other laws, exploitation is a measure of how quickly attackers target and begin exploiting known vulnerabilities. And although the numbers for half-life, prevalence, and persistence have not noticeably changed since the “Laws of Vulnerabilities” were first published in 2004, the speed at which attackers can research a vulnerability, craft and publish an exploit, and begin targeting vulnerabilities has increased dramatically. Research data in 2004 showed 80 percent of critical vulnerabilities had an exploit available within 60 days following their release. In 2008 and 2009, this time decreased dramatically to just 10 days. As of today, attackers are commonly able to target a newly released vulnerability within 48 hours.
- Know how you and your company compare to the averages discussed above.
- For commonly targeted vulnerabilities, push to increase the speed at which your operations team remediates impacted systems (if you missed it, I suggest you read Bridging the Gap Between Security and Operations Teams).
- Hold teams accountable by measuring their performance against the half-life and persistence metrics and including these metrics within the HR performance review process.
- Automate your configuration and patch management processes.
- For systems that either can’t be patched or are difficult to patch (think mobile staff), implement secure configurations, consider sandboxing technology, or best yet, remove the impacted software if it’s not needed by the business.