
Vulnerability Intelligence Report | Tenable

  • binarityth
  • 26 Sep 2021
  • 2 min read

Updated 5 Oct 2021




Vulnerability management is a challenge of scale and complexity. Predicting which of the ever-increasing number of vulnerabilities published daily are most likely to be exploited is becoming a necessity, and doing so requires a data- and risk-centric approach to prioritization and remediation. In this report, we provide an overview of trends in vulnerability disclosure and offer insights into the demographics and characteristics of vulnerabilities seen in enterprise environments in 2020. We present vulnerability prevalence in the wild, based on the number of affected enterprises, and highlight the vulnerability and remediation challenges facing security practitioners. We also compare the results of common vulnerability ratings with Tenable’s own Vulnerability Priority Rating to demonstrate the need for prioritizing those vulnerabilities that pose the greatest risk to the organization in light of threat intelligence and the characteristics of a given vulnerability.


METHODOLOGY


Tenable has one of the most extensive vulnerability and intelligence data sets in the industry. The data in this report is derived from Tenable’s Exposure.ai data lake, one of the largest in the industry. It contains over 20 trillion aspects of threat, vulnerability and asset information. The data lake holds 250 billion instances of vulnerabilities, more than 50 billion different security configurations, and 20 million threat artifacts all drawn from the continuous assessment of billions of assets. The size and scope of the Exposure.ai data lake allows us to provide insight and analysis into a wide cross section of organizations worldwide on a completely anonymized basis. For this study, we analyzed the live population of vulnerabilities in enterprise environments in 2020 and provided trends and lists of top vulnerabilities.


Vulnerability Disclosure Trends



Figure 1 shows CVEs published during a given year. The figure also highlights the inherent delay between a vulnerability’s disclosure and its publication in NVD. In our view, the set CVE-<year> would reflect more accurately the number of vulnerabilities organizations have to manage during a given year. It’s important to note that while most vulnerabilities are publicly disclosed in the year corresponding to their CVE ID, there might be a delay to the NVD publication date. For example, the advisory for CVE-2020-10655 was first published in May 2020, but the NVD publication date is in January 2021. We expect several other CVE-2020 vulnerabilities will be published during 2021.

