Key Risk-Based VM Takeaways from the 2024 Verizon Data Breach Investigations Report

Security practitioners, leaders, reporters, and marketers rejoice — this year’s Verizon DBIR is finally here! Every year security leaders pour through this industry-standard report with bated breath, waiting to see how their security pains compare to others in the industry and to experience some temporary heart failure as they read the horrors of what others have experienced but they were lucky (or good) enough not to themselves.

While the report covers a myriad of different aspects of security, we at Avalor are particularly interested to see the findings that specifically relate to risk-based vulnerability management – and these observations were fascinating indeed.

Vulnerability exploitation in breaches is up 180%

We hear this pain point during our conversations with enterprises nearly every day (which is why we're talking in the first place — they need a new approach), so we weren’t surprised to read that vulnerability-related exploits are at an all-time high. The report characterizes “… the biggest pain point for everyone this year [is the] 180% increase in the exploitation of vulnerabilities as the critical path action to initiate a breach...”

The sad truth is that traditional vulnerability management tools and programs just aren’t keeping organizations protected today. Too many companies suffer from ineffective VM practices that create significant security gaps and result in far too many exploits.

Patching critical vulnerabilities still takes far too long

Nearly every company we talk to is struggling with a huge backlog of vulnerabilities to patch and is playing a game of “whac-a-mole” trying to catch the ones that matter before they can be exploited. The DBIR looked at CISA KEV vulnerabilities — the ones that are being actively exploited in the wild — and found that “it takes around 55 days to remediate 50% of those critical vulnerabilities once their patches are available." Nearly a quarter (20%) of them have remained unpatched or otherwise remediated after 6 months, and 8% after a full year.

The reality is that the to-do list of remediations to address is longer than most dev teams could ever hope to patch. That’s why it’s so important to build a smarter to-do list that considers compensating controls, focuses on actions that provide the biggest “bang for the buck,” and provides the remediation details dev or IT teams need to take action.

Critical vulns are addressed quicker than mediums or lows

The CISA KEV catalog does a great job at identifying vulns that have been exploited in the wild, and the industry has paid attention. The report finds that CISA KEV vulns are patched far quicker on average (5 days) than non-CISA KEV vulns (68 days). A similar study by Bitsight found that the median time to patch vulnerabilities listed in the KEV catalog was 3.5 times faster than non-KEV bugs.

While doing a better job of patching critical vulns seems like great news, it’s solving only part of the problem. According to Gartner® research, “Threat actors are generally aware of the deficiencies in patch management and lack of prioritization. In other words, if they know medium-severity vulnerabilities rarely get addressed, it presents a path of potentially least resistance. At its core, effective prioritization considers business context and the exploitability of your technology estate.”*

Furthermore, one organization’s medium vulnerability may in fact be critical to them, based on risk factors aside from the CVSS score. And the reverse can be true as well, where a CVE with a score that lands in the critical or high category may actually be reduced to medium risk based on mitigating controls Imagine if a CISA KEV critical vuln is on an asset that has endpoint detection enabled and in a dev environment; it doesn’t seem so “critical” anymore. On the other hand, a non-KEV vuln with a medium risk score that sits on an asset exposed to the internet, with no EDR protection, that includes PII data, and has a privileged user that regularly clicks on phishing links; now that medium seems a lot more worrisome.

User behavior still leads to the majority of breaches

Sadly, humans are still the weakest link. The DBIR found that “68% of breaches involved a human element, such as human error, having credentials stolen or an individual falling for a social engineering attack.”

While this is not shocking news — most of us have mistakenly clicked on something we quickly realized was a mistake — it is telling. Security teams spend millions of dollars on security training, phishing simulations, and identity and access management tools. However, very few of them factor the results of these tools into their vulnerability management program. It seems logical to increase the risk associated with a vulnerability if it's on an asset owned by someone with a history of clicking on phishing links, but historically, correlating such information with prioritizing vulnerabilities has been incredibly difficult to do. Stitching together the data from disparate security tools is difficult on its own, requiring wizard-level Excel tools. But even the most sophisticated of such pivot tables have always been limited in scope, thereby limiting the risk context and keeping reporting manual and out of date.

Unlock your organization's security potential with Avalor

If you’re ready to address some of the most eye-opening findings from the 2024 Verizon Data Breach Investigations Report, Avalor has you covered. Avalor empowers security leaders to transcend the limitations of traditional VM solutions and contextual risk leveraging any and all security findings, mitigating controls, and business insights you have.  By applying the power of our Data Fabric for Security™,  Avalor makes it easy to contextualize risk, share dynamic reports and dashboards, and automate remediation workflows. Contact us to schedule a demo of our Unified Vulnerability Management capabilities and discover how we can help you effectively improve your security risk posture.

---

*Gartner, The Top 5 Elements of Effective Vulnerability Management, By Jonathan Nunez, 9 January 2024

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

‍