Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

What Is the Lifespan of a Vulnerability?

In the second of our three-part series on persistent vulnerabilities, Tenable Research examines survival data to assess how effectively traditional remediation tactics are combating the attacker's advantage. 

Last week, we unveiled a new report from Tenable Research which explores the issue of common persistent vulnerabilities. As security teams wrestle with the vulnerability overload problem, this research seeks answers to the following questions:

  1. Do the characteristics of vulnerabilities affect their persistence? Or, is persistence merely related to the remediation process and its pace? 
  2. Are there vulnerability remediation differences between organizations? And, are there differences within each organization?

Part 1 of our blog series detailed the motivation and methodology behind this research, as well as key findings around prioritization. In part 2, we analyze the data trends underlying vulnerability lifespans and the factors that determine the rates and effectiveness of traditional remediation efforts.

Most vulnerabilities are remediated within a year – the rest live on

We can examine persistence through multiple lenses. Let’s start by considering the overall lifespan of a vulnerability in an environment, from the first assessment to the last remediation. 

Figure 1 tracks change over time for all vulnerabilities that have been remediated at least once within an environment. We did not include instances of vulnerabilities that were never remediated, as these open vulnerabilities can skew the overall results. This survival data is based on the lifespan of a vulnerability within a given organization, not across the global population.

Figure 1. Vulnerability lifespan analysis – a per-organization view

Figure 1. Vulnerability lifespan analysis – a per-organization view

We see that 73 percent of vulnerabilities are still extant within 30 days of the first assessment. After 120 days, close to 54 percent remain unremediated. Beyond that, 32 percent of those vulnerabilities still lurk after a year, and about 26 percent are never driven to zero. The vast majority of vulnerabilities over a year old are never dealt with. In fact, if a vulnerability gets past a year of its first assessment, it has less than a 20 percent chance of being remediated. The median lifespan of a vulnerability is 110 days.

As vulnerabilities age, the remediation pace slows. This may indicate a tradeoff with coverage (in favor of additional, newer vulnerabilities) or the presence of persistent vulnerabilities. The 32 percent of vulnerabilities that were not remediated after a year are still present in 90 percent of environments. This means only 10 percent of organizations have managed to address all their open vulnerabilities within a year of first assessment.

The above trend is not only related to remediation, but also a consequence of the time to assess. The median time to assess all instances of a given vulnerability across a single organization is 29 days, while the median time to remediate all those instances (in cases driven to zero) is 40 days. 

Exploitable vulnerabilities are widespread in early months, despite higher risk

These timelines show there are differences within each organization that contribute to the overall remediation challenge and the large percentage of unremediated vulnerabilities over time. In a previous study, we measured the difference in days between when an exploit for a vulnerability becomes publicly available (i.e. “Time to Exploit Availability”) and when that vulnerability is first assessed within an environment. The results showed a negative median of 7.3 days, indicating the attacker’s advantage. The additional intra-organization timelines presented here further increase that advantage.

As shown in Figure 2, the lifespan trend for exploitable vulnerabilities is almost the same as the trend for all vulnerabilities. In the first few months, exploitable vulnerabilities are even slightly more persistent than the overall population:

  • After 30 days, 76 percent are still unpatched (vs 73 percent of non-exploitable vulnerabilities) 
  • After 90 days, the delta narrows to 55 percent (vs 54 percent)

However, beyond this point, the rate drops more quickly and reaches 27 percent after a year. Roughly 18 percent of exploitable vulnerabilities are never driven to zero. 

Figure 2. Exploitable vulnerability lifespan analysis – a per-organization view

Figure 2. Exploitable vulnerability lifespan analysis – a per-organization view

This data suggests that defenders are still operating under the classic assumption that attackers can exploit any vulnerability. Under traditional remediation tactics, higher-risk threats are not resolved any faster than other vulnerabilities. Because exploit code for most exploitable vulnerabilities is used within a few months of publication, additional threat intelligence and risk-based prioritization is necessary to correct this trend.

On the other hand, we’ve also looked at the difference between vulnerabilities unremediated for over a year and those remediated within the year. Among the roughly 400 vulnerabilities that haven’t been remediated at least once within the year, only a dozen are exploitable (see Figure 3). These persistent, high-risk vulnerabilities have a very low prevalence, found in at most four organizations (out of more than 2,600). These are extreme cases of localized persistence. 

Figure 3 includes three classes of exploit maturity:

  • Proof-of-concept (PoC): Code is available on public websites and repositories (e.g., GitHub, Exploit-DB, Packet Storm)
  • Functional: Exploit is ready to use within penetration testing and red-teaming frameworks (e.g., Canvas, Metasploit, Cobalt Strike)
  • High: In-the-wild exploitation has been confirmed and attributed by antivirus vendors or other leading threat detection and intelligence solutions (e.g., ReversingLabs)

Figure 3. Exploitable vulnerabilities left unpatched for more than a year

Figure 3. Exploitable vulnerabilities left unpatched for more than a year

After the one-year mark, the number of high-risk threats shrinks even further. A reverse lookup, across the entire population of organizations, into the exploitable vulnerabilities unpatched for over a year, reduces the set to only one vulnerability (CVE-2018-0492) in one organization. This confirms the localized aspect of these cases of persistence. It also shows that almost no exploitable vulnerabilities go unremediated for an extended period of time across the global population. We get a hint of an answer here to question one, suggesting that vulnerability characteristics would not play a role for these cases of localized persistence.

In the third and final part of this series, we’ll explore the persistence of exploitable vulnerabilities from a global, rather than a localized, perspective. We’ll analyze how vulnerabilities persist across all global assets, not just within a given organization. We’ll also look at the economic aspect of persistence and prevalence and ask, “To what degree must a vulnerability exist across the global user and asset population to make it a viable and attractive target for attackers?”

To learn more about our original research into common persistent vulnerabilities, you can download the full report today.

Related Posts

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,275

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a demo of Tenable.ot

Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.