Vulnerability Intelligence Report
Vulnerability management is a challenge of scale and complexity. Predicting which of the ever-increasing number of vulnerabilities published daily are most likely to be exploited is becoming a necessity and doing so requires a data- and risk-centric approach to prioritization and remediation.
In this report, we provide an overview of trends in vulnerability disclosure and offer insights into the demographics and characteristics of vulnerabilities seen in enterprise environments in 2020. We present vulnerability prevalence in the wild, based on the number of affected enterprises, and highlight the vulnerability and remediation challenges facing security practitioners. We also compare common vulnerability ratings results with Tenable’s own Vulnerability Priority Rating to demonstrate the need for prioritizing those vulnerabilities that pose the greatest risk to the organization in light of threat intelligence and the characteristics of a given vulnerability.
Tenable has one of the most extensive vulnerability and threat intelligence data sets in the industry. The data in this report is derived from Tenable’s Exposure.ai data lake, which contains over 20 trillion aspects of threat, vulnerability and asset information: 250 billion instances of vulnerabilities, more than 50 billion distinct security configurations and 20 million threat artifacts, all drawn from the continuous assessment of billions of assets. The size and scope of the data lake allow us to provide insight and analysis into a wide cross section of organizations worldwide on a completely anonymized basis.
For this study, we analyzed the live population of vulnerabilities in enterprise environments in 2020 and present trends and lists of the top vulnerabilities.
METHODOLOGY
Summary
Continuous growth in new vulnerability disclosure:
18,358 new vulnerabilities were published in the National Vulnerability Database (NVD) in 2020, an increase of more than six percent over 2019 and almost a threefold increase over 2016.

The prioritization issue:
Over 56 percent of the new Common Vulnerabilities and Exposures (CVEs) published in 2020 have a Common Vulnerability Scoring System (CVSS) v3 base score of 7.0 or higher (High or Critical severity), yet only 5.2 percent have a public exploit available.
High and Critical severity CVEs represented 56 percent of the new vulnerabilities published in 2020. Under Tenable’s Vulnerability Priority Rating (VPR), which takes into account the threat landscape and exploitability status of vulnerabilities, this share drops to 6.2 percent.

A challenge of scale and complexity:
On average, an enterprise finds 1,457 CVEs per day across 1,900 assets.

Vulnerabilities in the wild:
48,107 distinct vulnerabilities affecting 2,730 vendors were discovered in enterprise environments in 2020, close to 33 percent of all CVEs published on NVD since its inception (146,836 as of January 2021).
Tenable’s Security Response Team (SRT) issued advisories and rapid responses about X vulnerabilities in 2020.
730 public breach events were identified in 2020.

Key Takeaways
In the past three years, the National Vulnerability Database (NVD) has recorded, on average, more than 1,450 new vulnerabilities a month. As a result, security teams are stretched thin and cyber hygiene is undermined by the long list of vulnerabilities and systems requiring resources and attention.
The disclosure of vulnerabilities has continued to grow in volume and pace to reach 18,358 published vulnerabilities in 2020, showing more than a six percent increase over 2019, and an 11 percent increase over 2018.
Given the vulnerability overload, security teams will never realistically be able to mitigate every vulnerability that exists in an environment. In addition, our own research about persistent vulnerabilities, and assessment and remediation velocity [1], reveals that defenders still operate as though all vulnerabilities have the same likelihood of exploitation. Effective vulnerability management requires actionable intelligence and enhanced prioritization as current methods have largely shown themselves to be insufficient to reduce risk.
The intelligence deficit in vulnerability management has significant implications. Unpatched vulnerabilities remain a leading cause of security breaches. For example, of the 560 organizations surveyed by Automox that said they suffered a breach in the past two years, nearly 60 percent cited a missing patch for an operating system (OS) or an application as the culprit [2].
As alarming as that statistic sounds, a working exploit is never developed for most vulnerabilities; only a small number are actively weaponized and employed by threat actors. Any prioritization strategy should take this into account. Overall, the solution to the current prioritization crisis lies in data-driven mechanisms that operationalize intelligence from multiple sources: the threat landscape, the unique characteristics of vulnerabilities and the criticality of assets within different environments.
In this analysis, we present recent trends in vulnerability disclosure, provide an overview of the most prevalent vulnerabilities and offer insights into the vulnerability population in the wild. We discuss the challenges organizations face in prioritizing their vulnerability responses. We also cover some of the tools and resources that help defenders improve their cyber hygiene and drive effective remediation [3][4].
Introduction
Vulnerability Disclosure Trends
Figure 1 shows CVEs published on NVD during a given year. The figure also highlights the inherent delay between a vulnerability’s disclosure and its publication in NVD. In our view, the set CVE- would reflect more accurately the number of vulnerabilities organizations have to manage during a given year. While most vulnerabilities are publicly disclosed in the year corresponding to their CVE ID, there can be a delay before the NVD publication date. For example, the advisory for CVE-2020-10655 was first published in May 2020, but its NVD publication date is in January 2021. We expect several other CVE-2020 vulnerabilities will be published during 2021.
Figure 1: CVEs published on NVD per year, by exploit availability (#published_on_nvd)

year   public exploit   unproven
2010   1520             3122
2011    888             3263
2012   1032             4257
2013    714             4476
2014   1215             6715
2015    980             5524
2016    643             5809
2017   1685            12966
2018   1620            14894
2019   1297            16021
2020    951            17410
Approximately 5.2 percent of the CVEs published in 2020 had a publicly available exploit, compared with 7.5 percent in 2019 (see Figure 2). Over the past 10 years, on average, about 14.7 percent of yearly vulnerabilities had publicly available exploits, corresponding to more than 95 exploitable vulnerabilities disclosed every month.
Figure 3: CVSS severity of CVEs published on NVD per year

year   total   critical   high   medium   low
2010    4639       1042   1055     2264   278
2011    4150        877    899     2103   261
2012    5288        961    769     3047   511
2013    5187        915    829     2923   520
2014    7928        808   1129     5329   662
2015    6494       1146   1240     3518   590
2016    6449       1050   2735     2441   223
2017   14645       2150   6570     5698   227
2018   16512       2605   7540     6200   167
2019   17306       2644   7239     7110   312
2020   18352       2721   7698     7484   421
The current version of CVSS, CVSSv3, was released in mid-2015; the most recent revision, CVSSv3.1, followed in mid-2019. CVSSv3 changed several metrics relative to CVSSv2, most notably adding the Scope metric, which captures whether a vulnerability’s impact reaches beyond the vulnerable component. When no CVSSv3 score is available, the severity is based on the CVSSv2 base score. Figure 3 shows Critical entries for years before CVSSv3 existed, so the same score thresholds are evidently applied to v2 scores, even though NVD’s own CVSSv2 qualitative scale stops at High (7.0 to 10.0).
As Figure 3 shows, CVSS scores can be an important part of a vulnerability management program, but the common practice of using CVSS scores as the prioritization mechanism can be misleading: a base score describes the intrinsic technical characteristics of a vulnerability, not the likelihood that it will be exploited. We consider CVSS scores to be only one of several components in a risk-based vulnerability management program, alongside threat intelligence and modeling.
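As an added example (not code from the report), the following Python reads records in the shape of NVD’s JSON 1.1 data feed (the field names CVE_Items, cve.CVE_data_meta.ID, impact.baseMetricV3.cvssV3.baseScore, impact.baseMetricV2.cvssV2.baseScore and publishedDate are NVD’s own; that feed format has since been superseded by the NVD 2.0 API), bands each record by CVSSv3 score with CVSSv2 as the fallback as described above, tabulates severity by publication year as in Figure 3, and lists CVEs whose NVD publication year is later than the year in their ID, the lag discussed under Vulnerability Disclosure Trends. The six records are constructed placeholders, not real NVD entries.

```python
"""Band NVD-style records by CVSS severity (v3, falling back to v2) and
measure the lag between a CVE ID's year and its NVD publication year.

Added example, not code from the report. The feed below is constructed to
match the field layout of NVD's JSON 1.1 data feed; the CVE IDs and scores
are placeholders, not real entries.
"""
import json
from collections import Counter, defaultdict


def _item(cve_id, published, v3=None, v2=None):
    """Build one constructed feed entry with only the fields this example reads."""
    impact = {}
    if v3 is not None:
        impact["baseMetricV3"] = {"cvssV3": {"baseScore": v3}}
    if v2 is not None:
        impact["baseMetricV2"] = {"cvssV2": {"baseScore": v2}}
    return {"cve": {"CVE_data_meta": {"ID": cve_id}},
            "impact": impact, "publishedDate": published}


# Constructed sample feed (placeholder IDs, not real NVD entries).
SAMPLE_FEED = json.dumps({"CVE_Items": [
    _item("CVE-2020-0001", "2020-03-12T15:15Z", v3=9.8, v2=7.5),
    _item("CVE-2020-0002", "2020-06-02T18:15Z", v3=7.2, v2=6.5),
    _item("CVE-2020-0003", "2020-09-21T12:15Z", v3=5.3, v2=5.0),
    _item("CVE-2020-0004", "2020-11-05T09:15Z", v2=10.0),          # v2 score only
    _item("CVE-2020-0005", "2021-01-20T16:15Z", v3=8.8, v2=6.8),   # 2020 ID, published in 2021
    _item("CVE-2019-0006", "2020-02-11T10:15Z", v2=2.1),           # 2019 ID, published in 2020
]})


def cvss_severity(v3_score, v2_score):
    """Qualitative rating from CVSSv3 when present, otherwise CVSSv2, using the
    CVSSv3 thresholds for both (Figure 3 reports Critical entries for years before
    CVSSv3 existed; NVD's own v2 scale would stop at High)."""
    score = v3_score if v3_score is not None else v2_score
    if score is None:
        return "Unscored"
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def parse_feed(feed_json):
    """Flatten feed items into records with ID year, publication year and severity."""
    records = []
    for item in json.loads(feed_json)["CVE_Items"]:
        cve_id = item["cve"]["CVE_data_meta"]["ID"]
        impact = item.get("impact", {})
        v3 = impact.get("baseMetricV3", {}).get("cvssV3", {}).get("baseScore")
        v2 = impact.get("baseMetricV2", {}).get("cvssV2", {}).get("baseScore")
        records.append({
            "id": cve_id,
            "id_year": int(cve_id.split("-")[1]),
            "published_year": int(item["publishedDate"][:4]),
            "severity": cvss_severity(v3, v2),
            "scored_with": "v3" if v3 is not None else "v2" if v2 is not None else None,
        })
    return records


def severity_by_publication_year(records):
    """{publication year: {severity: count}}, the view used in Figure 3."""
    by_year = defaultdict(Counter)
    for r in records:
        by_year[r["published_year"]][r["severity"]] += 1
    return {year: dict(counts) for year, counts in by_year.items()}


def late_publications(records):
    """CVEs whose NVD publication year is later than the year in their ID."""
    return [(r["id"], r["id_year"], r["published_year"])
            for r in records if r["published_year"] > r["id_year"]]


def high_or_critical_share(records, year):
    """Fraction of CVEs published in `year` rated High or Critical."""
    published = [r for r in records if r["published_year"] == year]
    hits = sum(r["severity"] in ("High", "Critical") for r in published)
    return hits / len(published) if published else 0.0


if __name__ == "__main__":
    recs = parse_feed(SAMPLE_FEED)
    print(severity_by_publication_year(recs))
    print("published after ID year:", late_publications(recs))
    print("2020 High+Critical share:", high_or_critical_share(recs, 2020))
```

Counting by publication year, as NVD statistics and Figure 3 do, assigns the two late records to the year they surfaced in NVD rather than the year in their ID; counting by ID year instead would move them back and is the view the text argues better reflects what organizations had to manage.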
Vulnerability Priority Rating (VPR) is the output of Tenable's Predictive Prioritization solution, which aims to help organizations improve their remediation processes by introducing the threat component into the vulnerability rating.
As Figure 4 shows, the threat component reflects both recent and potential future threat activity targeting a vulnerability. VPR is designed to facilitate the prioritization of vulnerabilities with a higher likelihood of being targeted by threat actors while reducing the severity of those deemed to be less prone to exploitation.
An effective vulnerability management program reduces the risk of attack not only by identifying vulnerabilities in the organization, but also by prioritizing response and remediation according to the risk each vulnerability represents.
The sheer volume of vulnerabilities disclosed each year has made prioritizing on CVSS severity alone increasingly ineffective and unrealistic. Over 56 percent of the new CVEs published in 2020 received a High or Critical severity. Tenable's VPR reflects exploitability and actual exploitation in the wild better than CVSS does: when VPR is applied to the 2020 data, the share of High and Critical severity CVEs drops to 6.2 percent.
As shown in Figure 5, VPR's threat component draws on observed attacker activity and threat intelligence to give defenders a risk-based basis for prioritizing vulnerabilities. VPR uses the same severity bands as CVSS, yet the resulting distributions are very different. VPR reflects actual risk through a number of key drivers, including threat intelligence and wider vulnerability metadata such as exploit maturity, evidence of past exploitation, the age of the vulnerability and the affected vendor.
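To make the difference between CVSS-only and threat-adjusted prioritization concrete, here is an illustrative scoring model added as an example. It is not Tenable's VPR algorithm (the report does not publish VPR's weights); the multipliers for exploit maturity, in-the-wild exploitation, vulnerability age and asset criticality are assumptions chosen to show the effect of the drivers named above. The eight findings are constructed placeholders, not real scan results.

```python
"""Threat-adjusted vulnerability prioritization: an illustrative model added
as an example. NOT Tenable's VPR algorithm; the weights below are assumptions.
It layers the drivers the report names (exploit maturity, evidence of
exploitation in the wild, age, asset criticality) on top of the CVSS base
score, then compares the severity bands produced by each approach.
"""
from collections import Counter

# Threat multiplier by exploit maturity (assumed weights for this example).
THREAT_WEIGHT = {"unproven": 0.2, "proof-of-concept": 0.5,
                 "functional": 0.8, "weaponized": 1.0}
IN_THE_WILD_BOOST = 1.3        # observed exploitation may raise severity above CVSS
STALE_UNPROVEN_DECAY = 0.5     # still no exploit after a year: even less likely
MAX_SCORE = 10.0

# Constructed findings (placeholder CVE IDs, not real scan results).
FINDINGS = [
    {"id": "CVE-2020-1001", "cvss": 9.8, "exploit_maturity": "weaponized",
     "exploited_in_wild": True,  "age_days": 30,  "asset_criticality": 5},
    {"id": "CVE-2020-1002", "cvss": 9.8, "exploit_maturity": "unproven",
     "exploited_in_wild": False, "age_days": 400, "asset_criticality": 4},
    {"id": "CVE-2020-1003", "cvss": 7.5, "exploit_maturity": "proof-of-concept",
     "exploited_in_wild": False, "age_days": 60,  "asset_criticality": 2},
    {"id": "CVE-2020-1004", "cvss": 7.2, "exploit_maturity": "functional",
     "exploited_in_wild": False, "age_days": 90,  "asset_criticality": 5},
    {"id": "CVE-2020-1005", "cvss": 8.8, "exploit_maturity": "unproven",
     "exploited_in_wild": False, "age_days": 10,  "asset_criticality": 3},
    {"id": "CVE-2020-1006", "cvss": 6.5, "exploit_maturity": "weaponized",
     "exploited_in_wild": True,  "age_days": 200, "asset_criticality": 5},
    {"id": "CVE-2020-1007", "cvss": 5.3, "exploit_maturity": "unproven",
     "exploited_in_wild": False, "age_days": 30,  "asset_criticality": 1},
    {"id": "CVE-2020-1008", "cvss": 9.0, "exploit_maturity": "functional",
     "exploited_in_wild": False, "age_days": 500, "asset_criticality": 2},
]


def threat_factor(f):
    """Multiplier reflecting how likely the vulnerability is to be used against you."""
    if f["exploited_in_wild"]:
        return IN_THE_WILD_BOOST
    t = THREAT_WEIGHT[f["exploit_maturity"]]
    if f["exploit_maturity"] == "unproven" and f["age_days"] > 365:
        t *= STALE_UNPROVEN_DECAY
    return t


def risk_score(f):
    """CVSS base score scaled by the threat factor, capped at 10."""
    return min(MAX_SCORE, f["cvss"] * threat_factor(f))


def band(score):
    """Same qualitative bands as CVSSv3, applied to either score."""
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def severity_distribution(findings, scorer):
    """{band: count} for a scoring function (CVSS alone or threat-adjusted)."""
    return dict(Counter(band(scorer(f)) for f in findings))


def high_critical_share(findings, scorer):
    """Fraction of findings landing in High or Critical under `scorer`."""
    hits = sum(band(scorer(f)) in ("High", "Critical") for f in findings)
    return hits / len(findings)


def remediation_order(findings):
    """IDs sorted by threat-adjusted score weighted by asset criticality."""
    ranked = sorted(findings, key=lambda f: risk_score(f) * f["asset_criticality"],
                    reverse=True)
    return [f["id"] for f in ranked]


if __name__ == "__main__":
    print("CVSS bands:", severity_distribution(FINDINGS, lambda f: f["cvss"]))
    print("risk bands:", severity_distribution(FINDINGS, risk_score))
    print("fix first: ", remediation_order(FINDINGS))
```

Two behaviours are worth checking against the text: a CVSS Critical with no public exploit after a year drops to Low, while a CVSS Medium with observed exploitation rises to High, something CVSS alone can never express. Asset criticality is applied only to the remediation order, not to the band, so the band stays a property of the vulnerability while the queue reflects the environment.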
Prevalence
Figure 5: VPR severity of CVEs published on NVD per year (same severity bands as CVSS)

year   total   critical   high   medium    low
2010    4639         60    769     3010    800
2011    4150         21    257     2200   1672
2012    5288         20    235     2714   2319
2013    5187         27    196     2498   2466
2014    7928         18    228     4507   3175
2015    6494         24    238     3411   2821
2016    6449        101    286     3165   2897
2017   14645        176    541     7455   6472
2018   16512         55    418     8106   7933
2019   17306         89    326     8523   8368
2020   18352        256    889     9748   7459
In January 2021, Tenable’s Security Response Team (SRT) published a lookback on the 2020 threat landscape, with an emphasis on the top vulnerabilities and campaigns seen in the wild [5]. SRT analyzes and compiles vulnerability disclosure and breach events and issues alerts and blog posts detailing the disclosure of serious vulnerabilities as well as major breaches, campaigns, and reports of exploitation in the wild. Since its inception in 2018, the team has initiated a response to hundreds of high-profile incidents and helped numerous customers assess and limit the impact of vulnerability disclosure on their environments.
High-Profile Vulnerabilities
With enterprises finding thousands of vulnerabilities per day on average across thousands of assets, and over 56 percent of new vulnerabilities rated High or Critical, vulnerability management remains a challenge for most organizations.
Security practitioners have to determine which vulnerabilities truly represent a risk to their systems and prioritize accordingly, in order to make the most of limited and stretched remediation resources. When everything is urgent, nothing really is, and prioritization and triage fail.
The news is not all grim, however: the industry is upping its game to provide the tools needed to prioritize vulnerabilities effectively, based on exploitability, actual exploitation and real-world impact, as well as contextual data about assets. VPR reduces the share of High and Critical severity vulnerabilities from 56 percent to 6.2 percent, allowing defenders to focus on what matters most.
Conclusion
[1] https://www.tenable.com/cyber-exposure/persistent-vulnerabilities
[2] https://www.darkreading.com/vulnerabilities---threats/missing-patches-misconfiguration-top-technical-breach-causes/d/d-id/1337410
[3] https://www.tenable.com/blog/what-is-vpr-and-how-is-it-different-from-cvss
[4] https://www.tenable.com/products/tenable-lumin
[5] https://www.tenable.com/cyber-exposure/2020-threat-landscape-retrospective
[6] https://www.tenable.com/blog
[7] https://www.tenable.com/cyber-exposure/vulnerability-intelligence
[8] https://sweet32.info/
REFERENCES