CIOs experience growing pain points with myriad cyber threats

Dec. 30, 2019
Companies struggle to keep up with increasing volume and severity of cyberattacks

If you feel your job keeps getting harder, there’s hard evidence to support your perception: the volume and severity of cyberattacks continue to increase year after year. There was a 17 percent increase in the volume of cyberattacks and a nearly 27 percent increase in cyberattack severity year-over-year, according to new research from ServiceNow and Ponemon.

The findings, based on a recent survey of almost 3,000 security professionals in nine countries, identify clear gaps in vulnerability response as growing pain points for CIOs. Vulnerabilities lead to problems, from data breaches to service disruption. In fact, according to the study, respondents saw a 30 percent increase in downtime due to patching of vulnerabilities, downtime which ultimately hurts customers, employees, partners and brands.

Organizations can be more efficient in security vulnerability management

The reality is, most enterprises are unaware of vulnerabilities that could lead to a data breach. And when there is a patch for an open threat, too often IT teams cannot implement patches promptly because they are being bogged down by manual, time-intensive processes. Case in point: despite a 24 percent average increase in annual spending on prevention, detection and remediation in 2019, the survey shows that patching is still delayed by an average of 12 days due to data silos, poor organizational coordination and internal turf wars.

This is a major issue, especially since timely patching could have prevented many of the data breaches that occurred. Sixty percent of respondents say one or more of the breaches that they experienced could have been prevented because a patch was available, but not applied. And of these respondents, 62 percent were unaware that their organizations were vulnerable to a data breach. And these are the organizations that were able to tie the breach back to a root cause. How many more examples are there that go undiagnosed?

The patching process is under greater pressure

Prompt patching – or other mitigating action – is increasingly crucial. Fifty percent of survey respondents say the window of time between when a vulnerability is announced and when they see attack activity has decreased in the past two years.

Security and IT teams aren’t unaware of this need; they face many systemic obstacles. Vulnerability patching is often delayed not only because of a severe lack of resources across IT and security teams but also because a common view of applications and assets at risk simply does not exist—it’s hard to know which systems are affected and make a compelling case to IT about the urgency to act. Prioritization challenges grew 7% year over year, the largest increase of any category. Even with prioritization based on asset criticality and risk, IT can be understandably reluctant to take critical applications and systems offline so they can be patched quickly.

In order to improve their security postures, organizations need to find ways to eliminate data and process silos, improve collaboration, and automate prioritization and response. This will enable teams to work seamlessly and confidently to solve critical issues quickly and create processes that help them manage the ever-expanding list of vulnerabilities.

The race to outpace hackers continues as organizations struggle to keep up

The main issue, however, may lie in the disparity between the maturity of hackers and the lack of vulnerability response maturity within an organization. Much of this stems from automation. While 60 percent of survey respondents agreed that hackers are using machine learning and artificial intelligence to hack, more than 60 percent also say that IT security spends more time navigating manual processes than responding to vulnerabilities. This major problem leads to an overwhelming response backlog, putting organizations at a disadvantage when responding to vulnerabilities. Simply put, manual processes are slowing organizations down.

Automation delivers results

On the upside, organizations that are using automation are getting better at reducing risk. The study found that automation results in a significant payoff in terms of being able to respond quickly and effectively to vulnerabilities. Eighty percent of survey respondents who leverage automation say they respond to vulnerabilities in a shorter timeframe. Additional benefits, according to the research, include reduced downtime, patching in a timely manner, being able to prioritize the most critical vulnerabilities, and increasing the efficiency and effectiveness of the IT staff.

Yet, despite the benefits of automation in responding to vulnerabilities, less than half (46 percent) of respondents say they use this technology. Teams that invest in automation and maturing their IT and security team interactions will strengthen the security posture across their organizations.

The Bottom Line

Many organizations have the motivation to address the vulnerability gap challenge, but struggle to effectively leverage their resources for more impactful vulnerability management.

While there’s no one-size-fits-all approach to vulnerability response, automation is a critical tool. Automating prioritization and response can directly improve the ability to reduce exposure and patch vulnerabilities in a timely manner, removing the potential to be bogged down by manual, time-intensive processes. Investing in automation is a key differentiator for organizations that have vulnerability management programs that are maturing vs. those that remain immature in effectiveness and response.

Automating routine processes and prioritizing vulnerabilities can help organizations avoid the “patching paradox,” where incremental staffing doesn’t equate to better security. Instead, they can focus their IT staff on critical—and more proactive—work that might further reduce the likelihood of a future breach.

We’ve seen attackers embrace automation in toolkits, botnets, and more. Now is the time for security teams to adopt the same efficient approach.

About the author: Sean Convery is the General Manager for ServiceNow Security and Risk.