State of Vulnerability Management: Results of the 2019 SANS Survey

Bethesda, MD, April 1, 2019 – Organizations are doing many positive things when it comes to vulnerability management. But there is room for improvement, particularly with regard to collaboration between IT and security teams, according to results of the SANS 2019 Vulnerability Management Survey to be released by SANS Institute on a two-part webcast Tuesday, April 9, 2019, and Wednesday, April 10, 2019.

“Continuous scanning has been a very contentious issue,” according to SANS fellow instructor and survey advisor David Hoelzer. “Because it is a core component in vulnerability management, it is important that organizations scan frequently enough to ensure security without overwhelming analysts. Automation is key to that mission.”

Only 7% of respondents do not perform any vulnerability scanning within their organizations, with 81% performing some level of automated scanning. This year’s results reveal that 28% perform continuous scanning—an increase of more than 200% compared with the results from our 2015 (13%) and 2016 (11%) surveys—to reduce the time between scans, giving an organization a more accurate picture of their environment.

“Some of the biggest concerns reported with regard to vulnerability management arise when the appropriate teams are not involved or are unaware of technology deployments,” says SANS instructor, analyst and survey author Andrew Laman. “It has never been easier to bring new applications and services online without the appropriate oversight, potentially exposing organizations to unintended vulnerabilities and risks.”

Vulnerability management resided mostly within information security departments (48%), while 82% of respondents held IT responsible for mitigating and/or remediating the vulnerabilities. Effective communication and efficient sharing of vulnerability information is key to remediating vulnerabilities. Organizations share the information in various ways: 63% of respondents used a ticketing system to share vulnerability scanner results, with 42% manually creating tickets. Integration with ticketing systems can help reduce the manual overhead of ticket creation, but should be balanced with the goal of effective communications. If automated ticket creation does not include key information—such as risk ratings or prioritization—organizations may not handle their remediation efforts with the correct level of urgency.
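The paragraph above makes a practical point that is easy to get wrong when wiring a scanner into a ticketing system: a ticket that carries only the raw finding gives the IT team no basis for urgency. The following is an added example (not survey material or SANS code) showing one way to turn scanner output into remediation tickets that carry a risk score, a priority and an SLA, and that are grouped so the same vulnerability on many hosts of the same criticality produces one ticket rather than dozens. The findings, the asset-criticality inventory, the scoring weights and the priority thresholds are all constructed for illustration; the `FAKE-*` plugin IDs are placeholders, and a real deployment would substitute its own scanner export, asset inventory and ticketing API.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# Constructed scanner findings (sample data, not output of any real scanner).
SAMPLE_FINDINGS = [
    {"host": "web-01", "plugin_id": "FAKE-0001", "title": "Outdated TLS library",
     "cvss": 9.8, "exploit_available": True},
    {"host": "web-01", "plugin_id": "FAKE-0002", "title": "Verbose server banner",
     "cvss": 2.1, "exploit_available": False},
    {"host": "hr-db",  "plugin_id": "FAKE-0001", "title": "Outdated TLS library",
     "cvss": 9.8, "exploit_available": True},
    {"host": "lab-vm", "plugin_id": "FAKE-0001", "title": "Outdated TLS library",
     "cvss": 9.8, "exploit_available": True},
]

# Hypothetical asset inventory: criticality tier assigned by the owning team.
ASSET_CRITICALITY: Dict[str, str] = {"web-01": "high", "hr-db": "high", "lab-vm": "low"}

# Illustrative weights: business criticality and known exploitability raise the score.
TIER_BONUS = {"high": 2.0, "medium": 1.0, "low": 0.0}
EXPLOIT_BONUS = 1.0
MAX_SCORE = 12.0


@dataclass
class Ticket:
    key: str            # dedup key: one ticket per vulnerability per criticality tier
    summary: str        # title line that already states priority and risk
    risk_score: float
    priority: str
    sla_days: int
    criticality: str
    hosts: List[str] = field(default_factory=list)


def risk_score(finding: dict, criticality: str) -> float:
    """CVSS base score adjusted for asset criticality and exploit availability."""
    score = finding["cvss"] + TIER_BONUS.get(criticality, TIER_BONUS["medium"])
    if finding["exploit_available"]:
        score += EXPLOIT_BONUS
    return round(min(score, MAX_SCORE), 1)


def priority_for(score: float) -> Tuple[str, int]:
    """Map a risk score to a priority label and a remediation SLA in days (illustrative thresholds)."""
    if score >= 11.0:
        return "P1", 7
    if score >= 8.0:
        return "P2", 30
    if score >= 4.0:
        return "P3", 90
    return "P4", 180


def build_tickets(findings: Iterable[dict], inventory: Dict[str, str],
                  open_keys: Set[str] = frozenset()) -> List[Ticket]:
    """Group findings into tickets, skipping vulnerabilities that already have an open ticket.

    Returns tickets ordered by descending risk so the most urgent work is listed first.
    """
    tickets: Dict[str, Ticket] = {}
    for f in findings:
        crit = inventory.get(f["host"], "medium")   # unknown assets default to medium
        key = f"{f['plugin_id']}:{crit}"
        if key in open_keys:
            continue                                 # already tracked; do not duplicate
        if key not in tickets:
            score = risk_score(f, crit)
            prio, sla = priority_for(score)
            summary = f"[{prio}] {f['title']} (risk {score}, {crit} criticality, fix within {sla}d)"
            tickets[key] = Ticket(key, summary, score, prio, sla, crit)
        tickets[key].hosts.append(f["host"])
    return sorted(tickets.values(), key=lambda t: t.risk_score, reverse=True)


def ticket_payload(t: Ticket) -> dict:
    """Shape a ticket as the kind of JSON body a ticketing API would accept (fields are hypothetical)."""
    return {"summary": t.summary, "priority": t.priority, "sla_days": t.sla_days,
            "risk_score": t.risk_score, "affected_hosts": t.hosts, "dedup_key": t.key}


if __name__ == "__main__":
    for t in build_tickets(SAMPLE_FINDINGS, ASSET_CRITICALITY, open_keys={"FAKE-0002:high"}):
        print(ticket_payload(t))
```

With the constructed data, the same CVSS 9.8 finding becomes a P1 ticket for the two high-criticality hosts and a separate P2 ticket for the lab machine, so the receiving team sees the urgency difference in the ticket title itself rather than having to work it out from the raw scanner export; passing the set of already-open dedup keys keeps recurring scan results from re-filing the same work.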

Laman concludes, “The separation of responsibilities is important, but cross-team communication is critical. Effective communication and efficient sharing of vulnerability information is key to remediating vulnerabilities.”

Full results will be shared during a two-part webcast at 1 PM EDT on Tuesday, April 9 and Wednesday, April 10, sponsored by Balbix, Bromium, Tenable and Veracode, and hosted by SANS. Register to attend the April 9 webcast focusing on the current state of vulnerability management at https://www.sans.org/webcasts/109075 and the April 10 webcast focusing on the vulnerability practices of tomorrow at https://www.sans.org/webcasts/109080.

Those who register for the webcast will also receive access to the published results paper, developed by SANS instructor, analyst and network security expert Andrew Laman with advice from SANS fellow instructor David Hoelzer.

Tweet This:

Explore current vulnerability management practices | Part 1 of the Vulnerability Survey Results | 4/9 @ 1PM ET | https://www.sans.org/webcasts/109075

Learn about risk-based vulnerability management | Part 2 of the Vulnerability Management Survey Results | 4/10 @ 1PM ET | https://www.sans.org/webcasts/109080

SANS 2019 Vulnerability Management Survey results presented @ 1PM | Register for Part 1: 4/9 https://www.sans.org/webcasts/109075 | Part 2: 4/10 https://www.sans.org/webcasts/109080

SANS instructors Andrew Laman and David Hoelzer present 2019 Vulnerability Survey results. Register for 4/9 and 4/10 webcasts: https://www.sans.org/webcasts/109075 and https://www.sans.org/webcasts/109080