
Tenable Blog


Mind the Gap: How Existing Vulnerability Frameworks Can Leave an Organization Exposed


This is the second of a four-part series examining the period of time between when a vulnerability is first discovered and when it is fully disclosed on the National Vulnerability Database. In this installment, we explore how common industry frameworks leave security teams with blind spots — and discuss how Tenable can help.

Knowledge rests not upon truth alone, but upon error also.

—Carl Jung

Each year, cybersecurity teams around the world face an onslaught of new vulnerability disclosures affecting the software and systems in use in their organizations. In 2022 alone, more than 25,000 vulnerabilities were disclosed, nearly a 20% increase over the prior year.

The common frameworks organizations rely upon to evaluate vulnerabilities and prioritize which ones to fix first have become de facto standards. But they also leave security professionals with significant blind spots that serve to increase risk.

In this blog, we examine one of those blind spots: the gap in time between when a vulnerability is first discovered and when it is fully disclosed on the National Vulnerability Database (NVD). Of the 25,000+ vulnerabilities discovered last year, 295 were observed to be exploitable before they were fully disclosed on NVD.

Why is this a concern? Because busy cybersecurity professionals rely on those full NVD disclosures to make their remediation decisions. But attackers don’t wait. They’re ready to pounce as soon as a vulnerability is first discovered, leaving organizations with security gaps that can range from mere days to several months.

We believe these findings offer the valuable context that cybersecurity practitioners need to evolve their vulnerability management practices to embrace a risk-informed view of the expanding attack surface. This is the first step in the journey toward embracing a full exposure management program.

Glossary of terms

What does “ahead of NVD plugin coverage” mean?

“Ahead of NVD plugin coverage” means that Tenable products provided coverage before (or on the same day) a CVE was fully disclosed on NVD.

What does “ahead of NVD VPR coverage” mean?

“Ahead of NVD VPR coverage” means that Tenable products provided a Vulnerability Priority Rating (VPR) before (or on the same day) a CVE was fully disclosed on NVD.

Why are these classifications important?

Both plugin coverage and VPR are critical tools for security teams to practice preventive cybersecurity. The plugins made available in Tenable products prior to a vulnerability being fully disclosed on NVD provide security teams with the ability to mind the gap, while the VPR scoring system provides an alternate method cybersecurity teams can use to prioritize vulnerabilities for remediation. The generation of a VPR score is essential for vulnerabilities that have not yet been fully disclosed in NVD and for which CVSS scores are lacking.

What does it mean to security professionals?

Rapid response

By inspecting, disclosing and providing detection tools and guidance in a timely manner, Tenable Research enables security professionals to rapidly respond to the vulnerabilities that represent the greatest risk to their systems.

Comprehensive intelligence

Tenable Research maintains a continuously updated and context-rich data set of intelligence that feeds our products, enabling a best-in-class customer experience for security professionals.

Proactive risk identification and remediation

Tenable Research is constantly analyzing vulnerabilities to evaluate their risk to organizations as well as providing proactive remediation guidance, ensuring that security professionals have the tools they need to reduce risk on a proactive and continuous basis.

22 years of Tenable plugin coverage ahead of NVD

We analyzed historical data to show the full scope of the gap and how it affects common software in use at many organizations. Between Jan. 1, 2000, and Dec. 31, 2022, Tenable provided plugin coverage ahead of NVD for 32,862 vulnerabilities, of which 531 had still not been fully disclosed in NVD as of Dec. 31, 2022.

To show the full scope of the coverage gap facing cybersecurity teams, we also analyzed 16 software vendors whose products are commonly used in many large organizations. Fig. 1 shows the number of CVEs per vendor for which Tenable provided plugin coverage either prior to or on the same day a vulnerability was fully disclosed on NVD during the period of Jan. 1, 2000 – Dec. 31, 2022. Among these vendors, we found there was an average delay of 117 days between when a vulnerability was first discovered and when it was fully disclosed on NVD.

Fig. 1

| Vendor | Plugin coverage ahead of NVD | Total plugin coverage | % of plugins released ahead of NVD | Avg delay observed in days |
|---|---|---|---|---|
| Adobe | 278 | 4,271 | 6.5% | 21 |
| Amazon | 368 | 5,342 | 6.9% | 161 |
| Apple | 1,047 | 5,842 | 17.9% | 73 |
| CentOS | 392 | 5,972 | 6.6% | 125 |
| Cisco | 104 | 2,477 | 4.2% | 177 |
| Debian | 578 | 8,288 | 7% | 85 |
| Google | 525 | 3,239 | 16.2% | 35 |
| IBM | 259 | 1,603 | 16.2% | 154 |
| Microsoft | 394 | 8,597 | 4.6% | 18 |
| Mozilla | 76 | 2,593 | 2.9% | 175 |
| Oracle | 1,439 | 13,575 | 10.6% | 173 |
| Red Hat | 1,144 | 12,855 | 8.9% | 124 |
| Slackware | 51 | 539 | 9.5% | 298 |
| Solarwinds | 12 | 67 | 18% | 69 |
| Suse Linux | 216 | 3,5611 | 6.1% | 133 |
| VMWare | 49 | 535 | 9.1% | 55 |

Reference period: January 1, 2000 - December 31, 2022

Source: Tenable Research, April 2023
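The columns of Fig. 1 follow from three rules the text gives: a plugin counts as "ahead of NVD" when it was published before or on the day the CVE was fully disclosed on NVD, a CVE with no NVD disclosure by the cutoff date is ahead by definition, and the observed delay can only be averaged over CVEs that have actually been disclosed. The script below is an added illustration of that computation, not Tenable's own code or data; the CVE ids, vendor names and dates are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class CoverageRecord:
    cve: str
    vendor: str
    plugin_published: date
    nvd_published: Optional[date]  # None = not yet fully disclosed on NVD


AS_OF = date(2022, 12, 31)  # cutoff date of the reference period

# Constructed sample records (placeholder ids and dates, not values from the page).
SAMPLE = [
    CoverageRecord("CVE-EXAMPLE-0001", "VendorA", date(2022, 3, 1), date(2022, 5, 10)),
    CoverageRecord("CVE-EXAMPLE-0002", "VendorA", date(2022, 6, 7), date(2022, 6, 7)),   # same day: ahead
    CoverageRecord("CVE-EXAMPLE-0003", "VendorA", date(2022, 9, 20), date(2022, 9, 1)),  # after NVD: not ahead
    CoverageRecord("CVE-EXAMPLE-0004", "VendorB", date(2022, 11, 2), None),              # undisclosed at cutoff
    CoverageRecord("CVE-EXAMPLE-0005", "VendorB", date(2022, 1, 15), date(2022, 4, 15)),
]


def is_ahead_of_nvd(rec: CoverageRecord, as_of: date) -> bool:
    """Ahead of NVD = plugin available before or on the NVD disclosure date.
    A CVE still undisclosed at the cutoff counts as ahead if the plugin existed by then."""
    if rec.nvd_published is None:
        return rec.plugin_published <= as_of
    return rec.plugin_published <= rec.nvd_published


def gap_days(rec: CoverageRecord) -> Optional[int]:
    """Days between plugin release and full NVD disclosure; None while undisclosed."""
    if rec.nvd_published is None:
        return None
    return (rec.nvd_published - rec.plugin_published).days


def summarize(records, as_of: date) -> dict:
    """Per-vendor columns of Fig. 1 plus a count of CVEs still awaiting NVD disclosure.
    The average delay uses only ahead-of-NVD CVEs whose delay is measurable."""
    out = {}
    for vendor in sorted({r.vendor for r in records}):
        rows = [r for r in records if r.vendor == vendor]
        ahead = [r for r in rows if is_ahead_of_nvd(r, as_of)]
        delays = [d for d in (gap_days(r) for r in ahead) if d is not None]
        out[vendor] = {
            "ahead": len(ahead),
            "total": len(rows),
            "pct_ahead": round(100.0 * len(ahead) / len(rows), 1),
            "avg_delay_days": round(sum(delays) / len(delays)) if delays else None,
            "undisclosed": sum(1 for r in ahead if r.nvd_published is None),
        }
    return out
```

Running `summarize(SAMPLE, AS_OF)` shows why the "undisclosed" count matters: those CVEs have no CVSS score yet, which is the situation the VPR discussion above addresses.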

In the reference time period (2000 - 2022), the five vendors with the largest percentage of Tenable plugin coverage released ahead of the vulnerabilities being fully disclosed on NVD are:

  1. Apple (17.4%)
  2. Google (16.3%)
  3. IBM (16.2%)
  4. Solarwinds (12.9%)
  5. Slackware (11.0%)

In 2022 we observed the following (cumulative) assets:

  • 15+ million assets running Apple software
  • 97+ million assets running Google software
  • 16+ million assets running IBM software
  • 500,000+ assets running Solarwinds software

About The Mind the Gap series

This four-part Mind the Gap blog series is a resource for security professionals that provides an overview of the observed vulnerability landscape, with a focus on vulnerabilities discovered by Tenable Research before detailed information appeared on the NVD. The series stems from the analysis of our own dataset, one of the most extensive and rich datasets in the industry. Over the years we have gathered broad knowledge of the vulnerability landscape, combined with Tenable Research-specific insights and reporting capabilities.
