The truth about KEV: CISA’s vuln deadlines good influence on private-sector patching

May 7, 2024 at 07:34AM

CISA’s Known Exploited Vulnerabilities (KEV) catalog, aimed at federal agencies, is also positively impacting private organizations, reducing average remediation time to under 175 days, compared to 621 for unlisted vulnerabilities. While both sectors often miss CISA deadlines, private organizations face longer patch times, with technology firms the fastest at 93 days. Furthermore, KEVs linked to ransomware are addressed faster, with critical vulnerabilities taking an average of over four months to resolve, indicating the need for improved security prioritization. Bitsight recommends organizations establish their own patching deadlines based on severity, with minimal timelines for critical vulnerabilities.

Key points and takeaways from the report:

1. CISA’s Known Exploited Vulnerabilities (KEV) catalog, originally aimed at federal agencies, has also had a positive impact on private organizations by reducing vulnerability remediation time.
2. Private organizations take an average of under 175 days to remediate vulnerabilities listed in the KEV catalog, compared to 621 days for vulnerabilities not in the catalog.
3. Federal civilian executive branch (FCEB) agencies are better at meeting CISA-imposed deadlines than private-sector organizations: they are about 56% more likely to meet them.
4. Technology companies are the fastest at remediating vulnerabilities, with an average of 93 days.
5. KEVs associated with ransomware activity are patched 2.5 times faster than those that aren’t, likely due to the potential financial cost of an attack.
6. The severity of vulnerabilities influences patch times, with critical KEVs taking an average of four and a half months to remediate, while medium-severity bugs are often overlooked and patched an average of nearly one and a half years later.
7. Bitsight recommends that organizations impose strict patching deadlines based on severity, ranging from seven days for critical bugs to 180 days for low-severity issues.
8. Zero-day vulnerabilities require emergency plans, with clear protocols for applying patches as a top priority and executive-level support so that security teams can act to secure the organization.
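As an added illustration of the severity-based deadline policy and KEV-driven prioritization described in points 5 through 7, the following Python script is example code written for this summary, not Bitsight's tooling or anything from the article. It computes an internal due date for each finding from a severity SLA table, tightens that deadline when CISA's KEV entry carries an earlier due date, and orders the backlog so that overdue items, then KEV entries tied to ransomware, then other KEV entries come first. Only the 7-day critical and 180-day low deadlines come from the article; the high and medium values, the ordering rules, and the sample findings (with placeholder CVE identifiers) are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Severity-based remediation deadlines in days. The 7-day critical and
# 180-day low endpoints are the ones the article cites; the high and medium
# values are assumptions filled in between them.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    cve: str                        # identifier; sample values below are placeholders
    severity: str                   # one of SLA_DAYS' keys
    discovered: date                # when the finding entered the tracker
    in_kev: bool = False            # listed in CISA's KEV catalog
    kev_due: Optional[date] = None  # CISA's own due date for the KEV entry, if known
    ransomware_use: bool = False    # KEV entry flagged as used in ransomware campaigns


def due_date(f: Finding) -> date:
    """Internal deadline: severity SLA, pulled earlier by a KEV due date."""
    if f.severity not in SLA_DAYS:
        raise ValueError(f"unknown severity {f.severity!r} for {f.cve}")
    internal = f.discovered + timedelta(days=SLA_DAYS[f.severity])
    if f.in_kev and f.kev_due is not None:
        return min(internal, f.kev_due)
    return internal


def sort_key(f: Finding, today: date):
    """Overdue first, then KEV+ransomware, then any KEV, then nearest due date."""
    due = due_date(f)
    return (due >= today, not (f.in_kev and f.ransomware_use), not f.in_kev, due)


def triage(findings: List[Finding], today: date) -> List[dict]:
    """Return findings in work order with deadline and days overdue (negative = time left)."""
    rows = []
    for f in sorted(findings, key=lambda x: sort_key(x, today)):
        due = due_date(f)
        rows.append({"cve": f.cve, "due": due.isoformat(), "days_overdue": (today - due).days})
    return rows


# Constructed sample tracker contents; the CVE ids are placeholders, not real entries.
TODAY = date(2024, 5, 7)
SAMPLE = [
    Finding("CVE-XXXX-0001", "critical", date(2024, 4, 20), in_kev=True,
            kev_due=date(2024, 5, 10), ransomware_use=True),
    Finding("CVE-XXXX-0002", "medium", date(2024, 1, 1)),
    Finding("CVE-XXXX-0003", "high", date(2024, 5, 1), in_kev=True,
            kev_due=date(2024, 5, 22)),
    Finding("CVE-XXXX-0004", "low", date(2024, 3, 1)),
    Finding("CVE-XXXX-0005", "critical", date(2024, 5, 5)),
]

if __name__ == "__main__":
    for row in triage(SAMPLE, TODAY):
        print(f"{row['cve']}  due {row['due']}  days overdue {row['days_overdue']:+d}")
```

Run as a script it prints the worked backlog for the constructed sample: the KEV-listed ransomware bug is ten days overdue and leads, the neglected medium-severity finding (the class the report says is patched nearly a year and a half late) is next because it is 37 days past its 90-day deadline, and the KEV-listed high-severity item outranks a newer critical one that is not known to be exploited. The `ValueError` on an unknown severity is deliberate: a finding with no SLA should fail loudly rather than silently get no deadline.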

These takeaways emphasize the importance of prioritizing and promptly addressing vulnerabilities, especially those actively under attack, and highlight the need for swift action and deep insight to mitigate security risks.