According to data from Statista, the amount of vulnerabilities recorded in 2023 hit a record number with 29,000 new vulnerabilities reported. This is a 16% increase since 2022 and a doubling since 2017. In the first week of 2024 there were 612 vulnerabilities reported.
This sheer volume of vulnerabilities being released, coupled with the growing costs of cybercrime, is stressing existing operations teams in keeping up with the volume. Doing everything was never possible, and now it's not even aspirational. Prioritizing time to make the greatest impact is critical in maintaining a strong security posture.
Telling teams to remediate vulnerabilities is like telling firefighters to put out forest fires in the southwest during summer. There are always fires; you will never get them all put out. Given budgetary and real-world resource constraints, what is the stack ranked importance of different priorities in which to invest resources for the maximum impact? This is critical as keeping up with this has become a full-time job as financial services seek to remain compliant and secure. It is not practical or possible to immediately address all vulnerabilities in a financial services company's large heterogeneous IT environments. Prioritization of risk-based vulnerabilities is critical to ensure organizations can manage security risk while managing operational availability.
Specifically, Fortune 500 financial services companies who use Cisco Vulnerability Management report an 82% reduction in high-risk vulnerabilities after Cisco Vulnerability Management provided a comprehensive view into the context of the vulnerabilities. This is done by tracking Common Vulnerabilities and Exposures (CVE) across the lifecycle, from initial creation to real-world exploitation. This analysis includes the following data sources:
Through using the Cisco Vulnerability Management approach, Mattel reported a 50% reduction in time spent on remediation. A global 500 hospitality company reported a 75% reduction in time spent on vulnerability investigation. And Charter reported a 75% reduction in time spent on reporting. Scaling the security teams to prioritized response maximizes the focus on the highest threats, and is the purpose of Cisco Vulnerability management.
The collection of volume and velocity data is particularly crucial for security teams seeking to prioritize vulnerabilities. While most vulnerability management vendors track binary yes/no indicators of exploitation, Cisco goes beyond that. Our data provides insights into the number of machines exploited by a specific CVE within the past 24 hours, allowing us to assess if a vulnerability is currently more risky compared to previous days.
All of this data is fed into Cisco Vulnerability Management's machine learning model-based risk scoring, which incorporates our patented exploit prediction capabilities. The result is the Cisco Security Risk Score (formerly the Kenna Risk Score), which informs our customers about the level of risk associated with a vulnerability based on real-world attacker activity.
Another key value of Cisco's Vulnerability management approach is the integration with existing tool sets that Financial Services use. Through expanding the capabilities of existing assets already in use, we create additive value to security teams in creating a complimentary solution that provides enumeration of risks from these other tools.
Cisco Vulnerability management helps financials focus their risk priorities to make the largest impact. It also helps financials in meeting regulatory requirements, such as those present in the PCI guidance and FFIEC regulatory requirements. Some of the areas Cisco VM can help financials meet regulatory requirements include:
Cisco Vulnerability Management is key to helping financials ensure they are getting the greatest impact out of their security activities through addressing prioritized threats, and ensuring compliance to regulatory requirements.