Survey
SANS Vulnerability Management Survey 2022
Written by David Hazar
October 2022
2022 SANS Institute

Executive Summary

The way companies build and deploy applications and services is evolving, and the use of cloud, containers, and remote workers has continued to
expand at a rapid pace. We are also increasingly relying on third-party software and libraries. Although these changes have resulted in increased options for identifying, tracking, and remediating vulnerabilities, security organizations must be actively involved in these changes in order to effectively evaluate and implement a vulnerability management (VM) program tailored to their organization's operations.

VM continues to be a struggle for many organizations. Although we are seeing improvements in maturity year over year, we see many companies struggling with backlogs of vulnerabilities they cannot fix
and a growing number of vulnerabilities they are not even responsible for fixing. These vulnerabilities may require their vendors or the open-source community to provide or implement the fix. VM programs spend a good deal of time identifying and communicating vulnerability details, yet sometimes the end goal of these activities, to help the technology organizations prioritize and treat or remediate the identified vulnerabilities, is overlooked.

Do we have a vulnerability management problem or a technology management problem? We should all be asking ourselves this question as we evaluate what we need to
do to succeed in managing vulnerabilities and reducing risk for our respective organizations. Only by digging into the details to identify existing problems and starting to analyze how to solve them can we identify solutions.

Even though many organizations have well-defined VM programs, certain aspects of those programs continue to cause problems for survey respondents. Specifically, those aspects prevent them from maturing past Level 3 or Defined in many areas or functions of the program or for specific asset types.[1] Some of the difficulties we might encounter are:

- Things change too quickly.
- We lack complete visibility (shadow IT).
- We don't budget for fixing vulnerabilities, and we don't have extra time or resources.
- Continued support for legacy assets and applications is required by the business.
- The work is not always recognized and rewarded.
- Security is accountable, but is not responsible, for much of
the work.
- New vulnerabilities are continuously being discovered, so the work is never "done."
- We cannot fix what we don't manage.

[1] Refer to the SANS VM Maturity Model for definitions of Level 3 and Defined. For more information, visit www.sans.org/posters/key-metrics-cloud-enterprise-vmmm
How do we succeed?

Most organizations already know how to patch and reconfigure assets and fix bugs in code, so some other obstacles must be at play. When reviewing a company's backlog, it is not uncommon for us to find that well over 50% of outstanding vulnerabilities cannot be remediated due to issues that are not receiving the proper attention or resources: "We can't patch these servers because the applications running on them require the older vulnerable software and libraries to run," or "We can't patch or get rid of that browser because our internal apps require the older version." VM programs must get better at identifying these issues, so they can develop business cases for larger changes in our operating procedures or technology requirements. Only then will we be able to remove those obstacles.

Some of the key findings and takeaways from this year's survey include:

- More than
50% of respondents work for organizations that have adopted a cloud-first strategy.
- The percentage of companies with a formal VM program increased slightly from 75% in 2021 to 77% in 2022, with the remaining participants either having an informal program or planning on creating a formal program in the next 12 months.
- Around 4% more organizations are using a third party to manage their formal program.
- There was no significant change in the VM functions and asset types included in the programs for more traditional VM asset types or functions, but cloud infrastructure as a service and platform as a service, custom software or application development, and containers had far greater coverage over levels reported by respondents in 2019, 2020, and 2021.
- Security still plays the largest role in leading many VM functions, with the exception of remediation work such as patch and configuration management. Somewhat surprisingly, security's responsibility has increased in those areas by more than 10% since last year's survey.
- Automated discovery or scanning for vulnerabilities is included in almost 7% more organizations than last year.
- Maturity of change, patch, and configuration management capabilities are trending in the right direction.
- Cloud vulnerability management maturity is increasing.
- Less than half (43%) of our respondents are managing supply chain vulnerabilities proactively.

Figure 1 provides a snapshot of the 2022 survey respondents' demographics.

Setting the Stage
The percentage of organizations with a formal program managed internally dropped a couple of percentage points to 61%, which might be concerning if not for the fact that the use of third parties increased to 15% from 11% over the same period. Overall, there was a 2% increase in the number of respondents with formal programs. Those that do not have a formal program are still informally managing their vulnerabilities (17%) in some fashion or have plans to formalize a program in the next 12 months (6%). See Figure 2. These results indicate that almost 94% of organizations at least have some processes in place
to identify or manage their vulnerabilities, with the remaining working on it.

Figure 1. Key Demographic Information
Top 4 industries represented: banking and finance; government and technology (tied); manufacturing (each gear represents 5 respondents).
Organizational size: Small (up to 1,000), Small/Medium (1,001 to 5,000), Medium (5,001 to 15,000), Medium/Large (15,001 to 50,000), Large (more than 50,000) (each building represents 10 respondents).
Top roles represented: security administrator/security analyst; security manager or director; security architect; business manager; vulnerability management manager or director (each person represents 5 respondents).
Operations and headquarters: counts by region (region labels are not recoverable from the extracted figure).

Figure 2. Formal vs. Informal Programs
Does your organization have a vulnerability management program?
- Yes, we have a formal program managed internally: 61.3%
- Yes, we have a formal program managed by a third party: 15.2%
- Yes, we have an informal program: 17.4%
- No, we do not have a program, but we plan to in the next 12 months: 6.1%

This year, similar to previous years, we asked respondents to identify the specific types of assets and functions they included or planned to include in their vulnerability management program. While many of these measurements were similar to previous years, cloud infrastructure and platform as a service, custom software or application development (internal), and containers saw larger increases. See Figure 3. These increases are not surprising given how much more prevalent cloud and container usage has become over the last several years. Also, the technologies that help security teams identify vulnerabilities in cloud and containers have become much more prevalent and mature.

Figure 3. Vulnerability Management Program Assets
Which are included as part of your existing or planned vulnerability management program? Select all that apply. (Existing vs. Planned.) Response options: asset inventory tools; Cloud Platform as a Service (PaaS); third-party/open source developed applications (not packaged software); IoT/Embedded/Industrial Control System (ICS) infrastructure; ticketing systems; container infrastructure; Cloud Infrastructure as a Service (IaaS); on-premise traditional (physical/virtual) infrastructure (servers, endpoints, network devices, appliances, etc.); other; Cloud Software as a Service (SaaS); custom software or application development (internal); threat intelligence. (Per-option percentages are not recoverable from the extracted chart.)

Responsibility for Vulnerability Management Programs

Information security continues to be the group within organizations most often assigned responsibility for overall vulnerability management, as shown by the increase to nearly 74% vs. 64% the previous year. IT organizations still take point for remediation activities such as patch (52%) and configuration management (53%) in most organizations (illustrated in Figure 4), yet these percentages are down 10% from last year, with information security apparently taking over those responsibilities for these organizations. Part of this could be due to the fact that there are more vulnerability management technologies that offer remediation capabilities. Another could just be a
decision to gain efficiencies by having the teams that are finding the vulnerabilities also be more involved in fixing the vulnerabilities.

Figure 4. Primary Responsibility
Who is primarily responsible for each of the following areas? Select the best response from the drop-down list for each area. Response options: Information Security, Information Technology, Application Development, Audit/Risk, Compliance, Third Party, Other. (Only the Information Security and Information Technology columns are recoverable from the extracted chart.)

Area                                                                   Information Security   Information Technology
Overall vulnerability management in your organization                  73.8%                  13.1%
Traditional (physical/virtual) infrastructure vulnerability discovery  57.3%                  30.1%
Container infrastructure vulnerability discovery                       40.8%                  28.2%
Custom-developed application vulnerability discovery                   41.7%                  17.0%
Cloud vulnerability discovery                                          57.8%                  18.9%
Third-party/open source application vulnerability discovery            49.5%                  14.6%
IoT/Embedded/ICS vulnerability discovery                               36.9%                  20.9%
Patch management                                                       28.6%                  51.9%
Configuration management                                               23.8%                  53.4%
Vulnerability analysis                                                 65.0%                  13.1%
Vulnerability reporting                                                65.5%                  12.6%

Year-Over-Year Comparison

Eighty-seven percent of respondent organizations perform automated vulnerability discovery, an increase this year of 7%, building on last year's 10% increase. Note that this survey question just measures whether any automated scanning is occurring and does not provide insight into whether all assets in a given category are subject to automated scanning. Traditional, on-premises infrastructure continues to be the most common area of automated vulnerability discovery at 82%, which is almost 9% higher than last year. Automation increased in all other asset types, with cloud infrastructure as a service and custom software or application development (internal) seeing the largest gains. See Figure 5. The increase in scanning for applications may be due to a rising general interest in application security, but the recent supply-chain vulnerabilities in third-party software libraries may play a role as well. The increase in cloud is not surprising given the increase in cloud adoption, cloud expertise, cloud maturity, and cloud-first strategies for many organizations during the past few years.

Fewer organizations are using manual patch and configuration management techniques (down more than 5% over last year), and 5% more respondents indicate they have moved to a continuous patch and configuration model vs. a defined cadence (weekly or monthly, for example). See Figures 6 and 7. Manufacturing, government, and technology organizations are the most likely to use the ASAP/continuous model for applying patches and configuration changes to their assets.

Figure 5. Automated Discovery by Asset Type
Which of the following are automated? Select all that apply. (2021 vs. 2022.) Asset types: on-premise traditional (physical/virtual) infrastructure (servers, endpoints, network devices, appliances, etc.) (82.0% in 2022); Cloud Platform as a Service; other; custom software or application development (internal); container infrastructure; Cloud Infrastructure as a Service; third-party/open source developed applications (not packaged software); IoT/Embedded/Industrial Control System (ICS) infrastructure; Cloud Software as a Service. (Remaining percentages are not recoverable from the extracted chart.)

Figure 6. Patching and Configuration Management
Does your organization manage the patch and configuration of assets? (2021 vs. 2022.) Response options: no, we configure systems manually only when needed; yes, we have automated scripts in place to update and validate patches and configurations; yes, we update patches and configurations manually as required by policy; yes, we rely on built-in patch and configuration management (e.g., Yum, Windows Updates, Group Policy) capabilities or third-party configuration management software; yes, we have automated configuration as code technologies in place to update and validate configurations (e.g., Puppet, Chef, Ansible); yes, we leverage immutable infrastructure, require use of approved images, and limit the time an image can be used before being replaced; yes, we rely on third-party patch and configuration management software. (Percentages are not recoverable from the extracted chart.)

Cloud and the Supply Chain

Nearly 55% of respondents' organizations have adopted a cloud-first strategy. (We did not ask this question in 2021.) It will be interesting to see how this percentage grows in coming years. Manufacturing, technology, cybersecurity, and banking and finance respondents were the most likely to indicate that their organizations had adopted a cloud-first policy or strategy. Manufacturing is probably the most surprising in that group.

We also added a couple of questions this year on supply chain vulnerabilities. Fewer than 50% of organizations (43%) are managing these proactively, and many organizations are relying primarily on existing asset inventories and traditional vulnerability management tools to identify
and track these vulnerabilities. See Figures 8 and 9. More so than the other industries, manufacturing, government, and technology organizations have moved to a more proactive approach to managing supply chain vulnerabilities. While asset inventories and traditional VM scanning technologies are still the
most widely used technology for identifying supply chain vulnerabilities, it will be interesting to see how the use of software composition analysis changes over time along with image scanning and other less traditional forms of identification.

Figure 8. Managing Supply Chain Vulnerabilities
How does your organization manage supply chain vulnerabilities? Response options: supply chain vulnerabilities are proactively identified and managed using supply chain-specific processes and technologies; supply chain vulnerabilities are proactively identified and managed using traditional VM processes and technologies; supply chain vulnerabilities are tracked on an as-needed basis and response is typically handled through our emergency VM procedures; we don't track supply chain vulnerabilities; unknown. (Percentages are not recoverable from the extracted chart.)

Figure 7. Treatment Frequency
How often are patches and configurations applied/validated? (2021 vs. 2022.) Response options: ASAP/continuous; weekly; monthly; quarterly; annually; once at creation, non-immutable infrastructure (system is online for years); aligned with SDLC release cycle; other. (Percentages are not recoverable from the extracted chart.)

Figure 9. Supply Chain Vulnerability Identification and Tracking
Which of the following processes and/or technologies are used by your organization to identify and track supply chain vulnerabilities? Select all that apply. Response options: traditional VM scanning technologies (e.g., Qualys, Nexpose/InsightVM, Tenable); software composition analysis; hardware asset management; software asset management; container/image scanning; other. (Percentages are not recoverable from the extracted chart.)

VM Maturity

This is the second year we have asked respondents to rate their maturity based on the SANS Vulnerability Management Maturity Model. As a result
, we are now able to compare responses year over year in an attempt to spot any trends. This section looks at each of the phases of the vulnerability management lifecycle that are included in the maturity model and how the survey respondents graded themselves against that model.

Prepare

Preparation is an important part of any program, and it is not a one-time activity. Many organizations have moved to more iterative styles of systems and software development, and may want to consider a similar approach to program development. Organizations cannot excel at everything right away; if they focus on more than a few capabilities each cycle, they will likely struggle to maintain focus and may not make significant gains on any one capability.

Policies and Standards

The maturity of respondents' policies and standards is almost a perfect bell curve, with most organizations at a defined level of maturity. Maturity
has shifted up a little more toward Level 3 (Defined) and Level 4 (Quantitatively Managed), but a smaller percentage of respondents indicated a Level 5 maturity in this category than last year. See Figure 10. This area is clearly trending in the right direction. We do hope to see more companies using automated controls to enforce their policies and standards in the future as emerging technologies make this easier. Cloud adoption and DevSecOps operating models definitely help provide options for defining and enforcing certain policies and standards in code. While there will always be some policies and
standards that cannot be enforced with code, defining as many as possible can help compliance tremendously.

Figure 10. Maturity of Policies and Standards
How would you rank the maturity of your VM policies and standards?

Level     2021    2022    Change (FY2021 to FY2022)
Level 1   11.2%   6.3%    -4.9%
Level 2   21.5%   20.5%   -1.0%
Level 3   37.4%   43.2%   5.8%
Level 4   20.6%   23.2%   2.6%
Level 5   9.3%    6.8%    -2.5%

Context

With regard to asset inventories and the availability and quality of contextual information, the maturity is a bit lower (especially for non-traditional asset types) but is definitely trending in the right direction. We expect to see even more maturity in this area in the future as more companies implement passive asset-discovery technologies. These technologies leverage APIs to interrogate existing data sources along with network traffic to correlate information and get a better understanding about which assets exist in the organization and where there might be gaps. Many of our current technologies have accessible APIs, which makes this type of discovery and analysis possible and
decreases our reliance on active and agent-based discovery. See Figure 11. Even without purchasing technologies, organizations can leverage APIs available in their cloud environments, virtualization hypervisors, and other types of programmable infrastructure. They can also leverage tagging and other capabilities that allow for the storage and retrieval of contextual information. If third-party technologies are not available, organizations can still build and maintain their own big data stores to collect and analyze the information. The main capabilities the newer passive asset management technologies
provide are hundreds of pre-built integrations for different data sources and pre-built queries and correlation rules. Depending on how many data sources are needed to get an accurate representation of the environment, it may be possible to build and maintain something in-house.

Figure 11. Maturity of Asset Inventory and Contextual Information[2]
How would you rank the maturity of your asset inventory and the contextual information you need as input to various VM processes? Select a scale for each category: traditional infrastructure, applications, containers, and cloud.

2022 by category:
Level     Traditional infrastructure   Applications   Containers   Cloud
Level 1   11.5%                        6.3%           20.9%        16.8%
Level 2   22.5%                        22.0%          22.5%        29.8%
Level 3   36.1%                        33.5%          22.5%        18.3%
Level 4   22.0%                        31.4%          20.9%        22.5%
Level 5   6.3%                         6.8%           9.4%         9.9%

Year over year:
Level     2021    2022    Change (FY2021 to FY2022)
Level 1   17.8%   13.9%   -3.9%
Level 2   30.8%   24.2%   -6.6%
Level 3   26.2%   27.6%   1.4%
Level 4   17.8%   24.2%   6.5%
Level 5   7.5%    8.1%    0.6%

[2] Note: We used the average for 2022, as we didn't break out categories in 2021.

Identify

Many organizations mistakenly believe that if there are automated tools in place to identify vulnerabilities, then a vulnerability management program exists. Although identification is a key part of vulnerability management, it alone does not solve any problems. Identification can happen in many different ways, but the maturity model measures three of the most important methods: automated, manual, and external.

Automated Identification

The maturity of automated identification processes has improved for all asset types, but the more notable improvements have been for cloud (+14% Level 3+), applications (+13%), and containers (+12%). As organizations leverage automation and move to a more DevSecOps model for systems and software development, they have more visibility into
the assets or images that need scanning. It is also possible that the shift to cloud and remote workforce has led to increased agent-based scanning, which tends to improve coverage, especially for more dynamic asset types. See Figure 12. The available options for scanning containers and containerized applications have grown over the past couple of years with a large increase in the number of registry scanning technologies (many of which are open source or free) and the number of Kubernetes integrations that provide container image scanning. The increased consolidation of version control technologies
and use of automated pipelines by organizations has also made it easier for organizations to identify and track their applications. Also, software composition analysis tools are more readily available than they have been in the past. Cloud Security Posture Management (CSPM) and Cloud Workload Protection
Platform (CWPP) options have become much more ubiquitous, and most organizations have multiple options for gaining visibility into the security of their cloud environments.

Figure 12. Maturity of Automated Vulnerability Capabilities by Category
How would you rank the maturity of your automated vulnerability identification capabilities across traditional infrastructure, applications, containers, and cloud? Select a scale for each category.

2022 by category:
Level     Traditional infrastructure   Applications   Containers   Cloud
Level 1   10.2%                        5.9%           19.9%        16.1%
Level 2   21.5%                        17.2%          19.4%        19.9%
Level 3   32.3%                        38.2%          28.5%        31.7%
Level 4   22.0%                        28.0%          21.0%        21.5%
Level 5   11.8%                        10.8%          8.6%         8.6%

% change (FY2021 to FY2022):
Level     Traditional infrastructure   Applications   Containers   Cloud
Level 1   -0.9%                        -4.3%          -11.2%       -14.0%
Level 2   -9.0%                        -7.6%          1.9%         4.4%
Level 3   7.1%                         7.0%           8.1%         9.4%
Level 4   6.6%                         0.7%           2.5%         6.0%
Level 5   -3.8%                        5.0%           1.8%         -1.1%

Manual Identification

Manual identification maturity has also improved over last year for most asset types, with applications seeing the largest increase in Level 3 or Defined and Above maturity at 10%, followed by containers (7%) and cloud at only 4%. Traditional infrastructure actually decreased slightly by 1%, which could be due to demographics or a shift away from traditional operating models. See Figure 13. Automated tools for identifying vulnerabilities continue to improve, but certain types of flaws are not easily found by these technologies. Manual assessment will always have a place in identifying those business- and application-specific vulnerabilities. Organizations need to continue to mature these capabilities even as more automated scanning is introduced into environments.

External Identification

External identification may happen as part of a formal bug bounty program, but even without such a program, organizations need to have a defined way of handling external vulnerability reports. Many more respondents have set up and defined their processes for handling these types of vulnerabilities and engaging with external researchers. See Figure 14.

Figure 13. Maturity of Manual Vulnerability Capabilities by Category
How would you rank the maturity of your manual vulnerability identification capabilities across traditional infrastructure, applications, containers, and cloud? Select a scale for each category.

2022 by category:
Level     Traditional infrastructure   Applications   Containers   Cloud
Level 1   15.0%                        11.8%          23.5%        18.7%
Level 2   20.3%                        21.9%          20.9%        26.7%
Level 3   29.4%                        33.2%          25.1%        21.9%
Level 4   25.7%                        20.3%          17.6%        19.8%
Level 5   8.6%                         12.3%          10.2%        10.2%

% change (FY2021 to FY2022):
Level     Traditional infrastructure   Applications   Containers   Cloud
Level 1   -3.8%                        -6.4%          -11.4%       -13.3%
Level 2   -1.4%                        -10.7%         3.4%         9.3%
Level 3   4.0%                         10.0%          3.8%         3.5%
Level 4   -0.1%                        12.1%          3.1%         4.3%
Level 5   0.6%                         -2.1%          2.4%         -1.5%

Figure 14. Maturity of External Vulnerability Capabilities by Category
How would you rank the maturity of your external vulnerability identification capabilities across traditional infrastructure, applications, containers, and cloud? Select a scale for each category.

2022 by category:
Level     Traditional infrastructure   Applications   Containers   Cloud
Level 1   15.0%                        12.3%          20.3%        18.7%
Level 2   22.5%                        19.3%          21.4%        21.4%
Level 3   30.5%                        35.3%          22.5%        21.9%
Level 4   20.9%                        23.5%          25.1%        25.1%
Level 5   10.7%                        9.6%           9.6%         10.7%

% change (FY2021 to FY2022):
Level     Traditional infrastructure   Applications   Containers   Cloud
Level 1   -10.2%                       -9.5%          -13.0%       -15.6%
Level 2   -3.3%                        0.9%           2.8%         7.7%
Level 3   8.8%                         6.0%           1.9%         -0.6%
Level 4   5.9%                         7.1%           12.4%        9.4%
Level 5   -0.2%                        -2.0%          0.8%         3.8%

The reason for the increase could possibly be attributed to the binding directive from the US Cybersecurity and Infrastructure Security Agency (CISA), which was released in September 2020 and requires all US government agencies to have a published Vulnerability Disclosure Policy.[3] However, among respondents in government with US-based headquarters, the only asset type with a major increase was "Traditional Infrastructure," so there may be other reasons for this year-over-year increase. Although
the most important aspect of this type of identification is to have and follow a defined vulnerability disclosure policy, many companies have found value in tapping into crowdsourced identification capabilities. The researchers involved in this kind of work tend to be much more specialized and can provide more rigorous testing within their area of focus.

Analyze

If organizations want to understand what is working and what is not in their respective programs, they must spend a good amount of time analyzing the data. Much of the focus in the industry is on prioritization, possibly because it is easier to market a product that can successfully help in this area, but it is also important to dig into the details and analyze why certain metrics fall short of expectations. (Why aren't teams patching patchable vulnerabilities? Why do certain technologies seem to consistently cause the most problems?)

Prioritization

Prioritization maturity has improved this year with more companies moving from Level 3 (defined) to Level 4 (quantitatively managed) and Level 5 (optimizing). See Figure 15. The marked increase in technologies available to consolidate and prioritize security vulnerabilities has likely made it easier
for companies to prioritize more consistently and incorporate publicly available threat intelligence. This writer has definitely seen more adoption of these technologies over the past couple of years.

[3] "Binding Operational Directive 20-01: Develop and Publish a Vulnerability Disclosure Policy," Cybersecurity and Infrastructure Security Agency (CISA), www.cisa.gov/binding-operational-directive-20-01

Figure 15. Maturity of Prioritization or Risk Ranking Processes
How would you rank the maturity of your prioritization or risk ranking processes and procedures?

Level     2021    2022    Change (FY2021 to FY2022)
Level 1   9.8%    7.0%    -2.8%
Level 2   22.5%   21.5%   -1.0%
Level 3   35.3%   30.6%   -4.6%
Level 4   20.6%   26.9%   6.3%
Level 5   11.8%   14.0%   2.2%

As asset inventories, tags, or other mechanisms for storing context improve, organizations will be able to not only prioritize generally, but also prioritize within the reports and lists targeting specific stakeholder groups, program components, or program technologies. As internal threat intelligence capabilities increase, they may even be able to provide more company-specific customizations to the risk scores they use for prioritization. While this tactic can help focus on reducing the riskiest vulnerabilities, we have found it is not nearly as important as root-cause analysis.

Root-Cause Analysis

The maturity of organizations' root-cause analysis processes and procedures has flipped from leaning left, or less mature, to leaning right on the maturity model matrix. Even more organizations are exceeding the defined level for this capability than for prioritization, which was not the case last year. See Figure 16. We believe this is a positive sign because, as we discussed in last year's survey results, many organizations struggle to adequately acknowledge and communicate problems within the program that may require support from outside the program and participating technology organizations.[4] This year's survey showed that more organizations have started to generate owner- and role-level
metrics and data to provide more focused visibility than in 2021. This visibility streamlines root-cause analysis.

Communicate

Effective and efficient communication can help ensure the success of a vulnerability management program. Not only does it help establish buy-in, but it also helps influence behavior. In order to be effective, an organization needs to know what information is best suited for each stakeholder group. It can determine this by analyzing what changes need to happen within the different stakeholder groups and then determining which metrics are most likely to drive those changes or behaviors. It can't be all about the data: turn the data into a compelling story for more widespread understanding and adoption.

[4] "A SANS 2021 Survey: Vulnerability Management: Impacts on Cloud and the Remote Workforce," SANS, www.sans.org/white-papers/sans-2021-survey-vulnerability-management-impacts-cloud-remote-workforce/ (registration required to download paper).

Figure 16. Maturity of Root Cause Analysis
How would you rank the maturity of your root cause analysis processes and procedures?

Level     2021    2022    Change (FY2021 to FY2022)
Level 1   17.8%   14.1%   -3.7%
Level 2   28.7%   21.1%   -7.6%
Level 3   22.8%   27.6%   4.8%
Level 4   23.8%   29.2%   5.4%
Level 5   6.9%    8.1%    1.2%

Metrics and Reporting

Last year, the majority of organizations rated themselves at Level 2 (Managed), but this year most organizations have moved to at least a
Defined or Level 3 maturity. See Figure 17. If organizations can get more accurate context to enable them to produce more targeted reports and establish treatment timelines and bug bars that correspond to their policies and standards, they can measure compliance even more effectively. This would help with root-cause analysis, getting buy-in from stakeholders, and possibly increasing top-down support from management.

Alerting

Alerting can be highly effective if used judiciously. Organizations should carefully analyze where risk is too high to wait for reports and dashboards, and determine where alerts may be beneficial. It may be helpful to create alerts that nudge stakeholders to view their reports or action any tickets or backlog items. Work closely with those stakeholders to define requirements so they can help make the alerts as effective as possible.

Last year, more organizations were confident in the maturity of their alerting capabilities than in their metrics and reporting. The difference in maturity between these two capabilities is not as drastic this year, but there are more organizations at Level 4 (Quantitatively Managed) for alerting than last year. The year-over-year increase in alerting maturity is not quite as pronounced as the increase in reporting and metrics, but it was good to see a large drop in those at Level 1 (-10%). See Figure 18.

Alerts are ideal for emergency vulnerabilities, such as zero-day vulnerabilities or vulnerabilities actively being exploited. They may also help increase focus on monthly or quarterly goals set by the organization. Creating alerts for vulnerabilities approaching their defined due dates can also be helpful, as long as those timeframes are achievable for each stakeholder group.
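The treatment timelines, bug bars, compliance measurement and due-date alerting described in the Metrics and Reporting and Alerting sections, as an added worked example that is not part of the SANS report. It assumes a hypothetical bug bar (7/30/90/180 days by severity, 3 days for anything actively exploited, a 5-day nudge window) and a constructed set of findings; the stakeholder groups and finding identifiers are made up.

```python
"""Added example (not from the SANS report): derive treatment due dates from a
bug bar, measure SLA compliance per stakeholder group and emit the alert types
the report describes. Bug bar values, owners and findings are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Hypothetical bug bar: maximum days allowed to treat a finding, by severity.
BUG_BAR_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
EXPLOITED_DAYS = 3        # actively exploited findings are pulled forward
NUDGE_WINDOW_DAYS = 5     # nudge the owner when the due date is this close


@dataclass(frozen=True)
class Finding:
    finding_id: str
    owner: str                      # stakeholder group that has to act
    severity: str
    first_seen: date
    actively_exploited: bool = False
    remediated_on: Optional[date] = None


def due_date(f: Finding) -> date:
    """Treatment deadline from the bug bar (tighter when actively exploited)."""
    days = EXPLOITED_DAYS if f.actively_exploited else BUG_BAR_DAYS[f.severity]
    return f.first_seen + timedelta(days=days)


def classify(f: Finding, today: date) -> str:
    """remediated_in_sla | remediated_late | overdue | due_soon | on_track"""
    due = due_date(f)
    if f.remediated_on is not None:
        return "remediated_in_sla" if f.remediated_on <= due else "remediated_late"
    if today > due:
        return "overdue"
    if (due - today).days <= NUDGE_WINDOW_DAYS:
        return "due_soon"
    return "on_track"


def alerts(findings: List[Finding], today: date) -> List[Tuple[str, str, str]]:
    """(alert type, owner, finding id) for open findings only: emergency for
    anything actively exploited, escalate when overdue, nudge inside the window."""
    out = []
    for f in findings:
        if f.remediated_on is not None:
            continue
        state = classify(f, today)
        if f.actively_exploited:
            out.append(("emergency", f.owner, f.finding_id))
        elif state == "overdue":
            out.append(("escalate", f.owner, f.finding_id))
        elif state == "due_soon":
            out.append(("nudge", f.owner, f.finding_id))
    return out


def compliance_by_owner(findings: List[Finding], today: date) -> Dict[str, float]:
    """Share of each owner's findings within SLA: remediated on time, or
    still open but not yet past due."""
    total: Dict[str, int] = {}
    within: Dict[str, int] = {}
    for f in findings:
        total[f.owner] = total.get(f.owner, 0) + 1
        if classify(f, today) in ("remediated_in_sla", "due_soon", "on_track"):
            within[f.owner] = within.get(f.owner, 0) + 1
    return {o: round(within.get(o, 0) / n, 2) for o, n in total.items()}


# Constructed backlog as of a fixed reporting date.
TODAY = date(2022, 10, 15)
SAMPLE = [
    Finding("F-1", "platform", "critical", date(2022, 10, 1), remediated_on=date(2022, 10, 6)),
    Finding("F-2", "platform", "high", date(2022, 9, 1), remediated_on=date(2022, 10, 10)),
    Finding("F-3", "web-apps", "medium", date(2022, 7, 10), actively_exploited=True),
    Finding("F-4", "web-apps", "high", date(2022, 9, 18)),
    Finding("F-5", "web-apps", "low", date(2022, 10, 1)),
    Finding("F-6", "platform", "critical", date(2022, 10, 1)),
]

if __name__ == "__main__":
    for a in alerts(SAMPLE, TODAY):
        print(a)
    print(compliance_by_owner(SAMPLE, TODAY))
```

Two design points follow the text: the emergency alert fires for an actively exploited finding regardless of where it sits against its due date, and the compliance figure counts open-but-not-yet-due findings as compliant, so the number an owner sees is about the timeline they agreed to rather than the size of the backlog.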
109、oited.They may also help increase focus for monthly or quarterly goals set by the organization.Creating alerts for any vulnerabilities approaching defined due dates can also be helpful as long as those timeframes are achievable for each stakeholder group.Figure 17.Maturity of Metrics and ReportingHo
110、w would you rank the maturity of your VM metrics and reporting?40%30%20%10%0%9.2%Level 125.4%Level 234.1%Level 320.5%Level 410.8%Level 5Level 1 11.7%9.2%-2.5%Level 2 33.0%25.4%-7.6%Level 3 24.3%34.1%9.8%Level 4 19.4%20.5%1.1%Level 5 11.7%10.8%-0.9%2021%Change2022%Change(FY2021FY2022)Figure 18.Maturi
111、ty of Alerting Processes and ProceduresHow would you rank the maturity of your VM alerting processes and procedures?40%30%20%10%0%9.2%Level 124.3%Level 228.6%Level 325.4%Level 412.4%Level 5Level 1 19.0%9.2%-9.8%Level 2 25.0%25.4%0.4%Level 3 25.0%34.1%9.1%Level 4 19.0%20.5%1.5%Level 5 12.0%10.8%1.2%2
112、021%Change2022%Change(FY2021FY2022)16SANS Vulnerability Management Survey 2022TreatmentIf an organization is doing everything else well,it would be natural to assume that treatment or remediation would follow.But alas,this is not always the case.Here is where root-cause analysis can help determine w
113、hat may be preventing technology teams from moving forward.They may find that the solution to their problem lies not in how they identify and communicate vulnerabilities,but in how they build,deploy,and maintain their systems,software,and applications.While security teams are not typically directly
114、responsible for these functions,effective preparation,identification,analysis,and communication will hopefully lead to crucial conversations about systems architecture and design.Maybe such involvement will allow them to participate in the next digital transformation project to more tightly integrat
115、e and automate change,patch,and configuration management processes.At SANS,we have noticed that the organizations most effectively reducing their vulnerability backlogs have opted in to a continuous update approach to patch and configuration management.In this approach,teams continuously test agains
116、t and apply the latest patches and versions of operating systems,software,libraries,and any required configuration changes.Build and deployment teams are required to have excellent test coverage,which is more easily accomplished through automation.While this might not describe your organization toda
117、y,consider how to get the support to make these changes in your environment.Change ManagementAs we look at organizations maturity as it relates to change management,it has increased across the board,with the cloud asset type being the least mature and also increasing the least since last year(7%).Se
118、e Figure 19 for this years results.The dynamic nature of the cloud and the fact that cloud deployment teams may operate separately and distinctly from other infrastructure and application teams may contribute to the lower maturity.Traditional infrastructure and applications rate the highest,which ma
119、kes sense because these areas were why organizations implemented change management in the first place.Figure 19.Maturity of Change Management by CategoryHow would you rank the maturity of your change management processes and procedures as they relate to VM across traditional infrastructure,applicati
120、ons,containers,and cloud?Select a scale for each category.Traditional infrastructure Applications Containers Cloud40%30%20%10%0%14.1%12.0%20.1%17.5%Level 121.2%17.4%19.6%21.7%Level 230.4%31.5%27.7%26.6%Level 324.5%27.2%22.3%22.3%Level 48.2%12.0%7.6%9.2%Level 5Level 1-3.7%-4.5%-8.3%-10.1%Level 2-6.1%
121、-1.4%-1.0%9.0%Level 3 5.1%0.0%5.2%0.2%Level 4 5.6%10.7%12.5%9.5%Level 5 0.2%-2.6%-1.2%-2.5%Traditional infrastructureContainersCloudApplications%Change(FY2021FY2022)17SANS Vulnerability Management Survey 2022Patch ManagementOrganizations are over 11%more mature in their patch management capability t
122、han configuration management for traditional infrastructure,but the difference is much less pronounced for other asset types.This difference could be because other asset types,especially containers,are not really patched as much as updated with a new image.Comparing results from this year with those
123、 from last year,the biggest increase in maturity occurred at Level 3(defined).See Figure 20 for this years survey results in this category.Keep in mind that this survey question measures the maturity of the organizations treatment processes,which doesnt always equate to 100%successful remediation of
124、 vulnerabilities.Organizations with mature processes can and do still encounter obstacles that cause patches and their associated vulnerabilities to be excluded from the regular process.Configuration ManagementFor configuration management,organizations are generally less mature,but the increase betw
125、een last year and this year is still very good with the maturity of containers increasing the most(14%)and cloud the least(1%).Last year we were surprised by the low maturity within the container space,so we are happy to see these improvements.See Figure 21(on the next page)for this years survey res
126、ults in configuration management.We expect cloud capabilities to increase as more organizations leverage automation to build out and manage their cloud environments and as cloud-native options continue to mature.Figure 20.Maturity of Overall Patch Management5How would you rank the maturity of your p
127、atch management processes and procedures as they relate to VM across traditional infrastructure,applications,containers,and cloud?Select a scale for each category.Traditional infrastructure Applications Containers Cloud40%30%20%10%0%10.3%5.9%21.6%16.8%Level 121.6%14.1%17.3%20.0%Level 234.1%38.9%23.8
128、%28.1%Level 324.3%30.8%22.2%22.2%Level 49.2%10.3%11.4%10.8%Level 5Level 1 4.2%13.6%9.4%Level 2 29.2%18.2%-11.0%Level 3 25.0%31.2%6.2%Level 4 33.3%24.9%-8.4%Level 5 8.3%10.4%2.1%2021%Change2022%Change(FY2021FY2022)5 Note:We used the average for 2022,as we didnt break out categories in 2021.18SANS Vul
129、nerability Management Survey 2022Based on what the survey indicates about how organizations handle patch and configuration management,healthcare,education,and retail are the industries that rely the most on manual processes.This does not mean that no one in these industries is automating patch and c
130、onfiguration management,but there are more respondents indicating manual patching in these industries than in other industries.When we consider how those industries are operated and the design of their networks,this statistic makes more sense.The equipment used is usually more tightly controlled and
131、 may leverage technology to return the devices to the expected state when users log out(Kiosk Mode)or may require more firmware updates vs.traditional software-based patch and configuration changes.Combine this with a generally more distributed operating model,and it may explain why manual update pr
132、ocesses are more common in these industries.Manufacturing,technology,banking and finance,and government are the industries with the most automation,according to the survey results.Manufacturing was a surprising standout this year in terms of maturity in several categories.This industry has faced a r
133、apidly evolving threat landscape over the past few years,which most likely inspired these gains.Figure 21.Maturity of Configuration Management by CategoryHow would you rank the maturity of your configuration management processes and procedures as they relate to VM across traditional infrastructure,a
134、pplications,containers,and cloud?Select a scale for each category.Traditional infrastructure Applications Containers Cloud40%30%20%10%0%11.9%9.2%21.6%16.8%Level 124.9%22.2%20.5%28.6%Level 229.2%36.2%25.9%25.9%Level 324.9%24.3%23.2%18.4%Level 47.6%8.1%6.5%8.1%Level 5Level 1-5.8%-8.5%-11.0%-11.4%Level
135、 2-6.8%0.4%-5.8%-0.5%Level 3 7.2%3.7%9.1%6.2%Level 4 9.3%3.4%8.5%3.8%Level 5-3.9%-0.6%-3.0%-0.2%Traditional infrastructureContainersCloudApplications%Change(FY2021FY2022)19SANS Vulnerability Management Survey 2022Cloud Vulnerability ManagementCloud capabilities are definitely increasing.Last year,mo
136、re than 50%of the organizations rated themselves at Level 1 or 2.This year,the number of respondents rating themselves a 1 dropped 15%from 28%down to 13%.Those ranking themselves at Level 3(Defined)or higher increased 17%(to 65%this year from 48%last year).Cloud vulnerability management solutions ha
137、ve rapidly expanded in recent years.Many providers offer native solutions and many of the cloud security vendors have greatly improved their capabilities,which makes it easier for organizations to get better insight into the vulnerabilities in their cloud environments.See Figure 22 for this years cl
138、oud vulnerability management rankings.SANS sees a huge opportunity to mature even further in this area.Cloud operating environments are fully programmable so moving to Levels 4 and 5 should be even easier than in more traditional operating environments.For example,cloud-native alerting capabilities
139、such as Amazon EventBridge and Azure Event Grid make it easy to create alerts that provide visibility into highly critical and time-sensitive issues.Also,big data capabilities make it faster and easier to generate valuable metrics and reports if those capabilities dont exist in the organizations tra
140、ditional environments.Lastly,because IaaS assets and containerized applications are all created from images,organizations can move away from traditional scanning,patching,and configuration activities and focus on ensuring that teams are using current,approved images;continuously testing against thes
141、e updated images;and automatically updating to approved images on a defined interval.Figure 22.Maturity of Cloud VM OverallHow would you rank the overall maturity of your VM program in addressing vulnerabilities in the cloud?40%30%20%10%0%13.1%Level 121.9%Level 236.1%Level 321.3%Level 47.7%Level 5Le
142、vel 1 28.0%13.1%-14.9%Level 2 23.0%21.9%-1.1%Level 3 23.0%36.1%13.1%Level 4 16.0%21.3%5.3%Level 5 9.0%7.7%-1.3%2021%Change2022%Change(FY2021FY2022)20SANS Vulnerability Management Survey 2022Summary and Final RecommendationsBased on the trends we see in this years survey,things are looking up in the
143、vulnerability management world.Theres still work to be done,of course,but organizations have never had as much help as they do now.One way they can take advantage of this help is by strategically choosing to offload the responsibility for updating and configuring certain systems and applications to
144、cloud providers by leveraging more platform and software as a service or serverless functions.On the application side,many organizations are already leveraging third-party libraries and frameworks to provide much of the needed functionality.This trend helps save time and effort by eliminating the ne
145、ed to scan,triage,and fix as much code.Security teams just need to make sure they proactively manage those supply chain vulnerabilities and are able to respond quickly when dangerous vulnerabilities are identified in the libraries they leverage.By shifting the responsibility for certain systems and
146、software to others,organizations can focus more on the traditional asset types,where organizations need more visibility and control.In addition to these third-party capabilities,the security industry has never had so many supporting technologies and services to help us succeed.No technology or servi
147、ce is perfect,but with the right support,many can provide substantial value to the organization.To really make a difference,however,an organization needs the right combination of people,process,and technology.The technologies might facilitate the gathering of data and can do some basic interpretatio
148、n,but it is up to those of us on the front lines to really dig into the details to understand where the larger,more challenging problems exist.Then,we must work to find solutions.If the fix is manual and repetitive,we should look at improving our processes or automating the solution.If there is a ga
149、p in our technologies,we should work to close it either through customization or by working with the vendor to make improvements.Through surveys like this one,SANS notes that organizations are incrementally improving year over year.Vulnerabilities will never cease to exist,but maybe in five to ten y
150、ears,handling them will be business as usual.In order for that to happen,however,it will require not only maturing security capabilities,but also systems and software development and support capabilities.The advantage the industry has now is that there are organizations successfully managing vulnera
151、bilities in systems and software at scale.Most of these companies are willing to share what they have learned,and some even provide software or services to help others manage their resources in a similar manner.Vulnerability management is hard but not impossible.Keep at it so we can see even more improvements in next years survey.21SANS Vulnerability Management Survey 2022SponsorsSANS would like to thank this surveys sponsors: