Why Attackers Keep Winning at 'Patch or Perish'
Fresh Flaws Exploited Faster Than They're Patched, Says Tenable's Gavin Millard
One of the biggest information security challenges facing organizations is that they must try to identify and patch all new vulnerabilities that come to light in every piece of software and hardware that they use. Unfortunately, no matter how quickly patch managers move, on average, attackers move faster, developing exploits that target new flaws before they get fixed, says Gavin Millard, technical director for Europe, the Middle East and Africa at Tenable.
Tenable analyzed the top 50 vulnerabilities of last year to study how quickly attackers could exploit new flaws relative to how quickly organizations patched them. "The average time from a vulnerability being disclosed to an exploit being available - so basically, an attacker being able to leverage that exploit - is five days," Millard says. But 34 percent of the top 50 vulnerabilities involved a zero-day attack that exploited a flaw before it was publicly known. Meanwhile, organizations took 12.8 days on average to identify known flaws and often then took weeks to remediate them.
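The metrics Millard cites (disclosure-to-exploit time, zero-day share, time-to-identify, time-to-remediate) are straightforward to compute from an organization's own vulnerability timelines. The following is an added example written for this article, not Tenable's analysis or code; the vulnerability identifiers, dates and the "as of" date are constructed for illustration. It also computes the per-vulnerability exposure window, the days during which an exploit existed but the fix was not yet applied, which is the figure a vulnerability management programme actually needs to drive down.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional, Sequence


@dataclass(frozen=True)
class VulnRecord:
    """Timeline of one vulnerability as seen by the defending organization."""
    vuln_id: str                 # constructed placeholder id, not a real CVE
    disclosed: date              # public disclosure (advisory / CVE publication)
    exploit_available: date      # first public or observed exploit
    detected: date               # first flagged by the organization's scanner
    remediated: Optional[date]   # patch or mitigation applied; None = still open


def days_between(start: date, end: date) -> int:
    return (end - start).days


def is_zero_day(r: VulnRecord) -> bool:
    # An exploit that predates public disclosure is a zero-day by definition.
    return r.exploit_available < r.disclosed


def exposure_window(r: VulnRecord, as_of: date) -> int:
    # Days an exploit existed while the organization had no fix in place.
    # Open findings are measured up to the reporting date.
    end = r.remediated if r.remediated is not None else as_of
    return max(0, days_between(r.exploit_available, end))


def summarize(records: Sequence[VulnRecord], as_of: date) -> dict:
    """Aggregate the timing metrics described in the article over a set of records."""
    if not records:
        raise ValueError("no records to summarize")
    zero_days = [r for r in records if is_zero_day(r)]
    disclosed_first = [r for r in records if not is_zero_day(r)]
    closed = [r for r in records if r.remediated is not None]
    return {
        "count": len(records),
        "zero_day_share": len(zero_days) / len(records),
        # Disclosure-to-exploit only makes sense where disclosure came first.
        "mean_disclosure_to_exploit_days": (
            float(mean(days_between(r.disclosed, r.exploit_available) for r in disclosed_first))
            if disclosed_first else None
        ),
        "mean_disclosure_to_detect_days": float(mean(days_between(r.disclosed, r.detected) for r in records)),
        "mean_detect_to_remediate_days": (
            float(mean(days_between(r.detected, r.remediated) for r in closed)) if closed else None
        ),
        "mean_exposure_window_days": float(mean(exposure_window(r, as_of) for r in records)),
        "still_open": len(records) - len(closed),
    }


# Constructed sample data: three fictitious findings, one of them a zero-day and
# one still unremediated at the reporting date.
AS_OF = date(2023, 5, 3)
SAMPLE_RECORDS = [
    VulnRecord("VULN-0001", date(2023, 3, 1), date(2023, 3, 6), date(2023, 3, 13), date(2023, 4, 3)),
    VulnRecord("VULN-0002", date(2023, 3, 15), date(2023, 3, 10), date(2023, 3, 29), date(2023, 4, 12)),
    VulnRecord("VULN-0003", date(2023, 4, 1), date(2023, 4, 4), date(2023, 4, 14), None),
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RECORDS, AS_OF).items():
        print(f"{key}: {value}")
```

Feeding real scanner exports into `summarize` gives the organization's own version of the 5-day versus 12.8-day comparison; the exposure window is the number to track over time, since it captures both slow detection and slow remediation in one figure.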
In a video interview at the recent Infosecurity Europe conference in London, Millard discusses:
- The ever-increasing quantity of vulnerabilities found in software;
- The timeframe in which attackers exploit flaws, compared to when they get fixed;
- The quest for better vulnerability management practices.
Millard serves as the technical director for EMEA at Tenable. An ethical hacker, Millard works with enterprises to address their cybersecurity challenges. He previously worked as the EMEA technical director for Tripwire. Millard regularly speaks on data integrity, hacking and other key security topics.