Vulnerabilities Take More Than 30 Days to Patch and Are Patched Less Than 58% of the Time

In this respect, Qualys concludes that “automation is the difference between success and failure”.

Organisations are increasingly digitised. But as well as boosting their productivity through technological investment, they are also expanding the attack surface available to cybercriminals eager to attack their infrastructure.

The Qualys Threat Research Unit has analysed the millions of events that were tracked from the Qualys Cloud Platform in 2022 and has come to five key conclusions.

The first is that “speed is the key to overcoming attacks”. Qualys finds that, on average, vulnerabilities take 30.6 days to fix. In the end, they are only patched 57.7% of the time.

Another conclusion is that “automation is the difference between success and failure”. The patching rate through automation was 72.5% in 2022, compared to 49.8% in cases where manual intervention was involved. In addition, automated patches were deployed 45% more frequently and 36% faster than others.

Qualys reveals that vulnerabilities that can be patched automatically drop to an average remediation time of 25.5 days, while manually patched vulnerabilities rise to 39.8 days.

There is also a growing trend to note: “early access agents attack what organisations ignore”. As enterprises are more effective at resolving issues in Windows and Chrome (taking 17.4 days), hackers are turning to vulnerabilities outside of these two environments, which have a remediation time of around 45.5 days.

It seems that “misconfigurations are still prevalent in web applications”. Of the 370,000 applications analysed by Qualys and the more than 25 million vulnerabilities detected, 33% were incorrectly configured. As a result, cybercriminals spread malware in some 24,000 applications.

In this sense, “misconfigurations are a gateway for ransomware”. The three techniques most associated with failed controls for cloud misconfigurations are exploitation of remote services, destruction of data, and corruption of cloud storage objects.