[BreachExchange] 250k Vulnerabilities and 50k Data Breaches You Need

Destry Winant destry at riskbasedsecurity.com
Mon Mar 22 10:28:14 EDT 2021


https://www.riskbasedsecurity.com/2021/03/22/250k-vulnerabilities-and-50k-data-breaches-you-need/

No one can argue against the notion that Better Data Matters. Quality data
enables organizations to make better risk decisions. Despite this, the
vulnerability and breach intelligence that is widely available is simply
not good enough.

What exactly makes commonly used data inadequate? Well, for starters, it is
not comprehensive, detailed, or timely. If your data source is missing the
vulnerabilities that matter to you, you are unable to take appropriate
steps to mitigate the risk. If it lacks sufficient detail, you’re unable to
make risk-based decisions or prioritize effectively. Meanwhile, if it takes
too long to reach you, it prolongs the vulnerability research process or
leaves you in the dark about weaknesses in your supply chain until it’s too
late.

Data should be able to illuminate and highlight any areas of concern within
your security ecosystem. As such, it has been our mission at Risk Based
Security to provide our clients with the most comprehensive, detailed and
timely vulnerability and breach intelligence available on the market. We
take great pride in how extensive our vulnerability and data breach
intelligence is.

This month, our products VulnDB and Cyber Risk Analytics (CRA) hit major
milestones, reaching over 250,000 vulnerability entries and over 50,000
tracked data breaches.

VULNDB REACHES OVER 250,000 VULNERABILITIES

Our research team aggregated over 250,000 vulnerabilities in our VulnDB
database, cementing it as the most comprehensive source of vulnerability
intelligence on the market by far. Consider that at the time of writing,
CVE/NVD only has around 150,000 entries.

What exactly do these numbers mean for your security team? It means that
your team may be missing valuable exploit details, solution details, and
important metadata for every asset your organization is using that can be
mapped to CVE/NVD. VulnDB fully maps to CVE, but also contains over 80,000
vulnerabilities that cannot be found in it as well as those found in
third-party libraries and dependencies. Within each of those entries,
VulnDB also provides deeper metadata that enables users to gain more
insights into their risk profile.

Most vulnerability intelligence platforms don’t provide exploit status, and
it’s no secret that CVE/NVD entries also lack this information.
Additionally, in many cases, key references and solution data are either
missing or inconclusive, making it necessary for security professionals to
find all of this themselves, resulting in hours being spent researching
vulnerabilities rather than actually managing them.

When you take these factors into account, given the high number of
vulnerabilities being disclosed and the frequency with which issues arise,
organizations using widely available data may end up reactively treating
risk instead of treating the root causes.

To help treat the root causes, VulnDB gives organizations additional
insights to perform Vulnerability Management from a more strategic
standpoint while also providing essential exploit and solution details if
they are known. Some of these include historical data, extensive metadata,
product ratings, social risk scores and more. With these insights,
organizations can begin to answer hard-hitting questions like:

- What vendors or products are most likely to put me at risk for a compromise
  or data breach?
- What products or libraries/components cost the most to maintain securely?
- What vendors care about their own security and are they actively addressing
  the vulnerabilities within their own products?
- If a vulnerability makes it through, how quickly do my vendors respond and
  provide a patch?

Along with the VulnDB entries that do map to CVE, organizations also have
access to over 80,000 vulnerabilities missed by CVE/NVD. The same
consistent and comprehensive data can be found in those missing entries as
well. All VulnDB entries contain easy-to-understand ratings and enable
security teams to get a better understanding about the products they are
relying on.

CRA TRACKS OVER 50,000 DATA BREACHES

On the data breach side, we hit a major milestone of over 50,000 tracked
data breaches in Cyber Risk Analytics. The number of breaches as well as
the number of records exposed has escalated, making data breaches a
Board-level concern for businesses.

“One constant we’ve observed over the years is that malicious actors
continuously seek the most lucrative targets. Whether it’s causing painful
disruptions to operations or focusing on key service providers with a
wealth of client data, attackers understand and target those opportunities
that will maximize the return on their efforts.”

Inga Goddijn, Executive Vice President, Risk Based Security

As consumers and organizations continue to adopt new technologies,
sensitive data is more available than ever before and the consequences of a
breach have risen dramatically. But even if your organization has taken
steps to mitigate the impact of a breach, can the same be said about the
third parties supporting your supply chain? Can you be sure that your third
parties are taking the same precautions as you to protect your data?

[Figure: The number of third party breaches added by Q4 in the past eight years]

A third party being breached can have serious implications where one
organization’s compromise can lead to the compromise of others’ data held
on that system. The most prominent example of this was the unfortunate
breach at Blackbaud, where attackers gained access to hundreds of
customers’ client data leading to a chain reaction of lawsuits.

Unfortunately, most organizations find out the hard way when they read the
next day’s news headline. And even then, not all the important details can
be found in the news. Like any kind of intelligence, it needs to be
actionable.

With CRA, organizations can transform those headlines into actionable
intelligence. For those 50,000+ data breaches contained in CRA, each breach
has up to 68 attributes of rich metadata, if they are known, such as breach
type, threat vectors, costs, and more. With this data, our clients are able
to perform informed vendor due diligence and improve their vendor selection
processes, prioritize security controls, and assist in mergers &
acquisitions – all while continuously monitoring them and other
organizations they care about the most.

Better Data Matters

Risk Based Security provides the world’s most comprehensive and timely
vulnerability intelligence, breach data and risk ratings. These two major
milestones in both VulnDB and Cyber Risk Analytics show that it is
possible to have both quality and quantity in data. A lot more can be said
about both of our products, but we wanted to share and explain how these
numbers translate into better outcomes and risk decisions. If you would
like to learn more and see for yourself the impacts of better data, feel
free to contact us.

Request a Demo <https://www.riskbasedsecurity.com/contact/>