250k Vulnerabilities and 50k Data Breaches You Need To Know About
March 22, 2021 • RBS
No one can argue against the notion that Better Data Matters. Quality data enables organizations to make better risk decisions. Despite this, the vulnerability and breach intelligence that is widely available is simply not good enough.
What exactly makes commonly used data inadequate? Well, for starters, it is not comprehensive, detailed, or timely. If your data source is missing the vulnerabilities that matter to you, you are unable to take appropriate steps to mitigate the risk. If it lacks sufficient detail, you’re unable to make risk-based decisions or prioritize effectively. Meanwhile, if it takes too long to reach you, it prolongs the vulnerability research process or leaves you in the dark about weaknesses in your supply chain until it’s too late.
Data should be able to illuminate and highlight any areas of concern within your security ecosystem. As such, it has been our mission at Risk Based Security to provide our clients with the most comprehensive, detailed and timely vulnerability and breach intelligence available on the market. We take great pride in how extensive our vulnerability and data breach intelligence is.
VulnDB Reaches Over 250,000 Vulnerabilities
Our research team aggregated over 250,000 vulnerabilities in our VulnDB database, cementing it as the most comprehensive source of vulnerability intelligence on the market by far. Consider that at the time of writing, CVE/NVD only has around 150,000 entries.
What exactly do these numbers mean for your security team? It means that your team may be missing valuable exploit details, solution details, and important metadata for every asset your organization is using that can be mapped to CVE/NVD. VulnDB fully maps to CVE, but also contains over 80,000 vulnerabilities that cannot be found in it, as well as those found in third-party libraries and dependencies. Within each of those entries, VulnDB also provides deeper metadata that enables users to gain more insights into their risk profile.
Most vulnerability intelligence platforms don’t provide exploit status, and it’s no secret that CVE/NVD entries also lack this information. Additionally, in many cases, key references and solution data are either missing or inconclusive, making it necessary for security professionals to find all of this themselves, resulting in hours spent researching vulnerabilities rather than actually managing them.
When you take these factors into account, given the high number of vulnerabilities being disclosed and the frequency with which issues arise, organizations using widely available data may end up reactively treating risk instead of treating the root causes.
To help treat the root causes, VulnDB gives organizations additional insights to perform Vulnerability Management from a more strategic standpoint while also providing essential exploit and solution details if they are known. Some of these include historical data, extensive metadata, product ratings, social risk scores and more. With these insights, organizations can begin to answer hard-hitting questions like:
- What vendors or products are most likely to put me at risk for a compromise or data breach?
- What products or libraries/components cost the most to maintain securely?
- What vendors care about their own security and are they actively addressing the vulnerabilities within their own products?
- If a vulnerability makes it through, how quickly do my vendors respond and provide a patch?
Along with the VulnDB entries that do map to CVE, organizations also have access to over 80,000 vulnerabilities missed by CVE/NVD. The same consistent and comprehensive data can be found in those missing entries as well. All VulnDB entries contain easy-to-understand ratings and enable security teams to get a better understanding about the products they are relying on.
CRA Tracks Over 50,000 Data Breaches
On the data breach side, we hit a major milestone of over 50,000 tracked data breaches in Cyber Risk Analytics. The number of breaches as well as the number of records exposed has escalated, making data breaches a Board-level concern for businesses.
“One constant we’ve observed over the years is that malicious actors continuously seek the most lucrative targets. Whether it’s causing painful disruptions to operations or focusing on key service providers with a wealth of client data, attackers understand and target those opportunities that will maximize the return on their efforts.”
Inga Goddijn, Executive Vice President, Risk Based Security
As consumers and organizations continue to adopt new technologies, sensitive data is more available than ever before and the consequences of a breach have risen dramatically. But even if your organization has taken steps to mitigate the impact of a breach, can the same be said about the third parties supporting your supply chain? Can you be sure that your third parties are taking the same precautions as you to protect your data?
A third-party breach can have serious implications: one organization’s compromise can lead to the compromise of others’ data held on that system. The most prominent example of this was the unfortunate breach at Blackbaud, where attackers gained access to hundreds of customers’ client data, leading to a chain reaction of lawsuits.
Unfortunately, most organizations find out the hard way when they read the next day’s news headline. And even then, not all the important details can be found in the news. Like any kind of intelligence, it needs to be actionable.
With CRA, organizations can transform those headlines into actionable intelligence. Each of the 50,000+ data breaches contained in CRA has up to 68 attributes of rich metadata, where known, such as breach type, threat vectors, costs, and more. With this data, our clients are able to perform informed vendor due diligence and improve their vendor selection processes, prioritize security controls, and assist in mergers & acquisitions, all while continuously monitoring them and other organizations they care about the most.
Better Data Matters
Risk Based Security provides the world’s most comprehensive and timely vulnerability intelligence, breach data and risk ratings. These two major milestones in both VulnDB and Cyber Risk Analytics show that it is possible to have both quality and quantity in data. A lot more can be said about both of our products, but we wanted to share and explain how these numbers translate into better outcomes and risk decisions. If you would like to learn more and see for yourself the impacts of better data, feel free to contact us.