Vulnerability management company Tenable is creating a new research alliance program designed to share information prior to vulnerability disclosures and reduce the window of opportunity threat actors have to exploit newly disclosed vulnerabilities.
According to the company, the Tenable Research Alliance Program allows security teams and system administrators to address attack paths and mitigate vulnerabilities before hackers are able to leverage the bugs and gain access into victim environments.
Beginning with five inaugural members Canonical, CIQ, GreyNoise and TuxCare [the new brand name for CloudLinux Enterprise services], the technology partners will share vulnerability details in accordance with Coordinated Vulnerability Disclosure (CVD) best practices, making it more likely that software scripts that find instances of the flaw can be developed, tested and deployed to coincide with public disclosure announcements.
According to the U.S. Cybersecurity and Infrastructure Security Agency, threat actors are able to exploit a vulnerability within 15 days of its discovery. However, a 2020 Tenable report found that 73% of vulnerabilities are still unpatched within 30 days of the first assessment, and about 54% still exist after 120 days.
The median time to assess all instances of a given vulnerability across a single organization is 29 days, and the median time to remediate all of those instances is 40 days, according to the Tenable report.
By giving organizations the same intelligence as threat actors and the tools they need to find and fix flaws, the Tenable Research Alliance Program enables organizations to remediate their IT environments on day zero, before any threat actors are able to search for vulnerable instances and exploit the flaws.
Robert Huber, chief security officer and head of research at Tenable, says the “dinner bell” sounds for both good and bad actors alike when a vulnerability is disclosed.
“We know threat actors are monitoring disclosure programs in the same way we are, looking for newly announced vulnerabilities, studying all available information such as proof of concepts, but they’re looking to utilize the flaw,” Huber says. “By giving our customers the tools to address these weaknesses when they’re publicly announced, we reduce that intelligence gap and hand the advantage back to the good guys.”