On-Demand Webinar
Research Insights from the 2025 Verizon DBIR: What You Need to Know to Secure Smarter
- Exposure Management
- Research
- Vulnerability Management
- Tenable Cloud Security
Join researchers from Tenable and Verizon to explore and leverage key findings from the 2025 Verizon Data Breach Investigations Report (DBIR) to enhance your organization’s proactive cyber defenses.
The threat landscape is evolving rapidly, and understanding the latest attack vectors is crucial for robust defense. Of note, the recently released 2025 Verizon DBIR revealed a concerning 34% increase in attackers exploiting vulnerabilities to gain initial access.
You can gain more insight into the DBIR findings, along with strategies to help fortify your organization's proactive cyber defenses, by watching this on-demand webinar with Verizon and Tenable researchers covering:
- What makes the most notable findings from the 2025 DBIR truly concerning, and how might they impact your security program?
- A deep dive into the Tenable vulnerability data, including what was shared and its strategic implications.
- How organizations can strengthen their cyber posture and reduce risk by adopting proactive security practices.
Who should participate?
CISOs, security leaders, and infosec professionals responsible for managing and reducing cyber risk and overall security program efficacy are encouraged to attend.
June 25, 2025 Webinar: Research Insights from the 2025 Verizon DBIR: What You Need to Know to Secure Smarter
Ray Carney:
Awesome. Thanks, David. My name is Ray Carney. I'm the Senior Director of Research Special Operations here at Tenable. I'm joined today by my colleague Scott Caveza from the Research Special Operations team and Alex Pinto, who's an associate director at Verizon in charge of the production and delivery of the DBIR.
So, Alex, we started working together on this at the end of last summer, and for those that, I mean, I can't imagine anybody in the industry that's not familiar with the DBIR, but this year marked the 18th year that the DBIR was released. And, obviously, you have a little bit of a different flavor every year. But it's always one of the hallmark publications that come out. So maybe just take a minute and talk about what the motivation for the focus of the DBIR for this year was, and how we kind of got to working together on this.
Alex Pinto:
Yeah, sure. And thanks, Ray, thanks, folks, for having me here, and it's like you said, we started working last year, right? And we work together. We collaborated a lot on the 2025 issue that we released a couple of months ago. It's actually, yeah, couple of months and 2 days just before RSA.
But, really, so for any of the folks that haven't had a chance to have a look at the report, it's something that Verizon has been doing for 18 years. And so back in 2008, there was really… look, I'm gonna say, there was really a lack of understanding of what was going on in kind of the threat landscape. Look, I'm not sure we still know what's going on right now, either.
But there was a very immediate need for, okay, let's have a look at breach data. Let's have a look at what's happening. Try to categorize, try to paint a picture, and give some sort of direction to what's going on. And so this was 2008, and I haven't quite fact-checked this fully, but I believe this was the 1st instance of a company publishing a report about the actual data. Not just some sort of marketing paper, right? Of course, everybody does it today, which is fine, right in the sense that we always need more data, more understanding of what's going on. But really the reason why the DBIR continues to exist, and we still see a need to put it together, right? And it's something that is celebrated by the industry when it's launched because the DBIR is not about Verizon. It is about the industry. It's about the community, because all the data, the data that comes from Verizon, is just this teeny, tiny bit. And we talk to all the experts. We talk to all the lead companies in their specific areas. Right? We talk to law enforcement. We talk to the government. Everybody shares anonymized data with us, and then somehow we put the report together. Every year, there is a little bit of magic there. There is a little bit of mystery in the sense that we're not quite sure how we can pull this off.
But every year we're striving to have more coverage. We're striving to talk about more data breaches. And this year has another high watermark of over 12,000 data breaches that we analyzed and talked about, right? And that's really key here, right? We're not trying. This is not about Verizon. This is not about Verizon customers. This is about the whole world, or at least the slice of the world that we could reach by our relationships, our partnerships, and including, of course, Tenable here, who is very kindly hosting this webinar. And for this year, we had over a hundred, almost a hundred different contributors. If you can move to the next slide, Ray?
Oh, actually, no! You put it on. Did you put it on the end?
Ray Carney:
Yeah, it's a little bit later. There are a couple of slides on it.
Alex Pinto:
Oh, that's fine! That's fine! Do you want to kick off the key findings then, so we can talk a little bit more about, not on the report, but also the part that you guys played.
Ray Carney:
Yeah. So, I mean, like part of it. Once we understood, Alex, that this year's focus was going to be on the vectors for breaches, and that vulnerabilities were on the rise. And this, they'd certainly been enough of a contributing factor in the year prior that it kind of grabbed your interest. And, as I recall, you guys were looking for better data to understand, not only to understand, but to do what the DBIR does really well in explaining and providing an understanding of what's happening in the threat landscape.
And so when we started talking about that, we had some ideas that we worked on. But really, the key findings there were around the initial access vectors. And how we work together to really illuminate the reality of what those vectors were like. What were attackers doing that was being successful? And what were the areas that over the coming year we could be better at? And so, certainly, I don't think it's going to be any surprise to anybody in the industry that **credential abuse** is still really big, but coming in a very close second is the **exploitation of vulnerabilities** across the available attack surface.
The way that we tend to talk about this is, you think about where things fall on the threat triangle, and it's where capability meets opportunity. And that's really the focus of our team – we’re trying to understand where those opportunities exist and where they intersect with the capabilities that threat actors are leveraging.
Third, of course, **phishing** is always going to be big – makes sense. You know, security is a human problem, right? Your number one vulnerability is people.
But in our key findings, those were kind of the 3 top things. And then we started to look into how those things took shape. What was the timeframe in terms of how long did it take for things to become exploited from the moment they were discovered? You know, people talk about zero days a lot. Right? Well, a zero day is only a zero day for one day. Right after that, it's a known vulnerability. And you're just into that wash, rinse, repeat cycle of mitigate or remediate. Right? So certainly, you see a spike there as attackers look for those opportunities when new vulnerabilities become available, and new opportunities are created. But then, how long does it take the community of defenders to really react, respond, and remediate those things? So maybe you can talk a little bit about your interpretation of that, and how it fits into the bigger picture of the DBIR and the data that you have from all those contributors.
Alex Pinto:
Of course. So, like Ray suggested, the big thing here is that exploitation of vulnerabilities might be second on that chart, there on top. But this comes from a sharp growth of two years in a row. Right? We already had something significant happen throughout the year of 2023, which was reported on the 2024 report, which had to do a lot with kind of like fire server management, vulnerabilities, things like MOVEit. It got kind of all the name recognition. But there were other similar ones as well that happened at roughly the same time. We've contributed to this number going up and getting close to phishing, which we were already like, 'Oh, this is significant,' because phishing has been kind of stable for a while in our dataset.
But then this year it jumps again. And so we started looking at vulnerability data last year as not exactly vulnerability data, but vulnerability management data, because our 1st reaction was ‘Oh, the threat is getting worse.’ Clearly, there is an increased focus here. How are we doing as defenders, or what does it look like on the other side of this board as we're trying to keep up with all those different things? And as this trends continue, the ability we had to work with Ray and his team really expanded our view on how many different types of companies, and how many different kinds of vulnerabilities we could see.
So, the big focus that we did was on what we understood to be kind of the core problem throughout 2024, which was all those vulnerabilities targeting network perimeter devices, right? So kind of the big twist on the same formula that started happening in 2024 was that firewalls were being targeted. VPN concentrators are being targeted, right? So that old idea where? Well, I'm trying to figure out what I'm gonna patch first.
Maybe I don't need to patch this thing here internally immediately. I can put some other compensating controls around it, and I can focus on other things that might be more important.
But those are facing the Internet. You're not going to put another firewall on top of the firewall, because that firewall is going to be vulnerable, too. And then you just go like it's firewalls all the way down. If you try to think about that strategy. So, the focus, again, was that we understand **vulnerability management** as a discipline, right? And how does it help people using vulnerability management tools? Are they making the best decisions for themselves? Right, are they? Can they understand that this threat is more imminent right now, and that this is something that they have to tackle first? Right? And so, Figure 2 tells the story of this decision-making process because we found we selected the slice of 17 vulnerabilities, and Scott's going to be talking a little bit more about it later. Which were kind of emblematic of this kind of network perimeter focus.
And looking at those CVEs, right? Which, again, more than half were zero day, as I mean, as Ray was talking, really. And what we're focusing here, on zero day, is that you have vulnerability exploitation happening. Maybe the day of CVE being published, right? Or the vulnerability came first. Right? We're not trying to split hairs in the definition. But we found that 54% of companies fully remediated when they had one of those 17… they fully remediated those 17. So 54 might seem like a low number, or only half. But this is way better than the 30-ish percent that we had on if you look at the whole CISA KEV suite, right? This is a collection of vulnerabilities identified by CISA, which is widely used by government agencies to identify those vulnerabilities they are required to patch. But the industry has kind of latched onto it as well.
And the 8%, if you look across the board of all the CVEs, so people were focusing on the right things, but still it took them a median of 32 days to accomplish patching all of it.
And so what you see on the bottom figure. There is a kind of distribution on how long it takes for people to patch, right? And so half of those people managed to patch before a month, but the other half – a big, big tail. You can see, you see, how unbalanced the chart is, right? It's really concentrated on the left side. But you get some very, very big numbers there at the end, right? Sometimes people are getting closer to a year on the vulnerabilities that were disclosed a long time ago, like in the beginning of the end of 2023, right? They were still sticking around. So that's kind of the picture that was kind of one of the dimensions that we're looking at to try to give guidance on.
Not, I mean, vulnerability is important. There are metrics. We can measure what we're doing. And you, as an organization, can compare yourself to those metrics. Again, we're talking about 400-ish companies that we were able to find a match with those 17 vulnerabilities, and they actually fully remediated.
And so, how do you measure? Can you do better than this? Maybe you should try to do better than this, right? Especially when we're talking about zero-day, potentially, exploits going on.
Ray Carney:
Awesome. Thanks, Alex.
So when we saw exploitation, obviously, that moves into another phase of the operational security cycle. So once you kind of got through that part of the DBIR, another big focus. And what you guys covered was the system intrusion from those initial access vectors. So maybe talk a little bit about that, Alex.
Alex Pinto:
Of course. So, one of the things we do on the report is that we categorize the types of breaches that we see. And so there's a very wide range of variables that we try to capture from what's going on. And it becomes cumbersome to describe a breach with. Oh, yeah, 1st they did a vulnerability, and then they deployed ransomware. And this is how long it took.
So, we have like 7 big umbrellas of things that look alike, and **system intrusion** is/has been the biggest one for a few years now, which is the idea. It's the kind of traditional cyber concept, if you think about it, of breaches where someone is breaking in through a vulnerability or even getting it through a credential. But they are really getting root or admin on the machine. They are installing malware. So they get control of the underlying server or the underlying workstation, whatever it might be, right? And that's in opposition to a different one that we have, which we call basic web application attacks. They're nothing. They're not nothing basic about them, right? But we have. We've been trying for 5 years now to find a better name for it.
But that one also includes the same types of activities. But there's no server compromise. So you can, in a way, own the application. You're able to extract data from it. You're able to do bad things to it, but you never quite control the underlying machines in this, but this can be enough depending on your objectives. So when we talk about system intrusion in the DBIR, this is absolutely, almost exclusively driven by **ransomware**. So it's there in the 1st line, 75% of our system. Intrusion breaches are ransomware, and so kind of the thing that we want to highlight, which is actually similar to findings of other reports. You might see in the market as well is that when you are just considering these types of breaches, the system intrusion ones, the exploitation of vulnerabilities, has actually overtaken credential abuse as the top initial access factor for a couple of years.
Now, right again, I go back here. Something I mentioned before, although there was movement in 2023. And now there are all these perimeter devices in 2024, right? So, if you're concerned about ransomware, which is kind of a stupid thing to say in the sense that ransomware has become so pervasive, and has become really agnostic as far as the size of your company. What industry are you in… So it's eventually something that everybody is up against, right? They're not really discriminating for targets. They're just going for anything that's kind of not nailed down to the ground, so to speak. So exploitation of vulnerabilities is a top concern as a kind of way in and the way they are. So this kind of reinforces and talks to again how significant this has been, how much success the attackers have been finding in this, right, and kind of showcases the challenges that we have as defenders, right, and as again prioritizing, choosing what we'll do first in strategy defense and figuring out other controls that we can use to try to help us keep the wave of vulnerabilities at bay.
Ray Carney:
Yeah. And Alex, that's one of the things that we talked about through this. You know, long collaboration was the different ways, the different vectors that the actors use to deliver payloads, right? And one of the things we talked a lot about was the amount of gray area now, between your typical criminal ecosystem actor and a nation-state actor. And so, whereas a few years ago, you could think of ransomware as being completely just criminal-motivated. It was. It was dollar-driven. It was just people monetizing, and getting that sort of AOL mailer approach where you put as much stuff out there, and took as much back as you could on the ransomware. I think it's become much more strategic. And in fact, it's often that we see a part of the – think of it as a supply chain for nation-state operations, where it's funding some of those efforts, and it's harder and harder as we move forward to differentiate the criminal and the state-sponsored or nation-state type of activity.
Any thoughts on that?
Alex Pinto:
Not, really. But I have a joke on an upcoming slide exactly about that. Awesome. But it's exactly… It's exactly what you said, it's very hard to differentiate. And the techniques are… They're closer together than you think. The capabilities are closer together than you think.
And you will still. And the, I think, a differentiator we still have today. Right is that nation-state actors will be more persistent, as in, if they have a mission. If they have something they need to do, they're not gonna stop at your kind of medium-to-good control environment, right? Most money-driven attackers will. Okay, we'll just move to the next one, right? But that's kind of that also is not so true, because again, most of this is automated anyway, today. So they just attack everybody at the same time and see. But anyway, that's still this. But apart from that, right, if you have some catching up to do.
Your exposure is fairly similar. The rest of my actors will use techniques that we would think, ‘oh yeah, this is just Nation State territory,’ maybe 5 to 10 years ago.
Ray Carney:
Awesome. So, as we mentioned earlier, there were. There were a lot of well, and every year, I mean, you guys have built an incredible network of contributors. And the amount of data that you guys take in from that collection of sources, and then distill into the report…It's a full-time job for a team on a year-long basis, right?
You know, you guys do a great job with that, and certainly I think it. It's great for the industry in that, as you start to work with the different partners. And you're looking at the trends coming out of 2025, thinking about what is the? What are the key problems, the things that the 2026 DBIR is gonna address? That's an ongoing evolution. So maybe, talk a little bit about what differentiated Tenable and data that we were able to do the things that drove our collaboration over the course of the past year.
Alex Pinto:
Yeah, I think the interesting thing about Tenable data for us was that, I mean, we were no strangers to vulnerability management data. We've had vulnerability management partners too for for a long time, right? And has been something we have worked with for quite a while.
But the breadth of the data, the sheer scale of the data that you folks were able to contribute, and we were able to work together. And also this. Again, how close together we worked, how much we collaborated, really made the difference that we could talk in a much deeper sense and much more proprietary, not proprietary, but with property, with certainty around. Those findings that we had right? I joked internally a little bit that I have, you know, I can analyze the biggest vulnerability data set in the world because not only do I have Tenable, but I also have some of the other top players.
But the collaboration that we did really, really made a difference in the sense again, of finding interesting findings – things that were interesting, is not quite the word I'm looking for, but that were timely and appropriate. And honing in on what mattered for the audience? Right? The most important thing when we write something on the DBIR is that we have to think, okay, so what? What is this number? I'm writing down? What is the sentencing? I'm writing down, going to help somebody take the next step or make the next decision, right? Or just regret that they were reading it, because they saw it was a terrible joke that was written down there. So it always has to have a purpose, right? The numbers have to have a purpose, right? And so this collaboration also helped us a lot. Given again, how much experience you guys have with this problem day-to-day…
Ray Carney:
Yeah.
And, so one of the things that you touched on there was the timely and accurate information. And for a long time, as an analyst, my credo is that my job is to provide timely and accurate information to decision makers, right? And that's real…. That's sort of the first tenet of our team, to the extent that we've created a decision science function where we're really focused on how we help people to make better decisions… This year, you became one of our customers in that.
And again, working back and forth, understanding the kinds of problems or the kinds of questions that you were trying to answer us, being able to go and find the right data and then tune that to where we, in fact, we created some new questions along the way, right, and created opportunity to go back over that. One of the things that happened in the course of this was the 25th anniversary of the CVE program last October. And we did some analysis around that in parallel to what we were doing, working with you. Scott drove that effort, and I'll give him an opportunity to talk about that. One of the interesting data points that we saw. And I think this kind of shines through some of the findings, which in 2019, at the 20th anniversary of the CVE program, there were 144,000 registered CVEs, okay?
Now, in 2025, or 2024, the 25th anniversary of the program, we had doubled that number. We were now at nominally 244,000 CVEs, so just shy of doubling that number over a 5-year period. And so that really kind of highlights the prioritization problem that we've talked about with just the scale of vulnerabilities that people are having to address within their environments. And how do you boil that down right? So, being able to take that number from 280,000 vulnerabilities across 244,000 CVEs, not counting other ways that exposures occur through leaked credentials, misconfigurations, and those kinds of things. The sheer scale of the problem and being able to boil it down to a focused group of less than 20 CVEs.
Again, we analyzed a tremendous amount of data to get down to that and help focus on those areas that we believed we'd be able to show to be the most impactful. So, Scott, maybe you could introduce yourself and talk a little bit about the analysis that we did on our side that helped to enable Alex and his team.
Scott Caveza:
Yeah, absolutely, thanks. Ray, Scott Caveza here, part of the research special operations team. And yeah, when we began this journey, we started asking ourselves, what insights can the data provide? What's the story that the data is going to tell us? And as you alluded to, we were working with Alex and the team, and trying, we kept coming up with new questions, new ways of how we are going to analyze this data.
To that end, over 160 million data points were looked at to gather these insights, across the past year. So we want to know what remediation, right? Remediation rates, looking specifically at what trends we observe when we drill down by industry verticals, compare and contrast the kind of remediation rates between CISA KEV CVEs and those that were not on the KEV, and I mean, I think everyone's familiar with the Known Exploited Vulnerabilities (KEV) list that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) maintains.
As we got closer to the publication date, we were looking at the list of the 17 edge device CVEs that were highlighted in DBIR. So as the name implies, those are network edge devices, those things that sit publicly facing, typically your SSL VPNs, your firewalls. You know, as Alex mentioned before, the devices that are by nature publicly accessible pose the greatest risk to your attack surface. Right? They're sitting out there on the edge. Those are the things that are ideally being patched quickly, or vendor mitigations are being applied when patching is not immediately feasible.
But yeah, we wanted to dive further into those CVEs and kind of do some more analysis on that.
So, if we want to go to the next slide. So here's that list of the 17 CVEs, and vendor and product, just to kind of break down what you'll see. And obviously, as we mentioned, these are SSL VPNs and network gateways, things that you probably recognize the names of these devices, and you probably recognize some of these from publications we posted on tenable.com/blog as part of our research alerts to kind of highlight some of these vulnerabilities throughout the year, and abuse and exploitation of them.
So I think we mentioned previously on the previous slides that exploitation was present in 20% of breaches. So I think 34% year-over-year gain, and it's just kind of again showcasing that the common problem of these things that are unpatched and remain. You know as entry points for attackers and malicious actors.
Alex Pinto:
Yeah. So here's the joke. Here's the joke, right? While you guys weren't looking, I actually switched nation state and criminal actors. Can anybody tell – I didn't switch them. But what I mean.
A Bunch of vulnerabilities, bunches of different bunches of vulnerabilities… Makes no difference. Right? You still have the same core problem of having to handle the vulnerabilities themselves. Right? The things are aligning. Things are getting closer, you need to think, and it's helpful to think more defense-centric than properly. You know. What does the attacker look like in many cases?
Ray Carney:
Yeah. And it's kind of funny. Because, Alex, you and I, well, all of us really have been around long enough to remember when attribution was king. Right? You had to know who… Right? And I can't tell you. You know how many times I've soapboxed around.
Hey? We don't have any law enforcement or diplomatic capability in our role. So, who doesn't matter? I want to understand what and how, so that I can better defend against it. And that's really what it comes down to. So at the end of the day, there, there's only maybe a small slice of the defensive community where the differentiation, the attribution to a nation state or a criminal actor, really, is that that number one attribute?
I don't. I don't want to downplay it. But you know, I think, that who and what is, is far more (or than how, and what is), is far more important sometimes than who.
Scott Caveza:
Yeah, and it's very intentional not to list out the threat actors here. Because again, it really doesn't matter, right? The one interesting overlap was CVE-2023-48788, a SQL injection vulnerability in Fortinet, which we saw on both sides. You know, both nation-state actors and criminal actors, those financially motivated groups, ransomware extortion groups. But yeah, it really doesn't matter, right? The attackers are going to look for what is widely available as far as exploits. And what's a popular target? Was everybody running? If there's a critical exploit in the entry point to your network, these are. I mean, this is top-level stuff, right, for a threat actor. And by nature, some of these devices may be difficult to patch. Right? You may not have this is a secondary device to fall back to when you're patching. You're probably scheduling downtime. And at some point in the future, when these things are, half of these were exploited zero days.
The rest. It happened probably shortly after patches were released, and it could have been days, weeks, or hours. In some cases, exploitation is seen, and, as you mentioned, it's a zero-day for a short period of time, and then it's a known vulnerability. And those exploit kits are very quickly adapted to include these new vulnerabilities.
Ray Carney:
So it is interesting…
Scott Caveza:
But dynamic to see.
Ray Carney:
Yep.
So go ahead.
Well, I was gonna say, Scott, so again, as we've talked about, our team is really focused on trying to get things to the bottom of the funnel and focus customers and the constituencies on the things that matter most right now. ‘If you could only do one thing today, what's the one thing you need to do? If you could do 5 things. What are those 5 things? Do those 5? I'll give you more…’ But we're trying to get this down to a scale that most of our customers can effectively deal with and make sure that we're dealing, not with the thousands or tens of thousands, but with the ones and tens, right? So maybe talk a little bit about operationally. How do we address that day-to-day within our team.
Scott Caveza:
Yeah, as a segue to that, too. Right? Like, we were only looking at focusing on those 17 CVEs, that's just 17 out of as of this morning, 1,367 CVEs in the CISA KEV. That's an insurmountable number of vulnerabilities to address. So we're, if we said, Okay, you've got a thousand critical CVEs. Go, patch all of these. It's an impossible task. Right? So as Ray, you mentioned, how do we narrow that down to the things that are the top of the funnel, like what's the most important? And that is an aspect of what we do on a day-to-day basis here for our team of building kind of that contextual data intelligence around CVEs and kind of breaking these down into what are, what are the things that you could do today that are going to have the most impact? Or what are the vulnerabilities today that are the highest priority based off of exploitation based on what's happening in the threat landscape. As the saying goes, context is key. And that's kind of the key to what we're trying to do on a day-to-day basis.
So, at this top screenshot, you see, the **6 emergent threats** in these, which we classify into one of three buckets. The vulnerability being monitored, vulnerability of interest, and vulnerability of concern, kind of going in order of severity. So vulnerability being monitored, being those things that are of interest because of past exploitation. Maybe there's no exploitation known, no proof of concept yet, but it's in one of these high-value targets that has seen past exploitation.
And sometimes you'll see some of these vendor advisories where they're kind of posting some hints about how severe this is… Some of the language they use to kind of showcase, like: ‘Do this. Now, patch this now.’
Ray Carney:
One day.
It's a pattern within the data that we have, the data that we're working with on a daily basis. This fits the pattern of something that we think is on a trajectory.
Scott Caveza:
Exactly, exactly in some of these. You see, it's like, okay, this is very similar to what we've seen in the past. It was exploited very quickly. Time to throw up the bat signal with a warning. This is something to prioritize.
From there, we go to that **vulnerability of interest**. These things are probably, the next level kind of an emergent threat. So, things that may have proof of concept, or there are enough details around it, say in a blog post from whoever disclosed the vulnerability to the vendor, where a proof of concept could be built quite easily, or it's an emergent threat – like we can look at it again and say, based off the data we've analyzed previously or based off past exploitation. This is something that is either actively exploited or going to be actively exploited within hours or days.
And then we climb the ladder one more time. **Vulnerabilities of concern**. This is the large scale. This is your Log4Shell vulnerability. The things that are gonna have a wide industry impact. Well, even a worldwide impact. Right? It doesn't matter what industry you're in. If you have this software, it's easily exploitable.
Chances are, by the time patches are released, or by the time people are discussing it, it may already be too late. Like, now you're looking at, "Okay, these are the signs we need to look for – signs of compromise." Or, hey, it's a matter of hours if we don't either get this thing patched, apply mitigations, take it offline, or likely the target… and these are the more rare things most of the time. We're going to see things in that vulnerability-of-interest stage. But again, these things can shift and move, depending on what's happening in an ever-evolving threat landscape.
Ray Carney:
Well, and Scott, I'll say our goal there is to give as much advance warning for the things that are trending towards impact as possible. Right, again, we're providing that timely and accurate information, showing people where they're most likely to see impacts.
And again, based on the data and observable evidence. Right? We spend a significant portion of our time not only working with the data that we've collected, but the new data that we're observing in the landscape like, what's happening in the landscape on a day-to-day basis, how do we contextualize that and pass it through so that people have an opportunity to respond versus react. I know that's nuanced. But it's something I talk about and think about a lot. You know my days in the military. We spent a lot of time drilling and creating that muscle memory where we were prepared to respond and not just react to a thing that happened, right? And that's really what we're trying to do here. Provide that sort of pipeline of information, so that people feel comfortable, that they're getting the right kind of contextual intelligence and insight into the things that are most likely to impact them. And we're just continuing as we did, working with Alex and his team over the past year. We're constantly looking at the results of our analyses and figuring out how we can pipe them back into the product to provide better insights, not only to our partner organizations like Verizon and the DBIR that they're producing. But for all of our customers as they go through their day-to-day in their environments.
Scott Caveza:
Absolutely, as we talked about. Right? If you look solely at the KEV, if that was your priority list, there are over 1,300 CVEs.
How can we narrow that down? And again, six emergent threats, more manageable things that can be done in a timely manner. And again, to your point of being proactive and addressing these things before you react to them. Right? Let's be proactive. Let's address these things before it's too late! It's now the next stage.
Ray Carney:
So what's next? I mean, we've provided a lot of insight here, and obviously, the DBIR's out there. Hopefully, people have had an opportunity to read, consume, and consider that.
We did some corollary publications around the 17 focal point vulnerabilities. Alex, I think that you said that the amount of data that we gave you for those just, logically, didn't fit within the context of the DBIR. So we had a lot that… we still had to say that went beyond the message. And so we did that corollary publication. But, as we go on, from the Webinar, and our daily lives as defenders. Scott, what's next?
Scott Caveza:
Yeah, I mean, the threat landscape continues to evolve, right? We've got new and old vulnerabilities still being exploited by a variety of threat actors, both financially motivated and those nation-state groups. And as we focused here on those edge devices in the attacker's crosshairs, it's those things that are entry points to the network.
And through that data analysis, we really focused on, you know, the remediation rates across those. And there's a list of industries here that were among the top 5 as far as the longest remediation across all CVEs. And it's not to point fingers and say, "Do better." This is just an analysis of the data to say, "Okay, well, where are we getting it right? Where's the room for improvement?"
And, surprisingly, to see some of these in here. You know, you focus on what's kind of trending, and you think, "Okay, it's healthcare, it's the government." Those industries are constantly in the news. But there's a wide range of organizations that are doing great, and some that could improve. So it's again just an interesting analysis to see. And we kind of… we use this as a guide point next year to see, you know, how does this change?
Ray Carney:
Right. You measure it over time, measure it year over year. Make sure you're trending in the right direction. So.
Scott Caveza:
Absolutely. And as we always talk about, right, effective security is kind of a proactive approach, like using the data available, the tools available.
As we highlighted what we have to offer here from Tenable's vulnerability management standpoint, data like reports like the DBIR are great tools to analyze. Where are the trends? Where's the threat landscape going? And they help you determine how to prioritize and organize those key assets that you have to protect.
I kind of loosely talked about determining that prioritization model. I mean, some people use CISA KEV, some are going based on CVSS scores, VPR (from us as well). Whatever that model is going to be, you know, our goal is to try and narrow that down even further, and say, here's the things that you could address today that are going to give you the most likelihood of keeping you off that breach list, and again, make a plan, test it, continue to improve.
And this changes daily. Right? Security is not static. It's not, "We have this plan. We patch once every week." Right? It's continuous. You continuously improve, you get better. There's no perfect solution, and there's no end to the number of CVEs, as you mentioned before. I mean, we've nearly doubled in 5 years. That trend is likely to continue.
You know, you've got a fire hose you're trying to drink out of. How do you get it down to a straw?
Ray Carney:
100%.
So we spent 40 minutes of the last 45 minutes talking about us and what we've been doing, David. Can we open it up for Q&A and see what the community would like to hear?
Tenable Webinars Team:
Yes, we've received one question from Paul Rosanowski. I will read it to you, but you guys can also see it. Paul says, “I've come across a few vulnerabilities that have a high EPSS score, but the exploitability ease is 'No known exploits are available’. Some examples of this are plugins 62694, 83738, and 65821. How can a vulnerability have such a high EPSS score while it's also being reported that it isn't being actively exploited?”
Ray Carney:
I mean, look, I'll take a shot at that, Paul. Great question. And I'm not trying to dodge this or throw shade at any model. But it's a really difficult question to answer, because the model for the EPSS is not exposed. We don't know what the key influencing factors are for the EPSS score, or why they're rating a thing so highly exploitable when the observable evidence and the intelligence that we have about that, in other words, ‘is there a viable proof of concept out there?’ ‘Have we seen any exploitation?’
We constantly compare; we actually have a data set that we look at on a regular basis that compares all three versions of CVSS with the 2 versions of VPR: VPR 1.0 and VPR 2.0, and the EPSS model. And we try to reconcile those. And we try to understand based on the data that's available to us, why the deltas might be there. Some of these things are just still not explainable, because we don't have enough understanding about how those scores, particularly with the EPSS, are calculated. How are those scores being generated?
Alex Pinto:
Yeah, if I can add, I mean, it's not going to be helpful. What I'm going to add here. But so the “P” (in EPSS) stands for “probabilistic.” I think so. There's that right. There's always kind of like, oh, there's a chance this looks like something else that has been exploited recently, and it also, again, might not help. But the guy who created EPSS is a personal friend. He's one of the most talented security data scientists I've ever collaborated with in my life.
So I know he's trying to be right at the very least. But I cannot speak to the quality of the model. I do not understand it. I haven't researched it.
But it's just like Ray said, right? It's in one. I guess I am assuming here. But I assume that one of the reasons why Tenable carries this score forward as well in their data is because, hey, I'm giving you more data points to help make this decision. So maybe this looks very… like there's nothing going on here. But if you can interpret it through the lens of ‘If someone really wanted to develop a vulnerability or an exploit here, it wouldn't be that hard.’ That could be something that you are using as a decision point, right?
But again, more likely than not, you have a thousand other things that you should have patched, like, last week. So you're gonna do all of those first at the end of the day. But it's important, again. I don't think it hurts, but there are a lot of unknowns there. And again, models, like, what was it, "all models are wrong, some models are useful," right? That's kind of where we are. Everywhere to be perfect, not just with the EPSS.
Ray Carney:
Yeah. And I think one of the things for us, Alex, is when we think about CVSS scores, which are (in a lot of regards) highly theoretical. Okay, we look at predictive models, whether it be VPR, EPSS, okay? And then we look at direct observation, like, actually, what's the observable evidence around things that we have? Right? It's like, what's the best way to predict the weather? Open the door and go outside. Right. Is it hot? Is it wet? You know, you've got the weather rock that sits outside your door, right? But that's where we're trying to see… do those things all coincide? Are the models in agreement? Are the CVSS and the EPSS, the VPR, and the observable evidence in agreement?
Those are the things that tend to get elevated to the small group of the ones and tens that we're focusing on, along with all the contextual data that drives that. But, Paul, just to tie off, I mean, look, you're asking a question that we ask ourselves on a daily basis. We don't always have the answers, but we don't stop asking the questions. We continue to try to pull the thread and have conversations, whether it's with CISA, FIRST, or other people in the industry like Verizon, to better understand what these models mean. What can we take from them? And what's our confidence in the different sources as we try to be a guidepost for all the people who are consuming our intelligence.
Tenable Webinars Team:
All right. There are 2 more questions. The next one is from Dan Watkins. He says, “Do you think bad actors are reading the DBIR and tuning their attacks accordingly? Do you think this tool is providing more value to the good guys than the bad?”
Ray Carney:
You're on mute, Alex.
Alex Pinto:
Yeah, I was gonna say, I love this question because I have an anecdote about this question. So, one of the findings we had this year was about the kind and amount of ransom being paid going down in relation to the year prior. And we talked to a bunch of SMEs… "Okay, what's going on here? What do you think it is? What would be your explanation for it?" And they said, "Oh, fewer people are paying the ransom." And this is something we could verify with independent data that we had, right?
So we had maybe 50ish percent of people who didn't pay the ransom. Again, this is a subset of all the ransomware events that happened. These are those who have engaged with ransom negotiation companies—two years ago, 50% didn’t pay, last year, it was like 64% didn't pay. And we're like, Huh!
I wonder if the data being encrypted or not makes a difference? And it did. If the data wasn't encrypted, fewer people paid, even than if the data was encrypted.
And so we looked at that number. And we said, "You know what, we're not gonna print that… We're not gonna put that in the DBIR," because that's gonna… maybe people will get the idea, ‘Well, maybe we should be encrypting more, then.’
And so the punchline, which is not funny at all, is that we didn't publish it. But you are seeing now a huge trend of people doubling down on encryption, and not only encryption, but purposeful encryption that will cause business interruption on companies. Right? We've seen this headline being played over and over again with different companies, which is, ‘such and such, we put in the UK, cannot operate.’ And then there was the supply chain, the food supply chain company in the US that supplies Trader Joe's and Whole Foods. Right? So, ransomware operators are really doubling down on the business interruption as a kind of leverage to get people to pay more ransom. But we didn't tell them that, right? We stopped short of telling them that.
But to answer your real question, we have found that talking to companies really helps people when they're reading the report to have some sort of defendable basis in reality, or at least the closest thing to reality that we can gather given how incomplete security data is. To really make decisions – forward-looking decisions, right? People will actively tune how much they're spending based on the trends that the DBIR shows.
And it is, it has shown, proven itself to be a very useful communication tool with the Board.
Right? So, ‘Oh, I need more funding. I need to talk to the CEO. I need… We need this specifically. Oh, why do we keep investing in phishing protection? We do this every year. Haven't we fixed this already? Look, it's 16%. It's been 16% for the past 10 years.’ So yeah, we have to continue doing this because it continues to be a threat. Right? I think it helps shape the understanding.
And yeah, it could work both ways. But my counterargument to you is that I do not believe that the techniques used by hackers have changed that much over the past few years. They have refined, right? And so people continue to go for ransomware because ransomware is what pays. It's an incredibly effective way of monetizing a breach, right? On a similar vein, BEC: they may not even need to have a compromise, just, like, fake it, like, get a wire transfer going. Incredibly efficient, incredibly cheap, right? I think they're much better at optimizing their investment than we are, at the end of the day. Right? And so we need any help we can get. You know what I mean.
Ray Carney:
I 100% agree. And Alex, I think my short answer to that question is that the bad guys don't need us to tell them what's working. They know very well. Okay, and in a lot of ways, to your point, I think that the criminal enterprise, and make no mistake, it is an enterprise, they've done a lot better job starting to adopt business principles and operate strategically and refine their, you know, their own supply chains and pipelines. I've done a lot of work looking at the ecosystem, right? So trust me. The bad guys don't need us to tell them what's working.
Tenable Webinars Team:
Well, looks like we've reached the top of the hour, Ray. There are still some questions, and I think we should send a direct answer to David Myers. Do you guys have any closing comments that you'd like to make?
Ray Carney:
Well, for me, Alex, thanks for the great partnership over the past year. It's been a real pleasure working with your team. And I'm looking forward to continuing to work together. You know, as we've discussed recently, we're already working on some new questions and looking at those kinds of insights that might make their way into the DBIR next year, as we start to, together, see how the landscape evolves.
But for everybody that's been here, thanks so much, we really appreciate the time.
Alex Pinto:
Yeah, same here, and again, appreciate you having me.
Ray Carney:
Awesome.
Speakers

Alex Pinto
Associate Director of Threat Intelligence, Verizon Business

Scott Caveza
Staff Research Engineer, Tenable

Ray Carney
Director of Research, Tenable