Skybox Security releases mid-year update to its 2019 Vulnerability and Threat Trends Report, analysing what’s shaping the threat landscape so far this year.

Report Highlights from 2019 H1

  • Vulnerabilities in cloud containers have increased by 46 percent compared to the same period in 2018 and by 240 percent compared to 2017
  • Less than one percent of newly published vulnerabilities were exploited in the wild, with nine percent having any functioning exploit developed at all
  • 2019 has added to the trend of broad-reaching vulnerabilities that impact multiple products sharing the same code, with 40 vulnerabilities affecting three or more vendors each
  • Use of malicious cryptominers — cybercriminals’ overwhelming tool of choice in 2018 — has declined to just 15 percent of malware attacks, with ransomware, botnets and backdoors rising to fill the void

Skybox Security, a globally renowned cybersecurity management solutions firm, has announced the release of the mid-year update to its 2019 Vulnerability and Threat Trends Report, analysing the vulnerabilities, exploits and threats in play over the first half of 2019. The report, compiled by the team of security analysts at the Skybox Research Lab, aims to help organisations align their security strategy with the reality of the current threat landscape.


Adoption of cloud technology

Among the key findings of the report is the marked growth of vulnerabilities in cloud containers. Containers, which create a distinction between virtual servers hosted on a shared machine, have seen vulnerabilities increase by 46 percent in the first half of 2019 compared to the same period in 2018, and 240 percent compared to 2017 H1 figures.

“Cloud technology and adoption has obviously skyrocketed, so it’s no surprise that vulnerabilities within cloud technology will increase,” said Skybox Director of Threat Intelligence Marina Kidron.

Enhanced cyber security

What is concerning, though, is that as these are published, the race is on for attackers to develop an exploit, because launching a successful attack on a container could have much broader consequences. Compared to other technology, containers can be more numerous and quickly replicated. The attack footprint could expand rapidly, and the number of victims may be extremely high.

“Container vendors put a great deal of attention to securing their products in the first place,” said Amrit Williams, VP of products. “But that also means reporting vulnerabilities when discovered. It’s critical that customers have a way to spot those vulnerabilities even as their environment may be changing frequently. They also need to assess those vulnerabilities’ exploitability and exposure within the hybrid network and prioritise them alongside vulnerabilities from the rest of the environment — on prem, virtual networks and other clouds.”

Vulnerabilities in cloud containers


Also notable in the report is a decline in the total number of vulnerabilities published. In each of the last two years, the total number of new vulnerabilities exceeded that of any previous year. However, the number of vulnerability reports in 2019 H1 declined by 13 percent compared to the same period last year. Still, the current figures are historically high, and it seems annual totals around 15,000 new CVEs will be the new norm.

“More than 7,000 new vulnerabilities were discovered in the first half of 2019 — that’s still significantly more than figures we’d see for an entire year pre-2017. So, organisations are likely still going to be drowning in the vulnerability flood for some time,” said Ron Davidson, Skybox CTO and VP of R&D. “Roughly a tenth of these have an exploit available and just one percent are exploited in the wild. That’s why it’s so critical to weave threat intelligence into prioritisation methods, and of course consider which vulnerable assets are exposed and unprotected by security controls.”
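The prioritisation principle in the quote above (rank by whether an exploit exists or is in use, and by whether the vulnerable asset is exposed and unprotected, rather than by severity alone) is shown below as an added illustration; it is not Skybox code, and the `Finding` fields, the weight values and the `EXAMPLE-*` identifiers are all constructed for this example.

```python
"""Risk-based vulnerability prioritisation over constructed sample findings.

Added example, not Skybox code: it combines threat intelligence (exploited
in the wild, exploit available) with exposure (reachable from an untrusted
network, shielded by a compensating control) so that a CVSS 9.8 flaw on a
protected internal host does not outrank a CVSS 7.5 flaw that is being
exploited against an exposed, unprotected host.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance on one asset. All field values are constructed."""
    cve: str                    # placeholder identifier, not a real CVE
    asset: str
    cvss: float                 # base score, 0.0 to 10.0
    exploited_in_wild: bool     # threat intel: active exploitation observed
    exploit_available: bool     # threat intel: a working exploit is published
    internet_exposed: bool      # reachable from an untrusted network
    protected_by_control: bool  # a firewall rule or IPS signature blocks the path


def threat_weight(f: Finding) -> float:
    """Threat multiplier: in-the-wild exploitation outranks a merely published
    exploit, which outranks a CVE with no known exploit (weights are assumed)."""
    if f.exploited_in_wild:
        return 3.0
    if f.exploit_available:
        return 2.0
    return 1.0


def exposure_weight(f: Finding) -> float:
    """Exposure multiplier: exposed and unprotected carries full weight; a
    compensating control halves it; an internal-only asset gets a quarter."""
    if f.internet_exposed and not f.protected_by_control:
        return 1.0
    if f.internet_exposed:
        return 0.5
    return 0.25


def risk_score(f: Finding) -> float:
    """Severity scaled by threat and exposure, rounded for stable comparison."""
    return round(f.cvss * threat_weight(f) * exposure_weight(f), 2)


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=risk_score, reverse=True)


def exploit_status_counts(findings: List[Finding]) -> Dict[str, int]:
    """Bucket findings the way the report does: exploited in the wild,
    exploit available (but not seen in the wild), or no known exploit."""
    counts = {"exploited_in_wild": 0, "exploit_available": 0, "no_known_exploit": 0}
    for f in findings:
        if f.exploited_in_wild:
            counts["exploited_in_wild"] += 1
        elif f.exploit_available:
            counts["exploit_available"] += 1
        else:
            counts["no_known_exploit"] += 1
    return counts


# Constructed sample: the highest CVSS score is deliberately on the least
# exposed asset so the ranking shows the effect of threat and exposure data.
SAMPLE_FINDINGS = [
    Finding("EXAMPLE-A", "db-internal-01", 9.8, False, False, False, True),
    Finding("EXAMPLE-B", "web-edge-02", 7.5, True, True, True, False),
    Finding("EXAMPLE-C", "api-edge-03", 8.8, False, True, True, True),
    Finding("EXAMPLE-D", "build-runner-04", 6.5, False, True, False, False),
]


if __name__ == "__main__":
    for f in prioritise(SAMPLE_FINDINGS):
        print(f"{risk_score(f):6.2f}  {f.cve:10s}  {f.asset}")
    print(exploit_status_counts(SAMPLE_FINDINGS))
```

Run as a script, it lists the four constructed findings with the actively exploited, exposed one first and the CVSS 9.8 internal finding last; the multipliers are a deliberately simple stand-in for whatever weighting a real programme uses, and the point is that the ordering comes from exploit status and exposure, not from CVSS alone.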


In case you missed it

What is the biggest change in the security industry since 2010?

Ten years is a long time, but it seems to pass in an instant in the world of security. In terms of technology, 2010 is ages ago. Changes in the market have been transformative during that decade, and we called on our Expert Panel Roundtable to highlight some of those changes. We asked this week’s panelists: What was the biggest change in the security industry in the 2010-2019 decade?  

SIA composing code of conduct for U.K. private security, seeking comments

The Private Security Industry Act of 2001 gives the Security Industry Authority (SIA) the function of setting standards of conduct in the United Kingdom’s private security industry. Time is winding down to provide input during the SIA’s six-week consultation on a new draft code of conduct for SIA licence holders and applicants for SIA licences. The authority is inviting the industry, licence holders, and anyone with an interest in private security to have their say on the draft code of conduct by taking part in a survey. The consultation will end on 23 February.

“The ethos of the code of conduct is that it will improve standards and public safety by setting out the standards of conduct and behaviour we expect people to uphold if they are entrusted with protecting the public, premises and property,” says Ian Todd, Chief Executive, Security Industry Authority (SIA).

Security's Code of Conduct

In security as in many professions, a code of conduct sets out what standards of behaviour professionals have to meet in order to work in the profession. SIA is suggesting Six Commitments of behaviour that will apply to all licensed security operatives and to applicants. If the code of conduct is sanctioned by the U.K. Home Office, it would become mandatory and incorporated into SIA’s licensing criteria Get Licensed. A commitment to certain standards of behaviour is fundamental to what it means to be fit and proper, and to being part of a profession.

The six commitments are:

  • Act with honesty and integrity
  • Be trustworthy
  • Protect the people and property you are entrusted to protect
  • Be professional at work
  • Act with fairness and impartiality at work
  • Be accountable for your decisions and actions

“We will review the comments from the consultation once it concludes on 23 February, analyse the results and publish a report on our findings,” says Todd. “The SIA will then use the comments it has received to write a final version of the code of conduct. The introduction of a code of conduct will be subject to final approval by Home Office Ministers.”

SIA’s current Standards of Behaviour provide guidance on professional behaviour but are not mandatory. The draft code of conduct builds on the Standards of Behaviour.

Upholding SIA's Standards

“The majority of licence holders uphold the standards of behaviour that the SIA, their employers and the public expect of them,” says Todd. “Their professionalism and dedication keep the public safe and tackle crime. However, there are incidents in which some licence holders do not behave in this way. This minority lower the standard of service the public receives, harm public safety, and bring themselves and the rest of the private security industry into disrepute.”

The SIA’s Partnership and Interventions team is the unit that enforces the Private Security Industry Act. It is likely that they will be required to enforce the code of conduct should it become mandatory. The draft code of conduct is currently out for consultation and the proposal has been shared widely to licence holders, private security businesses, and enforcement partners encouraging them all to take part.

“Once the consultation has concluded, we will analyse the findings from the feedback, produce a report and publish it on our website and share this widely via social media,” says Todd.

Satisfaction criteria differ for DIY vs. pro-install companies, says J.D. Power

J.D. Power is a well-known name when it comes to measuring customer satisfaction, and they have been measuring satisfaction in the home security industry since 2016. Changes affecting the marketplace – both in terms of disruptors and technology – make this a unique time. For example, in 2019, J.D. Power expanded the Home Security Satisfaction Study to not only measure the traditional pro-install/pro-monitor companies, but to separately evaluate self-install/pro-monitor brands.

“At J.D. Power our rankings are meant to support an industry in two key ways,” says Christina Cooley, J.D. Power's Director, @Home Intelligence. “First, we provide consumers who are shopping for products and services with a ‘report card’ of who provides customers with high levels of customer satisfaction. Second, we provide companies with actionable insights to help them prioritise their initiatives to improve and maintain high levels of customer satisfaction that drive loyalty and growth.”

Differentiating between companies

In home security, J.D. Power is in a unique position to report on the changes taking place in the evolving industry. The 2019 rankings show that the traditional Pro-Install/Pro-Monitor companies are challenged to differentiate from one another, as each have their individual strengths and opportunities, but overall the score range is relatively tight. On the do-it-yourself (DIY) side, there is more differentiation. A set of brands has been able to challenge the traditional industry by achieving extremely high customer satisfaction levels.

Price is always an important factor that impacts customer satisfaction, whether for security or another market J.D. Power serves. The equation is simple, says Cooley: does the price paid equal the value the customer feels they have received from the product or service?

“For Home Security, we didn’t specifically look at price until this year,” says Cooley. “With the changes that have occurred in the market, price can be a differentiator as we’ve seen with the emergence of DIY-installed systems. However, lower pricing does not have a direct relationship to quality of service.”

The price factor

For example, there are some higher-priced pro-installed brands that perform lower on customer satisfaction than lower-priced competitors. And DIY-installed systems as a whole are less expensive, and price is the customer satisfaction driver in which the DIY segment most outperforms the pro segment. The equation is: Performance minus Expectations equals Customer Satisfaction.

“Obviously, price point will be a factor in the purchase decision and the expectations the customer has about the product and service,” says Cooley. “Any pro or DIY system has the opportunity to differentiate the customer experience regardless of price point.”

There are clear differences in the pro vs. DIY experience, which is why J.D. Power evaluates the brands in separate rankings. However, Cooley says the drivers of satisfaction are consistent across both groups. The key to each group goes back to the equation above.

Evaluating the purchase process

For both pro and DIY companies, J.D. Power evaluates the purchase process the same. Though the customer may take a different path to purchase based on the offering they seek, the drivers are still the same:

  • Usefulness of information provided
  • Reasonableness of contract terms
  • Professionalism of sales representative
  • Ease of purchasing home security system

For installation, there are clear differences. DIY systems are evaluated based on:

  • Ease of completing installation
  • Quality of installation instructions provided
  • Timeliness of receiving home security system

Pro systems are evaluated based on:

  • Professionalism of technician
  • Timeliness of completing installation
  • Quality of work performed

Interestingly, purchase and installation are the customer satisfaction driver where both pro and DIY providers (as a whole) are most closely aligned on performance.

Customer loyalty

What drives a customer to purchase a home security system initially will often be very different than what will keep them as a loyal customer, Cooley notes. The price a customer is paying must align with the quality of the system they receive, and the service provided through the professional monitoring and customer service.

“With the expansion of home security offerings, it’s more important than ever for home security companies to understand the motivations, intentions, and usage patterns across different customer segments to ensure that regardless of the decision to go pro or DIY-install, they are able to meet their customers’ needs and differentiate in the very competitive market. The J.D. Power Home Security Study provides these actionable insights.”

The study is focused on the companies/brands that comprise the top two-thirds of market share in each segment, pro and DIY installed. A number of the brands included may work with local dealers or retailers for sales and install, but the customer is essentially evaluating those services as part of the system purchased. It is one and the same from the customer’s perspective, and the sales/install process can either delight or frustrate a customer from the beginning, which can then set the foundation for the entire experience moving forward.

Reasons for shopping for a security system tend to differ between pro and DIY shoppers:

  • Both sets are most focused on wanting a newer, more up-to-date system
  • Between the two, pro customers are more often moving into a new home or wanting to take advantage of a discount or bundling opportunity with other products
  • For DIY customers, they are shopping for a system to give them more peace of mind and to protect their property

Reasons for selecting the provider also vary:

  • A pro company is often selected based on brand reputation or a special offer/promo
  • A DIY company is primarily chosen based on price or a positive review

In terms of brand image, we see that customers see both pro and DIY providers similarly in terms of reliability. However, when it comes to being customer-driven, DIY providers receive higher image ratings compared to pro-installed companies.