Press release

Tripwire Report: 1 in 4 Organizations Breached Because of Unpatched Vulnerabilities

Sponsored by Businesswire

(Infosecurity Europe, Stand #E50) – Tripwire,
, a leading global provider of security and compliance solutions
for enterprises and industrial organizations, today announced the
release of a new report on vulnerability management trends. The survey,
conducted by Dimensional Research in May 2019, included responses from
340 infosecurity professionals.

Tripwire evaluated how organizations are managing vulnerability risks
and found that more than one in four (27 percent) globally have been
breached as a result of unpatched vulnerabilities, with an even higher
rate in Europe (34 percent). Vulnerability management starts with
visibility of the attack surface, and Tripwire’s report found that 59
percent of global organizations are able to detect new hardware and
software on their networks within minutes or hours. However, this is a
difficult manual effort for many; almost half (47 percent) report that
less than half of their assets are discovered automatically, including
13 percent who don’t even use automatic discovery solutions.

“Finding vulnerabilities is just a part of an effective vulnerability
management program,” said Tim Erlin, vice president of product
management and strategy at Tripwire. “It’s important for organizations
to focus on building a program instead of deploying a tool.
Vulnerability management has to include asset discovery, prioritization,
and remediation workflows in order to be effective at reducing risk.”

In assessing the attack surface for vulnerabilities, 88 percent of
infosecurity professionals said they run vulnerability scans, but the
research found that organizations address vulnerabilities with varying
degrees of effectiveness. Compared with
a past report
, the use of authenticated scans has improved, with 63
percent saying they conduct authenticated scans as part of their
vulnerability assessment. Despite this progress, more than one-third (39
percent) are still not scanning weekly – or more often – as recommended
by industry standards.

Erlin added: “How you assess your environment for vulnerabilities is
important if you want to effectively reduce your risk. If you are not
doing authenticated vulnerability scans, or not using an agent, then you
are only giving yourself a partial picture of the vulnerability risk in
your environment. And if you’re not scanning for vulnerabilities
frequently enough, you’re missing new vulnerabilities that have been
discovered, and you may miss assets that tend to go on and off the
network, like traveling laptops.”

The ability to reduce vulnerability risks varies among organizations.
According to Tripwire’s report, 16 percent of U.S. organizations said
they only conduct vulnerability scans to meet compliance or other
requirements. This rate was higher for European organizations, at 21

“Meeting a regulation or compliance requirement does not necessarily
mean you’ve effectively managed your security risk,” Erlin concluded.
“Compliance requirements are most often about protecting someone other
than your organization. That might be the consumer or credit card
companies or another entity. Securing your business requires that you
define an acceptable level of risk and manage to that target.”

Fifty percent of infosecurity professionals said they conduct
vulnerability scans to reduce risk, but only have the bandwidth to focus
on high-severity vulnerabilities. Nearly all respondents indicated that
constraints like people and processes (78 percent) and budget (65
percent prevent them from addressing all of the vulnerabilities they
want to tackle.

To ease constraints for organizations with limited in-house
cybersecurity resources, Tripwire recently launched vulnerability
management as a service with an expansion of Tripwire®
. The company has also added additional service tiers
for Tripwire ExpertOps VM, offering more extensive analysis and
personalized consulting.

Tripwire is also announcing enhancements to Tripwire IP360™, its
enterprise-class vulnerability management solution. Tripwire IP360
version 9.1.0 will feature a new integrated user interface, improved
offline agent data collection, enhanced security features, improvements
to support robust configuration, and new capabilities for assessing data
at rest.

For more findings on Tripwire’s report, please visit:

For more information on Tripwire’s vulnerability management
capabilities, please visit:

About Tripwire

Tripwire is a leading provider of integrity assurance solutions that
improve security, compliance and IT operations in enterprises,
industrial organizations, service providers and government agencies.
Tripwire solutions are based on high-fidelity asset visibility and deep
endpoint intelligence combined with business context; together, these
solutions integrate and automate security and IT operations. Tripwire’s
enterprise-class portfolio includes file integrity monitoring,
configuration management, asset discovery, vulnerability management and
log collection that supports all widely used industry-standard

Learn more at,
get security news, trends and insights at,
or follow us on Twitter @TripwireInc.