“Typical remediation rates for software vulnerabilities are at a mere 5 percent per month, while these remediation rates are significantly faster. In a typical vulnerability remediation pattern, it would take 29 months to reach the same level of remediation we observe happening for MOVEit after just 42 days,” Bitsight said.
The cybersecurity firm attributed this to timely alerts by CISA. “Recent research found that CISA alerts tend to improve the likelihood of organizations rapidly remediating a given vulnerability; what we’re seeing with MOVEit could be a real-time example of this promising trend,” Bitsight said.
Bitsight also saw an increase in the adoption of patched versions soon after the announcement of each vulnerability, and a sharp decline in the use of other versions. “This is great news, indicating that organizations are promptly moving from vulnerable to patched versions,” Bitsight said.
About 73 percent of government sector organizations were found to have remediated the MOVEit vulnerabilities, while at least 52 percent of manufacturing sector organizations had done so. In the business services sector, at least 46 percent of organizations had remediated, according to the report.
Most impacted organizations were headquartered in the US and belonged primarily to the technology, government, and finance sectors, according to Bitsight.
The government and politics sector had higher remediation rates due to the prevalence of regulation and government mandates, Bitsight noted. “This sector is trusted with sensitive information — secret or otherwise sensitive government information; and personally identifiable information (PII). The breadth and scope of the data for which this sector is responsible could potentially be one reason why they prioritized remediation of these CVEs,” Bitsight said.