Two interesting observations:
Attackers were present on a victim’s network for an average of 146 days before being discovered. (FireEye)
At Threat Stack, we have observed that a majority of the market is moving toward automated security vulnerability and configuration scanning.
You would be hard-pressed to find a compliance framework that does not require you to have a system to detect and manage vulnerabilities. Vulnerabilities are as old as technology itself, so to call yourself compliant, you first need to demonstrate that you have a sound vulnerability management program in place.
Vulnerability management systems identify common vulnerabilities and exposures (also known as CVEs), alerting you when a server or package is at risk so you can patch it immediately.
Simply by having a vulnerability management program in place, you can often satisfy many other major compliance requirements. In this post, we’ll explain how vulnerability management helps you to become compliant.