Mind Your Own Business: A Longitudinal Study of Threats and Vulnerabilities in Enterprises

Platon Kotzias (IMDEA Software Institute, Universidad Politécnica de Madrid), Leyla Bilge (Symantec Research Labs), Pierre-Antoine Vervier (Symantec Research Labs), Juan Caballero (IMDEA Software Institute)

Enterprises own a significant fraction of the hosts connected to the Internet and possess valuable assets, such as financial data and intellectual property, which may be targeted by attackers.
They suffer attacks that exploit unpatched hosts and install malware, resulting in breaches that may cost millions in damages. Despite the scale of this phenomenon, the threat and vulnerability landscape of enterprises remains under-studied. The security posture of enterprises remains unclear, and it's unknown whether enterprises are indeed more secure than consumer hosts.
To address these questions, we perform the largest and longest enterprise security study up to date. Our data covers nearly 3 years and is collected from 28K enterprises, belonging to 67 industries, which own 82M hosts and 73M public-facing servers.

Our measurements comprise of two parts: an analysis of the threat landscape and an analysis of the enterprise vulnerability patching behavior.
The threat landscape analysis first classifies low reputation files observed in enterprise hosts into families. Then, it measures, among others, that 91%--97% of the enterprises, 13%--41% of the enterprise hosts, encountered at least one malware or PUP file over the length of our study;
that enterprises encounter malware much more often than PUP; and that some industries like banks and consumer finances are doing notoriously better, achieving significantly lower malware and PUP encounter rates than the most-affected industries.
The vulnerability analysis examines the patching of 12 client-side and 112 server-side applications in enterprise hosts and servers. It measures, among others, that it takes over 6 months on average to patch 90% of the population across all vulnerabilities in the 12
client-side applications; that enterprise computers are faster to patch vulnerabilities compared to consumer hosts; and that the patching of server applications is much worse than the patching of client-side applications.