Know Your Vulnerabilities: A SANS Continuous Monitoring Survey

Bethesda, Md. – The majority of IT professionals believe their continuous monitoring programs are mature or maturing (by maturing, we mean they are improving their continuous monitoring programs). Yet how often and how comprehensively they scan, and whether they follow through with remediation, reveals a different picture, according to results of a new survey to be released by SANS Institute on October 28, 2015.

The results of the survey seem positive at first glance: 62% of respondents consider their asset identification and classification capabilities to be "mature" or "maturing" (meaning they are improving). But only 19% perform scans weekly, and 19% scan more frequently, resulting in only 38% of respondents meeting the current recommendations included in the CIS Critical Security Controls.

"Organizations institute scanning programs for a variety of reasons, including to comply with various regulations, reduce risk by reducing the attack surface, improve their abilities to identify assets and enhance visibility into their systems, to name a few," says David Hoelzer, SANS instructor and author of the survey. "But those results only arise from continuous monitoring programs that include all of an organization's assets."

Only 88% of public-facing systems and 64% of public-facing web apps are included in respondents' assessment and remediation programs.

Hoelzer continues, "In addition to not scanning the right assets frequently enough, organizations face the challenges of lack of trained staff, budgets and management support."

Results show that continuous monitoring does improve risk posture. Those who could measure improvements from their continuous monitoring programs point to improvements in their overall risk posture as a result of their continuous monitoring programs. Top improvements include increased visibility into enterprise systems and infrastructure, improved ability to accurately detect and remediate malicious events, and reduced attack surface enabling fewer incidents or breaches.

Full results will be shared during a Wednesday, October 28, 2015 webcast at 1 PM EDT, sponsored by AlienVault, Arbor Networks, HP, and Tenable Network Security, and hosted by SANS. Register to attend the webcast at

Those who register for the webcast will also receive access to the published results paper developed by SANS instructor and vulnerability expert, David Hoelzer.

Tweet This

The SANS Continuous Monitoring Survey Results Presented Oct. 28, 1 PM EDT. Register: #infosec

Continuous Monitoring Survey Results: Are you doing as well as you think? 10/28, #infosec #CMS

#CMS Survey shows many challenges to implementing successful programs. Learn more on 10/28. #infosec

SANS Media Contact

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions world-wide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cyber security training events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master's degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their 'human' cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system, the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community.