Fixing The Patch Problem
Many companies are patching systems more slowly than in the past. Using a service that packages fixes can speed updates and give businesses a better chance of closing security holes
Before joining IBM's security division, Dave Merrill handled the company's strategy for securing its desktops and laptops. In that role, Merrill saw the major problems in patching endpoint systems.
With application and operating-system vendors releasing a constant stream of security fixes and a lack of maturity among update services, managing the patch process was nearly impossible. More than a third of systems were missing a critical patch, but the company did not, at the time, have the visibility to find and fix the issues. Searching for a solution to the problem resulted in, among other things, IBM purchasing endpoint monitoring and patch management service BigFix in 2010.
More Security Insights
- Forrester Study: The Total Economic Impact of VMware View
- Securing Executives and Highly Sensitive Documents of Corporations Globally
Many companies are still wrestling with similar problems, says Merrill, now a senior technical staff member in IBM's security division.
"I was seeing the security issues that were the result of inadequate patching," Merrill says. "We were not patching fast enough and patches were not accurate enough to successfully fend off attacks."
Today, the problems persist and may even have become worse. While attackers quickly find ways to exploit known vulnerabilities, businesses have actually become slower at patching, according to data from vulnerability management firm Qualys. Earlier this year, the company released data on the vulnerability half-life -- the time it takes to fix a flaw on half the instances of an application -- for its customers. In 2009, companies took an average of 30 days to fix a vulnerability on half its population of computers; in 2012, that period had lengthened to 35 days.
Take Java, for example. Vulnerabilities in the software are essentially the uranium of information technology, with a half life so long that Qualys has not been able to measure it.
"Where we see still problems is the real third-party software, such as Java and Flash and PDF," says Wolfgang Kandek, chief technology officer for Qualys. "For Java, I cannot even plot it; there is no discernible movement at all."
That's not true for all applications, however. Both Internet Explorer and Microsoft Office have improved their half-life to about 15 days, says Kandek.
[There is a whole rag-tag class of systems--many of them extremely critical--that frequently run unpatched and ridden with vulnerabilities. See 5 Systems You're Forgetting To Patch.]
To fix patching problems, companies need to know what vulnerabilities are out there, which applications they have, and an ability to create or retrieve the patches. Most companies cannot do all -- in some cases, any -- of these, making a patch management service a good option.
Services that provide custom patches can slow down the patch cycle, but -- in the end -- pay off, because building a patch internally can be expensive.
"The cost of creating a patch quickly is on me as a single customer -- it ends up being too much of a financial burden," says IBM's Merril. "Buying a service from a company that can spread it across the space is important."
Another bonus of a good patch management service is better quality patches. Many companies quickly deploy fixes created by Microsoft, because the company has spent so much time testing their patches. Other patches, however, can cause more problems than they solve, and companies tend to test such updates more extensively. Half of companies surveyed by business technology provider GFI have had to roll back at least one patch every year.
With testing, however, patches have become more reliable, says Cristian Florian, product manager for GFI.
"We have noticed that the testing of patches had improved," Florian says. "Still, we recommend to our customers that they stage a patch, first testing it on not-so-critical systems."
In addition to creating patches, companies need the ability to take stock of the software on their systems to be aware of all the vulnerabilities present, says software security firm Secunia.
"Instead of focusing on the applications that have the highest marketshare, if they focus on the vulnerabilities and patching the applications with the most critical vulnerabilities they can remediate much more risk," says Morten Stengaard, director of product management at Secunia.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.