8 Trends in Vulnerability and Patch Management
Unpatched flaws continue to be a major security issue for many organizations.
October 30, 2019
Organizations are under growing pressure to implement effective vulnerability and patch management practices: In numerous recent data breaches, attackers have shown a tendency to exploit unpatched software flaws to gain access to critical enterprise applications and systems. Even relatively old and long-ago patched vulnerabilities continue to be exploited.
One example is EternalBlue, a leaked NSA exploit targeting a flaw in Microsoft's SMB protocol. Though Microsoft patched the remote code execution vulnerability in early 2017, nearly 1 million systems — over 400,000 of them in the US alone — remained unpatched as recently as June. Attackers are actively exploiting the flaw to deliver banking Trojans and other malware.
Digital transformation initiatives and trends such as cloud migration and enterprise mobility have also significantly expanded the attack surface at many organizations, underscoring the need for better vulnerability prevention, detection, and mitigation strategies. The adoption of DevOps, continuous integration and delivery (CI/CD), and other application development and delivery models in recent years has similarly focused attention on integrating vulnerability scanning and remediation much earlier in the software development life cycle.
For organizations seeking to implement formal vulnerability and patch management programs, here are eight key trends to keep an eye on.
Six in 10 data breaches that organizations have experienced this year involved security vulnerabilities that had not been patched. A recent survey of nearly 3,000 organizations conducted by Ponemon Institute on behalf of ServiceNow showed that delays in patching vulnerabilities cost organizations 30% more in downtime this year compared with 2018.
Organizations don't address vulnerabilities more quickly for multiple reasons. They include a lack of awareness of potential breach-causing vulnerabilities, organizational silos and turf wars, a lack of resources, and no common view of applications and assets. Respondents also said "attackers are outpacing their organizations with such technologies as machine learning/artificial intelligence," the report noted.
Nearly seven in 10 organizations said they plan to hire at least five staff members over the next year to handle vulnerability management, according to the ServiceNow/Ponemon survey. The expected average annual costs to organizations for these hires: $650,000.
In addition to staffing increases, many organizations are turning to automation as a way to address patching challenges. Forty-five percent of the survey respondents said they could improve patching time by automating the patch management process. Seventy percent said they would implement better patch management processes if they were forced to by laws holding companies accountable for data breaches.
Most data security regulations, such as PCI DSS and HIPAA, require covered entities to have vulnerability management programs. Not surprisingly, 84% of organizations reported having one in place, according to a survey for Bromium by the SANS Institute. About 55% of them said they have a formal vulnerability management program in place, while the remainder described their programs as informal. Another 15% said they planned to implement a vulnerability management program in the next 12 months.
The survey also found that a majority of organizations with a vulnerability management program in place used a risk-rating process for determining the criticality of a security flaw. One-third said they had a formal risk-rating process, and almost 19% had an informal process in place for assessing risk. Some of the most common factors used for risk rating, according to the survey, include CVSS severity, criticality of the business asset, scoring from threat intelligence feeds, and vendor severity ratings.
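As an added illustration of how the four factors the survey lists (CVSS severity, asset criticality, threat-intelligence scoring, vendor severity) can be combined into a single risk rating, here is a small weighted prioritization routine. This is example code written for this page, not any survey respondent's or vendor's method; the weights, the 1-5 asset scale, and the sample findings with placeholder identifiers are all assumptions.

```python
from dataclasses import dataclass
from typing import List

# Assumed weights for illustration only; not a published standard.
WEIGHTS = {"cvss": 0.4, "asset": 0.3, "intel": 0.2, "vendor": 0.1}

# Vendor severity labels mapped onto the same 0-10 scale as CVSS.
VENDOR_SEVERITY = {"low": 2.5, "medium": 5.0, "high": 7.5, "critical": 10.0}


@dataclass
class Finding:
    ident: str                # placeholder id, not a real CVE
    cvss_base: float          # CVSS base score, 0.0 - 10.0
    asset_criticality: int    # assumed 1 (lab box) to 5 (revenue-critical)
    exploited_in_wild: bool   # as reported by a threat intelligence feed
    vendor_severity: str      # low / medium / high / critical


def risk_score(f: Finding) -> float:
    """Weighted 0-10 rating; every factor is normalized to 0-10 first."""
    asset = (f.asset_criticality - 1) / 4 * 10        # 1..5 -> 0..10
    intel = 10.0 if f.exploited_in_wild else 0.0      # binary intel signal
    vendor = VENDOR_SEVERITY[f.vendor_severity.lower()]
    score = (WEIGHTS["cvss"] * f.cvss_base + WEIGHTS["asset"] * asset
             + WEIGHTS["intel"] * intel + WEIGHTS["vendor"] * vendor)
    return round(score, 2)


def prioritize(findings: List[Finding]) -> List[str]:
    """Return finding ids ordered from highest to lowest risk rating."""
    return [f.ident for f in sorted(findings, key=risk_score, reverse=True)]


# Constructed sample findings (not real vulnerabilities).
SAMPLE_FINDINGS = [
    Finding("EXAMPLE-A", 9.8, 2, True, "critical"),   # exploited, low-value host
    Finding("EXAMPLE-B", 7.5, 5, False, "high"),      # crown-jewel system
    Finding("EXAMPLE-C", 5.3, 5, True, "medium"),     # mid CVSS, exploited, crown jewel
    Finding("EXAMPLE-D", 9.1, 1, False, "critical"),  # high CVSS, isolated lab box
]

if __name__ == "__main__":
    for f in sorted(SAMPLE_FINDINGS, key=risk_score, reverse=True):
        print(f"{f.ident}: risk {risk_score(f):.2f} (CVSS {f.cvss_base})")
```

Ranking by CVSS alone would place EXAMPLE-D second; with asset criticality and exploitation evidence weighed in, it drops to last while the mid-CVSS but actively exploited EXAMPLE-C moves up.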
Businesses and other organizations this year spent an average of 139 hours per week monitoring systems for vulnerabilities and threats, and 206 hours per week patching applications and systems, compared with 127 hours and 153 hours, respectively, in 2018. Based on per-week numbers, organizations will spend more than 23,000 hours on vulnerability- and patching-related tasks this year, according to the ServiceNow/Ponemon survey.
The average per-week costs to enterprise organizations for preventing, detecting, patching, documenting, and reporting on the patch management process, and also the downtime associated with patching, was $27,688, or some $1.44 million per year, the survey found. That's about 24.4% higher than the $1.16 million organizations spent in 2018.
Organizations that scan applications more frequently tend to be substantially faster at remediating vulnerabilities than organizations that scan less frequently, according to research by Veracode. The security vendor found software development organizations that scan their code daily require a median time of just 19 days to remediate vulnerabilities compared with 68 days for those that scan one time or less per month.
According to Veracode, about half of all applications are accruing aging and unaddressed vulnerabilities - or security debt - in their software because development teams tend to focus on newer ones first. The trend is increasing data breach risks for organizations. "The top 1% of applications with the highest scan frequency carry about five times less security debt than the bottom third," Veracode stated.
The data suggests that frequent scanning not only helps companies find flaws, it also helps them significantly reduce cyber-risk. "Organizations must address the new security findings while chipping away at the old," Veracode said.
A Tripwire-sponsored survey of 340 infosecurity professionals found 9% of organizations deploy a security patch immediately when they get it, while 49% install it within seven days. The remaining organizations take anywhere from around two weeks to over one year. Sixteen percent, for instance, said they deployed patches in less than two weeks, another 19% said it took them up to one month, and 6% said they installed patches within three months.
The largest group of organizations in the Tripwire survey - 40% - patch fewer than 10 vulnerabilities per month, and 29% deploy between 10 and 50 in the same period. However, a relatively small proportion of organizations appear to be patching substantially more vulnerabilities in a 30-day period. Nine percent, for instance, said they patch anywhere from 50 to 100 vulnerabilities per month, while for 6% the number exceeds 100. A somewhat surprising 15% said they did not know how many security vulnerabilities, on average, their organizations patched each month.
While most security organizations understand the importance of timely patching, the process can get delayed for a variety of reasons. Seventy-six percent of those responding to the ServiceNow/Ponemon survey said one reason was the lack of a common view of applications and assets across the IT and security teams. An almost identical proportion (74%) said their patching processes often got delayed because of concerns over taking critical applications and systems offline. For 72%, patch prioritization was the main issue. Staffing was yet another reason, with only 64% of respondents saying they had enough people on hand to deploy patches in a timely manner.
The survey showed that the IT operations team is responsible for patching at the largest share (31%) of organizations. The security operations team is in charge of the mission at 26% of organizations, and the CISO team at 17%. The computer security incident response team (CSIRT) owns responsibility for patching at 12% of enterprise organizations.
When a security flaw is discovered in software, most organizations expect the developer to act quickly to resolve the issue. When respondents to the Tripwire survey were asked what they considered to be an acceptable time frame between vulnerability discovery and the release of a patch, 18% said no wait is acceptable. About half - 48% - said they are willing to give the developer seven days to issue a patch, and 16% are OK with a two-week time frame. A surprising 17% said they are prepared to wait up to six months, if needed, for a patch.
Tripwire's survey showed that a high percentage of organizations expect software developers to continue releasing patches for products even after the products have reached their end of life. Thirty-six percent said they expect developers to release patches for between one and two years after end of life, while 15% want the product to be supported for between three and five years. Interestingly, 11% said they are OK with the vendor ceasing all patch support immediately when a product hits its end of life.