In spite of years of data showing effective patch management to be some of the lowest-hanging fruit in improving IT risk management, half of enterprises today still aren't getting it right. So says a new survey out today, which queried over 480 IT professionals on their patch management practices.
“When we began this research, we expected patch fatigue to affect a small portion of the industry,” said Tyler Reguly, manager of Tripwire Vulnerability and Exposure Research Team (VERT), which conducted the survey with Dimensional Research. “Instead, we discovered that it is a broad, sweeping issue affecting a wide range of organizations.”
According to survey respondents, 50% believe that client-side patches are released at an unmanageable rate and the same percentage of IT teams don't understand the difference between applying a patch and remediating a vulnerability.
"The fact is that we, as an industry, consistently conflate vulnerabilities with patches. They are not the same thing!" says Tim Erlin, director of IT risk and security strategist for Tripwire. "The fact is, we identify known vulnerabilities with CVE IDs, and vendors release increments of code that address some of those CVE IDs. It’s not a one-to-one relationship, except when it is, and bundles are common, except from vendors who don’t roll up patches. Sometimes patches don’t fix all the vulnerabilities, and sometimes they fix multiple vulnerabilities on some platforms but not others. Sometimes a patch is an upgrade, sometimes it’s not, and sometimes you can apply an individual patch or an upgrade to fix disparate but overlapping sets of vulnerabilities."
That jumble of factors played out in the survey, which showed that at least some of the time 67% of security teams have a difficult time understanding which patch needs to be applied to which system. That's made even more complicated by embedded products such as Adobe Flash patches released with Google Chrome updates--86% of respondents said this made it more difficult to understand the impact of a patch.
"The confusion between remediating vulnerabilities and applying patches is one example of the complexity surrounding enterprise patch management," Erlin says. "We haven’t touched on the technical challenges of distribution, auditing performance, or organizational silos. When we look at the steady stream of patches that vendors push, with multiple strategies, it’s no wonder that we see gaps."
These findings are bolstered by those of another less formal survey released last week by Bromium, which asked 100 RSA Conference attendees about their security practices and attitudes. In it, 49% reported that the endpoint is the source of their greatest security risk, ahead of insider threat, network insecurity and cloud risks. The survey showed that only half of organizations are able to implement patches for zero-day vulnerabilities within a week of release.