20 Years Later, Is Patch Tuesday Enough?

On the second Tuesday of every month, IT and security professionals around the world prepare for the patching ritual. Microsoft's Patch Tuesday, which turned 20 years old this October, is consistently on schedule. But while its cadence has remained, much has changed about the world since.

Patch Tuesday began in 2003 with the promise of organizing the patching process, batching the never-ending deluge of patches to a finite day. The benefit: bringing structure to the mess and lowering the stress of the IT and security community. It achieves its goal of consolidating the bulk of security updates into a planned release cycle, eliminating the chaos of ad hoc patching. Practitioners around the world know to expect a patch rollout every month.

However, the aspirational goal of risk and stress reduction for IT and security teams is a mere dream. There are a lot of vulnerabilities for businesses to keep up with, and Microsoft remains one of the top producers of vulnerabilities. Since 2003, the company has disclosed and patched more than 10,900 unique flaws, according to data from CVE Details. Of these, more than 1,200 were rated Critical in severity and more than 5,300 were rated Important. More than 630 exploits exist for Critical and Important vulnerabilities across Microsoft products, per Exploit-DB.

Now what does that do to IT and security professionals' stress levels? Patching vulnerabilities is a critical part of cybersecurity, but that fact should not obscure questions about the sheer volume of patches required from a single vendor.

Given Microsoft's extensive share of the market across a range of product areas, and the number of vulnerabilities across its lineup, it represents the largest attack surface and risk multiplier for businesses of all sizes. Microsoft, despite marketing claims, is not a security company. Using checks and balances — branching outside its ecosystem — is the way to secure Microsoft products. While organizations often depend on Patch Tuesday as their primary protection against Microsoft's vulnerabilities, it’s also important for defenders to have visibility to identify and detect exploits before they learn about them after the fact on Patch Tuesday.

Here, let's take a closer look at how adversaries' evolving speed and sophistication exacerbates the potential for a breach, and why additional steps are necessary for organizations to remain secure.

Every Vulnerability Introduces Risk

Today's threat actors are growing smarter and more sophisticated. For those looking to raise their chance of a successful breach, the breadth and continued new vulnerabilities in Microsoft tools and services tips the odds in their favor. All they need is one exploit and they have the means to access any number of potential victims. It's not surprising that Microsoft has become adversaries' go-to attack surface.

Adversaries also have speed on their side. The average breakout time for today's threat actors continues to fall; now, it's down to only 79 minutes. As they ramp up their activity, organizations must keep up if they want to stop a breach.

But patching takes time. Admins must first test the patch before deploying, and with dozens of patches to apply every month, the process takes even longer — more so if a patch fails, or if there are issues during the testing and deployment process. For some businesses, there are more complications: Those with fewer staff and resources may take longer to apply patches; those with complex environments or critical systems may need to take steps to avoid downtime.

The gap between patch rollouts contributes to this delay. Patches for bugs discovered between releases aren't issued until the next monthly deployment, creating a gap during which organizations are exposed. This creates a larger window during which adversaries can find and exploit these vulnerabilities.

Staying Ahead of the Adversary

For 20 years, Microsoft has stayed on the same monthly patch release schedule. In doing so, it does bring order into the patching process that helps organizations stay on track. But the high number of vulnerabilities that Microsoft requires to be patched, and the growing global dependence on Microsoft tools and services, creates new risks that adversaries can exploit.

More secure software development can help. The complementary concepts of secure by design and secure by default, advanced by the Cybersecurity and Infrastructure Security Agency (CISA) and partner nations, are also important. This guidance refers to building cybersecurity into the design and manufacture of technology products in order to ensure end users don't ultimately bear the burden of poorly developed technologies and shoddy security practices. These practices would go a long way in eliminating the need to fix dozens of vulnerabilities each month.

To protect their existing systems, however, organizations need clearer and more comprehensive visibility into the vulnerabilities putting them at risk. Vulnerability assessment technology surfaces security flaws in context and provides the information organizations need to quickly remediate issues before they're exploited. With vulnerability visibility and patching guidance embedded in a security platform, organizations can stay a step ahead of adversaries.

More broadly, organizations must also implement strong and effective cybersecurity programs that prioritize defense-in-depth. They must confirm the basics are covered and consider an integrated mix of vendors to build a layered defense model. Leveraging data from multiple sources can make a tremendous difference in detecting and responding to potential threats — before learning about them on the second Tuesday of the following month.