Rough patch, or how to shut the window of (unpatched) opportunity

Simply throwing more staff at the patching problem won’t cut it, a study suggests.

To paraphrase English novelist Jane Austen, it is a fact universally acknowledged that organizations must act with alacrity when it comes to applying software patches to their systems. A number of recent notorious incidents – think the WannaCryptor malware outbreak or the breach at Equifax last year – have exposed the perils of a failure to implement fixes for software vulnerabilities in a timely manner.

A recent study by the Ponemon Institute and enterprise IT cloud services company ServiceNow sheds some light on the magnitude of the patching problem. Underpinned by interviews with 3,000 cybersecurity professionals worldwide, the report – called Today’s State of Vulnerability Response: Patch Work Demands Attention – found that one in every two (48%) organizations suffered at least one data breach in the last two years. Most (57%) of the breached firms attributed the incident to a vulnerability for which a patch was available at the time, but not applied. What is more, one in three of those breached actually knew they were vulnerable. Indeed, consistently plugging holes in software could have stopped many attacks dead in their tracks.

Seen from another perspective, headline-grabbing data breaches “are only the tip of the iceberg”, as the report itself notes. It is little wonder, then, that firms need a more effective vulnerability response in order to close the gaps before attackers exploit them. Compounding things further is another finding in the study: both the volume of attacks and their severity are trending upwards, by 15% and 23%, respectively.


Patching is crucial

So how can businesses keep up with patching in the increasingly complex business and IT environments? To be sure, there are no simple answers to a question involving such complex tasks fraught with many potential pitfalls. Drawing on input from, and characteristics of, organizations that have avoided breaches, the report does, however, offer several insights and suggests a best-practices approach.

Let’s get a bit more statistical for a moment:

  • Organizations spend an average of 321 hours per week, or roughly eight full-time employees, to manage the vulnerability response process
  • Nearly two-thirds (64%) of the respondents said that they plan to hire more staff dedicated to vulnerability response over the next year – on average, this equated to four extra employees, i.e. an increase of 50% over existing staffing levels

Now, hiring more people may actually be easier said than done, given the well-known dearth of cybersecurity talent. Regardless, the study arrives at one of its key takeaways, which it calls “security’s patching paradox”: more employees alone do not translate into improved security.

The crux of the patching problem lies elsewhere, according to the report. A few more stats may help drive the message home:

  • Most respondents (55%) said that they spend more time navigating manual processes than actually responding to vulnerabilities
  • Most (61%) feel disadvantaged due to the reliance on manual processes when patching vulnerabilities
  • An average of 12 days was lost manually coordinating across teams for every vulnerability that they patched
  • Two-thirds (65%) said they find it difficult to triage which hole needs to be plugged first and what can wait its turn

The rub

In a nutshell, then, organizations are being held back by inefficient manual processes and find it difficult to prioritize effectively what needs to be patched as a matter of urgency. Adding to their woes is another finding gleaned from the survey: every second respondent (53%) said that the time window for patching – the time between the release of a patch and an attack – has shrunk by an average of 29% over the last two years.

In patching, speed can be of the essence. Organizations that have avoided breaches in the past two years stand out in two key respects: the ability to detect vulnerabilities quickly and, even more importantly, the ability to patch vulnerabilities in a timely manner, reads the report.

Given the skills gap, firms need to automate routine vulnerability response processes and remove internal process and data barriers in order to streamline and speed up the patching process significantly. They need to scan their systems and networks for vulnerabilities to see where a hole needs to be plugged: 37% of breach victims said that they don’t even carry out such scans. Prioritization of vulnerabilities is also essential, and it should consider the severity of the flaws based on scanner or CVSS scores and on an understanding of the importance of the affected systems.
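As an added illustration of the prioritization the report recommends (this is not code from the report, Ponemon or ServiceNow), the Python routine below ranks constructed scanner findings by CVSS base score weighted by the importance of the affected system, and bumps up items whose patch has been available for longer, reflecting the shrinking window between patch release and attack. The asset criticality scale, the weights and the 30-day horizon are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    host: str
    vuln_id: str
    cvss: float            # CVSS base score (0.0-10.0) reported by the scanner
    criticality: int       # assumed scale: 1 (low) .. 3 (critical) business importance
    patch_available: bool  # vendor fix released?
    days_since_patch: int  # days the fix has been out unapplied (0 if no patch yet)

# Assumed weights: a critical system counts 1.5x, a low-value one 0.5x.
CRIT_WEIGHT = {1: 0.5, 2: 1.0, 3: 1.5}
PATCH_AGE_HORIZON_DAYS = 30  # assumed: boost saturates once a patch is a month old

def priority_score(f: Finding) -> float:
    """Severity x asset importance, raised by up to 50% the longer a released
    patch has gone unapplied."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS out of range: {f.cvss}")
    if f.criticality not in CRIT_WEIGHT:
        raise ValueError(f"unknown criticality: {f.criticality}")
    score = f.cvss * CRIT_WEIGHT[f.criticality]
    if f.patch_available:
        age = min(f.days_since_patch, PATCH_AGE_HORIZON_DAYS) / PATCH_AGE_HORIZON_DAYS
        score *= 1.0 + 0.5 * age
    return score

def triage(findings):
    """Return (patch_now, mitigate): findings with a fix, ordered most urgent
    first, and findings with no fix yet, which need a workaround instead."""
    patch_now = sorted((f for f in findings if f.patch_available),
                       key=priority_score, reverse=True)
    mitigate = sorted((f for f in findings if not f.patch_available),
                      key=priority_score, reverse=True)
    return patch_now, mitigate

# Constructed sample findings (vulnerability ids are placeholders, not real CVEs).
FINDINGS = [
    Finding("web-01",   "VULN-A", 9.8, 3, True,  45),
    Finding("db-01",    "VULN-B", 7.5, 3, True,  15),
    Finding("kiosk-07", "VULN-C", 9.8, 1, True,  45),
    Finding("hr-app",   "VULN-D", 8.1, 2, False, 0),
    Finding("web-02",   "VULN-E", 5.3, 3, True,  2),
]

if __name__ == "__main__":
    patch_now, mitigate = triage(FINDINGS)
    for f in patch_now:
        print(f"PATCH    {f.host:9} {f.vuln_id} score={priority_score(f):.2f}")
    for f in mitigate:
        print(f"MITIGATE {f.host:9} {f.vuln_id} score={priority_score(f):.2f}")
```

Note that the medium-severity flaw on the critical web server (VULN-E) outranks the critical-severity flaw on the low-value kiosk (VULN-C): CVSS alone would have ordered them the other way.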

All told, instead of seeking scarce talent, organizations would be better advised to make their internal processes more efficient and reduce the burden on staff by increasing reliance on automation, according to the study.
