To paraphrase English novelist Jane Austen,
it is a fact universally acknowledged that organizations must act with alacrity
when it comes to applying software patches to their systems. A number of recent
notorious incidents – think the WannaCryptor malware outbreak or the breach at Equifax last year – have exposed the perils of a failure to
implement fixes for software vulnerabilities in a timely manner.
A recent study by the Ponemon Institute and enterprise IT cloud
services company ServiceNow sheds some light on the magnitude of the patching
problem. Underpinned by interviews with 3,000 cybersecurity professionals
worldwide, the report – called Today’s State of Vulnerability Response:
Patch Work Demands Attention – found that one in every two (48%)
organizations suffered at least one data breach in the last two years. Most
(57%) of the breached firms attributed the incident to a vulnerability for
which a patch was available at the time, but not applied. What is more, one in
three of those breached actually knew they were vulnerable. Indeed,
consistently plugging holes in software could have stopped many attacks dead in
their tracks.
Seen from another perspective,
headline-grabbing data breaches “are only the tip of the iceberg” – as the
report itself notes, after all. It is little wonder, then, that firms need a
more effective vulnerability response in order to close the gaps before
attackers exploit them. Compounding things further is another finding in the
study – both the volume of attacks and their severity are trending upwards, by
15% and 23%, respectively.
Patching is crucial
So how can businesses keep up with patching
in the increasingly complex business and IT environments? To be sure, there are
no simple answers to a question involving such complex tasks fraught with many
potential pitfalls. Drawing on input from, and characteristics of,
organizations that have avoided breaches, the report does, however, offer several
insights and suggests a best-practices approach.
Let’s get a bit more statistical for a
moment:
·
Organizations
spend an average of 321 hours per week, or roughly eight full-time employees,
to manage the vulnerability response process
·
Nearly
two-thirds (64%) of the respondents said that they plan to hire more staff
people dedicated to vulnerability response over the next year – on average,
this equated to four extra employees, i.e. an increase of 50% over the existing
staffing levels
Now, hiring more people may actually be
easier said than done, given the well-known dearth of cybersecurity talent. Regardless, the study arrives at one
of its key takeaways, which it calls “security’s patching paradox”: more
employees alone does not translate into improved security.
The crux of the patching problem lies
elsewhere, according to the report. A few more stats may help drive the message
home:
·
Most
respondents (55%) said that they spend more time navigating manual processes
than actually responding to vulnerabilities
·
Most
(61%) feel disadvantaged due to the reliance on manual processes when patching
vulnerabilities
·
An average
of 12 days was lost manually coordinating across teams for every vulnerability
that they patched
·
Two-thirds
(65%) said they find it difficult to triage which hole needs to be plugged
first and what can wait its turn
The rub
In a nutshell, then, organizations are being
held back by inefficient manual processes and find it difficult to prioritize
effectively what requires to be patched as a matter of urgency. Adding to their
woes is another finding gleaned from the survey: every second respondent (53%)
said that the time window for patching – the time between the release of a
patch and an attack – has dropped by an average of 29% over the last two years.
In patching, speed can be of the essence.
Organizations that have avoided breaches in the past two years stand out in two
key respects: the ability to detect vulnerabilities quickly and, even more
importantly, the ability to patch vulnerabilities in a timely manner, reads the
report.
Given the skills gap, firms need to automate
routine vulnerability response processes and remove internal process and data
barriers in order to streamline and speed up the patching process
significantly. They need to scan their systems and networks for vulnerabilities
to see where a hole needs to be plugged: 37% of breach victims said that they
don’t even carry out such scans. Prioritization of vulnerabilities is also
essential, and it should consider the severity of the flaws based on scanner or
CVVS scores and on understanding the importance of the
affected systems.
All told, instead of seeking scarce talent,
organizations would be better advised to make their internal processes more
efficient and reduce the burden on staff by increasing reliance on automation,
according to the study.
