The Problem with Patching

BrandPost by Jeff Miller
Apr 27, 2022
Tags: Cyberattacks, Patch Management, Software

Software vulnerabilities are like an open door for hackers to exploit.

Patching isn’t just an IT operations problem; it’s also a security problem. Highly organized cybercriminals are constantly searching for vulnerabilities in the software and systems on which organizations depend.

For example, zero-day vulnerabilities and software supply-chain attacks were the cause of 21% of security incidents among enterprises last year, according to the Foundry 2021 Security Priorities Study.

Significantly, only 10% of organizations addressed all open vulnerabilities within one year of discovery, according to a study conducted by Tenable.

Also, a Ponemon study found that:

  • 53% of organizations suffered a data breach within the last 24 months
  • 42% of those suffering a breach said the cause was a vulnerability for which there was a patch that had not been applied

It may seem incomprehensible that organizations would leave serious security vulnerabilities unfixed for a year or more. It’s like leaving your back door wide open in a high-crime neighborhood when you’ve got a secure deadbolt on it. Why doesn’t IT just patch its stuff?

The answer is that patching is far from a simple task in modern IT environments, which are sprawling, complex, and constantly changing. A significant challenge is volume: In 2021, there were more than 20,000 reported vulnerabilities, a 10% increase over 2020. Even if only one-tenth of these vulnerabilities apply to your organization, that’s more than five patches to download, test and deploy every single day of the year.

Another problem is the use of ineffective prioritization and management schemes. Not all vulnerabilities are created equal — some could be catastrophic if exploited, while others may pose only a relatively small risk. However, few organizations have an accurate, efficient means of identifying which patches need to be applied first. As a result, vulnerabilities with dangerous, actively used exploits can remain unpatched for a long time.

It’s also not as straightforward as simply deploying the patch that a vendor issues. Enterprise IT infrastructures are complicated and highly interdependent. Patches can break systems, so prior to deploying one, it has to be thoroughly tested to make sure that it doesn’t cause any problems — which again, takes time.

And then there’s the disconnect between security and IT ops teams, which have separate responsibilities and often don’t communicate effectively … if at all.

The key to overcoming the patching problem is to automate as much of the process as possible. The advantages include greater accuracy, because automation avoids introducing human error, and greater speed, because the task completes faster. For example, an endpoint management platform can be integrated with a vulnerability scanning solution such as Tenable or Qualys to not only identify vulnerabilities, but also identify the best patch to address each one and provide automated remediation by deploying that fix.

As a result, IT operations can analyze the status of configurations, vulnerabilities, and inventories across the entire enterprise and then enforce policies automatically in near real time. Ultimately it cuts the time to resolution for any given vulnerability from hours or days to mere minutes.

And in today’s dangerous threat landscape, that’s an enormous advantage in the battle against cyberattacks.

Dramatically compress the time to identify and remediate vulnerabilities. Learn more by visiting HCL BigFix.