Does Your IT Staff Suffer from Patch Fatigue? And What You Can Do About It
Posted on December 8th, 2020 by Middleton, WI
As the number of vulnerabilities found in software hits an all-time high, and COVID-19 related cybercrime that exploits those vulnerabilities surges alongside it, security teams are struggling to keep on top of the patching process – i.e., updating software to apply the latest security fixes.
In fact, in 2019 (before COVID), a whopping 16,500 vulnerabilities were reported in everything from Microsoft Office to operating systems to obscure, vertical-specific productivity suites. It’s no wonder that 80 percent of applications deployed inside enterprises have at least one unpatched vulnerability lingering, according to .
An Epidemic Security Risk
With this overwhelming volume, patching on an ongoing basis is a lot to take on for already overtaxed IT staffs, and the resulting “patch fatigue” is an epidemic phenomenon that can have a real impact on companies’ security profiles.
Unpatched software is a growing problem for companies, considering that cybercriminals are quick to hop on known vulnerabilities. Once a software bug is disclosed (usually revealed in the course of rolling out software updates containing a patch), it’s only a matter of time before cybercriminals weaponize it, developing working exploits that they can use to compromise networks, steal data, execute remote malware and code, and generally wreak havoc.
For instance, not too long ago, bad actors exploited a critical vulnerability in Cisco WebEx browser extensions that could allow unauthenticated remote code-execution (RCE) on targeted machines. The attacks started mere days after Cisco disclosed the bug and issued a patch.
Making matters worse is the growing lag between exploits appearing and companies getting around to deploying a patch – a period that can be weeks or months. According to Sometimes companies never get around to patching at all; there are still exploits circulating for vulnerabilities that are several years old for the simple reason that they still work.
Consider the case of the highly dangerous, “wormable” vulnerability known as BlueKeep. Microsoft patched the bug on May 14, 2019, and by May 22, 2019, a proof-of-concept (PoC) exploit of the flaw showed up online. As of July 2019, the number of systems that remained unpatched and exposed to BlueKeep was close to 800,000, according to an analysis.
This situation is not simply a case of companies ignoring risks, of course; there are many reasons patching is left undone, such as:
Lack of security resources in IT departments
Inability to afford to take mission-critical systems offline long enough to update the software
Inability to reboot legacy devices without information loss
No time to spin up a parallel system, if needed, to patch the primary system
Negative Side Effects
Patch management creates a slew of challenges for IT staffs:
Incomplete Inventories. Identifying everything that needs to be patched can be overwhelming. The larger a company’s universe of devices is, the harder it is to know what has been patched and what still needs to be addressed.
Tracking Third-party Code. The inventory problem is made harder when you consider that IT also has to take into account third-party code underlying the software – keeping track of which bugs in code repositories and open-source projects (Apache Struts, Microsoft .NET Core and Java development kits, for instance) are present in one’s software footprint can be complex at best.
Recently, for instance, VLC developer VideoLAN alerted customers of a “high-risk” bug tied to a third-party component called MKV demuxer. The bug could be used in an attack to gain control of the victim’s PC.
Generic Scoring Systems. One way that IT departments try to overcome patch fatigue is by turning to the Common Vulnerability Scoring System (CVSS), which is an industry standard for assessing the severity of security vulnerabilities. Relying on CVSS scores can help staff prioritize which patches to apply first. However, the impact of a patch does depend on a company’s specific configuration and architecture, which can be complicated to assess; thus, IT departments are faced with a vetting process that can delay patch application. The CVSS score assigned to a vulnerability, put simply, reflects severity, not real-world risk.
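To make the “severity, not risk” point concrete, here is an added example (not code from the original post or from High Wire Networks) that re-ranks findings by combining the advisory’s CVSS base score with three environment-specific factors: internet exposure, the business criticality the asset owner assigned, and whether a working exploit is known to be circulating. The hostnames, vulnerability identifiers (placeholders, not real CVE numbers) and weights are all constructed assumptions; the point is that a 7.5 on an exposed, critical server ends up ahead of a 9.8 on an isolated lab box.

```python
"""Rank vulnerabilities by contextual risk instead of raw CVSS severity.

Hypothetical example, not the vendor's own scoring. The CVSS base score is
scaled by asset criticality and multiplied up for internet exposure and for a
publicly available exploit, then capped at 100.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str            # placeholder identifier, not a real CVE number
    cvss_base: float        # 0.0 - 10.0 severity taken from the vendor advisory
    internet_facing: bool   # reachable from outside the perimeter
    asset_criticality: int  # 1 (lab / throwaway) .. 5 (revenue-critical), set by the business
    exploit_public: bool    # working exploit circulating, per threat intel


# Weights are assumptions for this illustration; tune them to your own environment.
EXPOSURE_WEIGHT = 1.5
EXPLOIT_WEIGHT = 1.3


def risk_score(f: Finding) -> float:
    """Contextual risk on a 0-100 scale: CVSS severity adjusted for environment."""
    score = f.cvss_base * (f.asset_criticality / 5.0)
    if f.internet_facing:
        score *= EXPOSURE_WEIGHT
    if f.exploit_public:
        score *= EXPLOIT_WEIGHT
    return round(min(score * 10, 100.0), 1)


def prioritize_by_risk(findings):
    """Highest contextual risk first; host and id break ties deterministically."""
    return [f.host for f in sorted(findings, key=lambda f: (-risk_score(f), f.host, f.vuln_id))]


def prioritize_by_cvss(findings):
    """The naive ordering: highest CVSS base score first."""
    return [f.host for f in sorted(findings, key=lambda f: (-f.cvss_base, f.host, f.vuln_id))]


# Constructed sample findings.
SAMPLE = [
    Finding("lab-vm-07", "VULN-0001", 9.8, internet_facing=False, asset_criticality=1, exploit_public=False),
    Finding("web-edge-01", "VULN-0002", 7.5, internet_facing=True, asset_criticality=5, exploit_public=True),
    Finding("hr-db-02", "VULN-0003", 8.1, internet_facing=False, asset_criticality=4, exploit_public=True),
]

if __name__ == "__main__":
    print("by CVSS:", prioritize_by_cvss(SAMPLE))
    print("by risk:", prioritize_by_risk(SAMPLE))
    for f in prioritize_by_risk(SAMPLE) and sorted(SAMPLE, key=lambda f: -risk_score(f)):
        print(f"{f.host:12} cvss={f.cvss_base:4} risk={risk_score(f)}")
```

Run as a script, the CVSS ordering puts the lab VM first and the edge web server last, while the risk ordering reverses that. The multiplier values are deliberately simple; what matters is that the inputs (exposure, criticality, exploit availability) come from your own inventory and threat intelligence, which is exactly the vetting work the paragraph above describes.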
Conflicting Schedules. Most IT teams also try to implement a cyclical approach to patch management; vendors like Oracle, Adobe and Microsoft issue monthly updates (Patch Tuesday, in Microsoft’s case), so aligning internal processes with these can be planned ahead of time. However, this remains resource intensive.
The Antidote: Patch Management as a Service
Fortunately, one way to stay on top of patch management is to automate. Policy-driven automation allows you to streamline the fundamentals of endpoint hardening, automatically securing your devices without hands-on maintenance.
While it’s possible to do this in-house, companies can save valuable administrative costs and labor overhead by turning to a trusted partner.
High Wire Networks, for example, helps address the patching nightmare via the Overwatch Managed Security Platform-as-a-Service. Our patch service includes:
Automated scripts and worklets for installing application and OS updates for Windows, macOS, Linux and more than 100 user and server applications.
Consideration of individual policies
24/7 management and monitoring
Our cross-platform solution patches any Windows, macOS or Linux endpoint—whether they’re on-premises or in the cloud. And, to help IT staff keep tabs on the state of the company’s patching, all OS, application and third-party patch management and security configurations are available from a single, cloud-native console. In one GUI-based dashboard, you can see which endpoints are:
missing critical patches
out of compliance
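The two dashboard views above (endpoints missing critical patches, and endpoints out of compliance) are not the same set, and the distinction matters for where manual effort goes. The following added example, which is not the vendor’s code, shows the logic such a console runs over an inventory: a constructed patch catalogue (placeholder patch ids with a severity and release date), a constructed set of endpoints with their installed patches, and an assumed patching SLA per severity. An endpoint can be missing a critical patch yet still be inside its SLA window.

```python
"""Patch-compliance report over an endpoint inventory.

Hypothetical example with constructed data. "Missing critical" is a point-in-time
gap; "out of compliance" additionally means the SLA clock for that patch has run out.
"""
from datetime import date, timedelta

# Constructed patch catalogue: patch id -> (severity, release date). Ids are placeholders.
REQUIRED_PATCHES = {
    "KB-PLACEHOLDER-1": ("critical", date(2020, 11, 10)),
    "KB-PLACEHOLDER-2": ("important", date(2020, 11, 10)),
    "KB-PLACEHOLDER-3": ("critical", date(2020, 12, 8)),
}

# Assumed SLA: days allowed after release before a missing patch counts as non-compliant.
SLA_DAYS = {"critical": 7, "important": 30, "moderate": 90}

# Constructed inventory: endpoint -> set of installed patch ids.
INVENTORY = {
    "win-fin-01": {"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2", "KB-PLACEHOLDER-3"},
    "mac-des-14": {"KB-PLACEHOLDER-1"},
    "lnx-web-03": {"KB-PLACEHOLDER-2", "KB-PLACEHOLDER-3"},
}


def missing_patches(installed, catalogue=REQUIRED_PATCHES):
    """Required patches that this endpoint has not installed."""
    return {p for p in catalogue if p not in installed}


def missing_critical(inventory=INVENTORY, catalogue=REQUIRED_PATCHES):
    """Endpoints lacking at least one critical patch, regardless of how new it is."""
    return sorted(
        host for host, installed in inventory.items()
        if any(catalogue[p][0] == "critical" for p in missing_patches(installed, catalogue))
    )


def out_of_compliance(today, inventory=INVENTORY, catalogue=REQUIRED_PATCHES, sla=SLA_DAYS):
    """Endpoints with a missing patch whose SLA window has already elapsed, with the overdue ids."""
    report = {}
    for host, installed in inventory.items():
        overdue = sorted(
            p for p in missing_patches(installed, catalogue)
            if today - catalogue[p][1] > timedelta(days=sla[catalogue[p][0]])
        )
        if overdue:
            report[host] = overdue
    return report


def dashboard(today, inventory=INVENTORY, catalogue=REQUIRED_PATCHES, sla=SLA_DAYS):
    """The two views a console would show side by side."""
    return {
        "missing_critical": missing_critical(inventory, catalogue),
        "out_of_compliance": out_of_compliance(today, inventory, catalogue, sla),
    }


if __name__ == "__main__":
    # Constructed report date: two days after the newest patch in the catalogue.
    for view, rows in dashboard(date(2020, 12, 10)).items():
        print(view, rows)
```

With the constructed data, both mac-des-14 and lnx-web-03 appear under “missing critical patches”, but only lnx-web-03 is out of compliance: its missing critical patch is a month old, whereas mac-des-14’s missing critical patch shipped two days ago and is still inside the seven-day window. That is the endpoint to pull into the manual queue first.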
In the case of mission-critical infrastructure that can’t easily be taken offline, automating the majority of the patching process allows IT staff to focus their manual efforts on these difficult cases.
Bottom line, a fully patched infrastructure is a core, fundamental pillar of maintaining strong corporate security. Patch management is difficult – and “patch fatigue” is real. Take your company off cybercriminals’ list of “low-hanging fruit” by turning to an automated service that can close down the bugs and free up your precious security resources.