It turns out that patch management may very well be at the root of all cybersecurity evil. A new survey of 3,000 cybersecurity professionals working at organizations with over 1,000 employees, conducted by The Ponemon Institute on behalf of ServiceNow, a provider of IT management applications delivered via the cloud, finds that well over half (57%) of respondents who reported a breach attributed it to a vulnerability for which a patch was already available but not applied. Over a third (34%) admitted they knew they were vulnerable before the breach occurred.
All told, almost half (48%) said their organization reported a data breach in the last two years.
Unfortunately, patch management challenges may only worsen before they eventually get better. Over half of respondents (53%) said that the time between when a patch is released and when hackers attack has decreased by an average of 29 percent over the last two years. Attack volumes, along with the severity of those attacks, are also on the rise. Survey respondents reported an average 15 percent increase in cyberattack volumes in the last 12 months and said the severity of those attacks has increased by 23 percent.
Many cybersecurity professionals appear convinced that this increase could not be occurring unless cybercriminals were taking advantage of advanced technologies to discover vulnerabilities faster. Over half the respondents (54%) agreed that attackers are outpacing enterprises with technology such as machine learning and artificial intelligence (AI).
That’s cause for concern because 61 percent say reliance on manual patch management processes is putting them at a distinct disadvantage. Over half (55%) say that they spend more time navigating manual processes than responding to the actual vulnerability.
Manual processes are necessary because only 16 percent of respondents say their team is solely responsible for patching. Other challenges include having no common view of assets and applications across security and IT (73%), reliance on emails and spreadsheets to manage the patching process (57%), and the simple fact that there is no easy way to track whether vulnerabilities are being patched in a timely manner (62%).
Not surprisingly, almost two-thirds (65%) of respondents say they find it difficult to prioritize what needs to be patched first. On average, the survey finds it takes 12.1 days to coordinate across teams to remediate a vulnerability. Respondents say that their companies spend 321 hours a week on average managing the vulnerability response process.
Companies that avoided breaches rated their ability to patch vulnerabilities in a timely manner 41% higher than those that had been breached. They rated their ability to detect vulnerabilities 19% higher. The survey concludes that patch management processes are the most significant characteristic distinguishing companies that were not breached in the last two years.
Because they are struggling with manual processes, 64% of respondents say that they plan to hire additional dedicated resources for vulnerability response over the next 12 months. The planned headcount increase is 3.97 people. This represents 50% growth over today’s staffing levels. Given the general shortage of cybersecurity professionals, it’s a bit of a mystery where all the additional headcount will be found. The report also notes that throwing additional headcount at flawed patch management processes is not likely to generate the desired result.
The good news is that advances in DevSecOps should help address patch management issues. In addition, applications built using containers such as Docker eliminate the need to patch applications altogether. New functionality is added by simply replacing one set of containers with another. But legacy applications that rely on patches for updates will be with us for at least another decade or more.
In the meantime, it’s obvious that patch management processes need to become more automated. Cybersecurity professionals and their developer allies can’t keep pace. Not patching applications in a timely manner now borders on the reckless. The sad truth is that overreliance on manual patch management processes makes it too easy for cybercriminals. That may not necessarily rise to the standard of aiding and abetting the enemy. But reliance on manual patch management processes is definitely a lot closer to meeting that definition than any organization should ever allow.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.