
Endpoint

4/22/2016 12:00 PM
Ashley Leonard
Commentary

The Problem With Patching: 7 Top Complaints

Is your security team suffering from patching fatigue? Check out these tips and eliminate critical vulnerabilities in your IT environment.

A term that’s cropped up recently among IT managers is “patching fatigue,” referring to the overwhelming number of patches organizations need to keep their IT environment up-to-date and secure. 

According to the 2016 IBM Security Report, which covers 18 years of patches, there are over 100,000 known vulnerabilities, which works out to around 5,000 a year per device. Only a few hundred would affect each device in a network at any time, but these security risks pile up quickly. Even with a small environment, that’s a monumental task. It’s no wonder “patch fatigue” has caught the attention of many IT departments.

Tripwire recently conducted a survey of nearly 500 US-based IT professionals about their struggles to keep up with patching. Based on the Tripwire data, here are the seven top complaints about patching – and suggestions for streamlining the process. 

Complaint: Patch Management Is Too Time Consuming. No matter the size of the organization, whether it’s a few hundred or over 1,000 endpoints, patching can take hundreds of hours every month. There’s added concern if a patch requires a system restart, especially for servers, where significant downtime and lost business are the likely result.

What To Do About It: Deploy a patch management tool that automates the patching process during maintenance windows when the business is least affected, usually on weekends or after hours. It also helps to focus first on mission-critical patches and to identify the areas that are most vulnerable.

Complaint: It’s More Than Microsoft And Operating Systems. The patching process isn’t limited to Windows or other operating systems. Third-party applications also have patches and not all the patches are created equal. Vendors like WordPress are relatively simple to update, but Java and Flash are often major pain points.

What To Do About It: Ideally, the patch management tool also operates with major third-party vendors. It’s imperative to identify what software is on which devices. If a department or collection of devices share similar software, then grouping the patches together will save time and resources.

Complaint: Java And Flash, The Problem Children. Two of the largest contributors to patch fatigue are Java and Flash because they are typically bundled with other products. Bundling creates version control issues as it’s difficult to know which patches for Java and Flash were deployed to which devices.

What To Do About It: Having an inventory tool is the best way to manage this issue. Properly scanning each device for the software and software version will enable proper patch deployment and remove guesswork.

Complaint: Structured Scheduling And Critical Fixes. Patch Tuesday is Microsoft’s monthly release cycle – always the second Tuesday of the month – providing updates for its catalogue of products. While many IT managers would rather have critical fixes released on an as-created basis, the schedule has eased the burden for many IT managers. Companies like Apple, however, release on an intermittent basis, so if the environment has various operating systems, there’s a greater challenge.

What To Do About It: Get on a schedule. The schedule doesn’t have to match Microsoft’s, though many IT departments implement a Patch Saturday. It’s recommended to take one period during the month to patch devices. Rotating through groups of devices for less-critical patches helps spread the workload. Patching needs to take place quarterly at a minimum, otherwise it’s too dangerous for network security.

Complaint: What Version Is This? Windows 10 Branching. Microsoft’s new strategy for Windows 10 involves updating the OS in two different fashions. Long-term servicing branch (LTSB) is the familiar Windows update with security updates and bug fixes, but alternatively customers can use the current branch (CB), which includes new features. New features help end-users, but testing and possible system downtimes are the most immediate drawbacks.

What To Do About It: Test before updating to the CB. If the business has legacy applications tied to older OS versions, then updating to the current branch is probably inadvisable. Staying up to date is important, but not at the cost of doing business.

Complaint: Don’t Deploy Every Patch. The Common Vulnerability Scoring System (CVSS) is an industry-standard methodology for rating how critical a patch is to a device. But what matters most is how critical a patch is to a device in the business network. Many patches can be ignored regardless of their vendor-issued severity, and conversely, patches not rated highly for most devices could be critical to the environment.

What To Do About It: Controlling which missing updates are selected for deployment, especially those with serious consequences if left undeployed, lessens the potential impact. A patch management tool that also identifies missing patches and gives greater clarity about them limits the strain.
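To make the two preceding recommendations concrete (inventory the installed versions on every device, then rank missing patches by their importance to your environment rather than by vendor severity alone), here is an added Python example; it is not from the article or from any vendor's product. The inventory, the patches and the additive weights for internet-facing and business-critical devices are constructed assumptions.

```python
# Added example (not from the article): rank missing patches using the
# vendor CVSS score plus environment context, over a constructed inventory.
from dataclasses import dataclass


@dataclass(frozen=True)
class Patch:
    product: str
    fixed_version: str   # installed versions below this are missing the patch
    cvss: float          # vendor-issued base score, 0-10


@dataclass(frozen=True)
class Device:
    name: str
    software: dict       # product -> installed version (from an inventory scan)
    internet_facing: bool
    business_critical: bool


def version_tuple(v: str) -> tuple:
    """Turn '21.0.0.213' into (21, 0, 0, 213) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def devices_missing(patch: Patch, inventory: list) -> list:
    """Devices that have the product installed at a version below the fix."""
    return [d for d in inventory
            if patch.product in d.software
            and version_tuple(d.software[patch.product]) < version_tuple(patch.fixed_version)]


def environment_score(patch: Patch, device: Device) -> float:
    """Adjust the vendor CVSS by where the device sits in the business (assumed weights)."""
    score = patch.cvss
    if device.internet_facing:
        score += 2.0
    if device.business_critical:
        score += 1.5
    return min(score, 10.0)


def prioritised_work(patches: list, inventory: list) -> list:
    """(score, device name, product) for every missing patch, most urgent first."""
    work = [(environment_score(p, d), d.name, p.product)
            for p in patches for d in devices_missing(p, inventory)]
    return sorted(work, key=lambda w: (-w[0], w[1], w[2]))


# Constructed sample data: versions and scores are illustrative only.
PATCHES = [Patch("java", "8.91", 9.8), Patch("flash", "21.0.0.213", 7.5), Patch("wordpress", "4.5.1", 4.3)]
INVENTORY = [
    Device("web01", {"wordpress": "4.4", "java": "8.91"}, True, True),
    Device("desk17", {"java": "8.77", "flash": "21.0.0.182"}, False, False),
    Device("erp01", {"java": "8.77"}, False, True),
]
```

Note that the low-CVSS WordPress fix on the exposed, critical web server ranks above the higher-CVSS Flash fix on an ordinary desktop, which is the point of the complaint above.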

Complaint: Patching And Vulnerability Management. Patching and vulnerabilities are frequently intermingled terms, but they are not interchangeable. Even after patching, there are still vulnerabilities that may exist in the network and it’s important to identify where these potential pitfalls exist, typically in legacy applications and older OS versions.

What To Do About It: Patching is the first step for securing an IT network, but the job hardly stops there. Gaining a thorough understanding of the IT network through accurate reporting will identify areas of concern. It’s also important to remove discontinued products; this alone mitigates many problems. But until devices begin self-upgrading or self-patching, it will continue to fall to the IT manager to discover the best way to manage each challenge and relieve the many headaches associated with patching fatigue. 


Ashley Leonard is the president and CEO of Verismic Software, a global industry leader providing cloud-based IT management technology and green solutions. He is a technology entrepreneur with 25 years of experience in enterprise software, sales, and operational leadership. ... View Full Bio
Joe Stanganelli, User Rank: Ninja, 5/6/2016 | 2:41:14 PM
Re: Suggested errata/addendums
Some major websites/companies (most notably, perhaps, Google) have hopped on board with HTML5 alternatives, but yep, Flash is still out there, around, proliferating in the sunlight waiting to drag us into the shadows.
Joe Stanganelli, User Rank: Ninja, 5/4/2016 | 6:33:16 AM
Re: Suggested errata/addendums
@RyanSepe: Excellent point, which I didn't even think of! Who installs Flash on their *servers*? :/
RyanSepe, User Rank: Ninja, 4/26/2016 | 3:14:55 PM
Re: OS Vs. Apps
I agree with you, that's why app security is pivotal. Ingrain security at the development level and you will cut out a lot of future security headaches.
RyanSepe, User Rank: Ninja, 4/26/2016 | 3:13:47 PM
Re: patching - the never ending story ...
It's necessary. In security there will never be a silver bullet and it's difficult to think of a world where patching doesn't exist. Build a steel vault and someone invents a contraption to melt steel. It will always be ongoing. It's those who get fed up with the process and let it go for long periods of time that are losing the fight.
RyanSepe, User Rank: Ninja, 4/26/2016 | 3:11:34 PM
Re: Suggested errata/addendums
That's exactly the problem, legacy applications. I was going to comment on that on your previous post. As you said, maybe not an issue for the personal user, but from an enterprise perspective it's a huge issue.
Dr.T, User Rank: Ninja, 4/26/2016 | 2:33:53 PM
Re: patching - the never ending story ...
"... then you need another patch to fix it ..."

Exactly. Never-ending loop, patching the patch. That is what our experience is with Microsoft. Constant releases to close loopholes are actually a waste of effort, time and money.
Dr.T, User Rank: Ninja, 4/26/2016 | 2:31:19 PM
OS Vs. Apps
Today, there are more problems with the apps than the OSes. Certain apps are vulnerable and they are used to exploit vulnerabilities in the OSes. Apple might have gotten this right from the beginning; maybe both apps and OSes should be part of a closed system to avoid attacks with the least effort.
Dr.T, User Rank: Ninja, 4/26/2016 | 2:30:51 PM
Re: Suggested errata/addendums
"Flash is definitely a pain point ..."

Easy to remove, but the main questions for many companies are around their legacy applications. Most likely some of those critical apps would not be functional without it. I know some companies are still stuck with IE6.
Dr.T, User Rank: Ninja, 4/26/2016 | 2:28:01 PM
Re: Suggested errata/addendums
"... The real solution for Flash is to JUST GET RID OF IT. ..."

Are we still using it? I thought we already dropped Flash and Java; I do not have them on my laptop and I do not miss them. Modern apps are not using them, so we will not need them soon.
Dr.T, User Rank: Ninja, 4/26/2016 | 2:25:44 PM
Better platforms
We may need better platforms to avoid this much patching in our data centers. In the good old mainframe days you were lucky if you could get a patch every two years. :--))