How organizations can better manage and prioritize security patches

Discovering how not to treat all vulnerabilities as equal is a key strategy in patch management, says risk-based vulnerability firm Kenna Security.


Patch management can be a challenging task for any organization. With the sheer volume of hardware and software vulnerabilities regularly discovered, patching all the products used at your company can easily tax any IT or security staff. Mitigating that challenge is a matter of prioritizing the actual risks based on the products you use in your environment. Released Tuesday by Kenna Security, the report Prioritization to Prediction - Volume 5: In Search of Assets at Risk, offers some insight and advice on how to better manage security vulnerabilities and their patches.


For this research, Kenna Security collected data on security vulnerabilities and patches and sent it to the Cyentia Institute for independent analysis. The report found that the typical organization manages vulnerabilities across around 800 active products or assets, but 10% of organizations manage more than 35,000 such assets. Across all organizations, the count runs from fewer than 10 assets to more than 1 million. That sounds like an insurmountable number to handle, so let's break down that workload by both product and patch.

Windows computers are the most common asset as around half of firms analyzed for the report have an asset mix of at least 85% Windows-based systems. Some 70% of Windows systems had at least one open vulnerability with known exploits during the period of analysis. A Windows-based asset had an average of 119 vulnerabilities per month.

However, Microsoft tends to patch its products faster than do other vendors because of the steady stream of automated patches. As such, these vulnerabilities are patched by the company within 36 days, on average.

Linux systems are the next most common asset, followed by Cisco appliances in third place. Some 40% of Linux/Unix systems and 30% of network appliances have at least one open vulnerability with known exploits.

Organizations tend to fix most of the security issues affecting their assets but they do so most quickly for Windows and Mac OS X. The half-life of vulnerabilities in a Windows system is 36 days.

But, the story is quite different for network devices such as routers, printers, and Internet of Things appliances. These devices have an average of only 3.6 vulnerabilities per month, but it can take as long as a year to fix them.

Looking at patch rates, the large number of Microsoft machines across organizations leads to higher numbers of unpatched vulnerabilities. Over the research period, a combined 215 million vulnerabilities were discovered on Microsoft machines. Though 179 million of them were patched, the remaining 36 million unpatched flaws on Microsoft machines exceeded the total number of patched and unpatched vulnerabilities found on Mac, Linux, Unix, and network devices combined. Yet, Microsoft assets were patched at a higher rate than all other asset classes.

Apple computers with OS X had the second-highest critical patch rate of all asset classes at 79%. Less than 66% of the high-risk vulnerabilities found on Linux and Unix systems and network devices were patched.

"With automated patching and 'Patch Tuesdays,' the speed at which Microsoft is able to fix critical vulnerabilities on their systems is remarkable, but there still tend to be a lot of them," Wade Baker, partner and founder at Cyentia Institute, said in a press release. "On the other hand, we see lots of assets, like routers and printers, where high-risk vulnerabilities have a longer shelf life. Companies need to align their risk tolerance, strategy, and vulnerability management capabilities around these trade-offs."

To get a better handle on patch management, organizations should keep in mind the following findings from the report:

  1. There are A LOT of published vulnerabilities. A ton of vulnerabilities exist that potentially represent risk to organizations and consumers. More than 130,000 have been published in the National Vulnerability Database (NVD), and many more exist that haven't been officially recognized. Based on sheer volume alone, it's clear why so many vulnerability management programs drown under the deluge. With the expansion of the CNA process in 2017, the rate of new CVE entries tripled. But while that increase may seem scary, this is more a measurement of the CVE process and less about the inherent security of software and hardware over time.
  2. Remediating vulnerabilities can take A LOT of time. As if dealing with 130,000 vulnerabilities wasn't enough, it gets worse when remediating them in a live environment. It's not simply a matter of squashing a bug and you're done; it's a process of finding and fixing every asset affected by each vulnerability. Because so many systems are affected, remediating security exposures can be a complex, lengthy process. Some 45% of vulnerabilities are patched in the first month and 66% within three months, but a bit under 20% hang around longer than a year.
  3. Organizations cannot fix ALL vulnerabilities. Given the volume of vulnerabilities affecting infrastructure and the time it takes to fix them, it's not surprising that firms can't consistently remediate them all.
  4. Not ALL vulnerabilities need to be fixed right now. It may seem like vulnerability management is a hopeless venture, but there were some genuine signs of hope in the data. Firms can't fix everything, but the reality is that they don't need to. Many vulnerabilities affect technologies not currently used in most enterprise networks. While it's certainly true that new exploits emerge regularly, it's also true that most firms can safely deprioritize vulnerabilities without known exploits. When you can't fix everything, fixing what matters most is critical.
  5. Firms can fix all HIGH-RISK vulnerabilities. Here are two key facts: 1) Firms can't fix all their vulnerabilities, and 2) only a small proportion of vulnerabilities have known exploits. Thus, it's theoretically possible that organizations might be able to remediate all high-risk vulnerabilities across their environment, assuming laser focus. They might even have room to fix vulnerabilities that aren't yet exploited but probably will be in the future. Among the hundreds of firms examined in the research, just over half of them reduced the number of high-risk vulnerabilities in their environment, while 16% held their ground. That means two-thirds of organizations are successfully managing vulnerability risk in the real world.
  6. Try Kenna's Exploit Prediction Scoring System. To better assess the likelihood of specific vulnerability threats, check out Kenna's Exploit Prediction Scoring System Calculator.
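The findings above boil down to a working rule: you cannot patch everything, so order the backlog by whether an exploit is known, then by severity and age, and track whether the high-risk backlog is shrinking. The script below is an added illustration of that prioritization and of the remediation-time metrics the report uses (share fixed within a month, within three months, and still open after a year). It is not code from Kenna Security or the Cyentia Institute, and the inventory, asset names and `VULN-nnnn` identifiers are constructed placeholders, not real CVEs or report data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Finding:
    """One vulnerability observed on one asset (constructed schema)."""
    asset: str
    asset_class: str          # "windows", "linux", "network"
    vuln_id: str              # placeholder ID, not a real CVE
    cvss: float
    known_exploit: bool       # the report's "high-risk" signal
    first_seen: date
    fixed_on: Optional[date] = None   # None means still open


# Constructed sample inventory; dates and scores are made up for the example.
INVENTORY = [
    Finding("ws-01",  "windows", "VULN-0001", 9.8, True,  date(2019, 1, 2), date(2019, 1, 20)),
    Finding("ws-01",  "windows", "VULN-0002", 5.3, False, date(2019, 1, 2), None),
    Finding("ws-02",  "windows", "VULN-0001", 9.8, True,  date(2019, 1, 2), None),
    Finding("db-01",  "linux",   "VULN-0003", 7.5, True,  date(2019, 1, 5), date(2019, 3, 1)),
    Finding("db-01",  "linux",   "VULN-0004", 4.0, False, date(2019, 1, 5), None),
    Finding("rtr-01", "network", "VULN-0005", 8.1, True,  date(2018, 6, 1), None),
    Finding("prn-01", "network", "VULN-0006", 6.5, False, date(2018, 6, 1), date(2019, 9, 1)),
]


def prioritize(findings):
    """Open findings in patch order: known-exploit first, then higher CVSS,
    then the oldest observation (longest exposure) first."""
    open_findings = [f for f in findings if f.fixed_on is None]
    return sorted(open_findings,
                  key=lambda f: (not f.known_exploit, -f.cvss, f.first_seen))


def high_risk_backlog(findings):
    """Count of open known-exploit findings; the number finding 5 says to drive down."""
    return sum(1 for f in findings if f.fixed_on is None and f.known_exploit)


def assets_with_open_exploitable(findings):
    """Per asset class, the fraction of assets carrying at least one open
    known-exploit finding (the report's 70% Windows / 40% Linux / 30% network style metric)."""
    per_class = {}
    for f in findings:
        assets = per_class.setdefault(f.asset_class, {})
        assets.setdefault(f.asset, False)
        if f.fixed_on is None and f.known_exploit:
            assets[f.asset] = True
    return {cls: sum(flags.values()) / len(flags) for cls, flags in per_class.items()}


def remediation_stats(findings, as_of):
    """Cumulative share of findings fixed within 30/90/365 days of first sighting,
    plus the share still open after more than a year, as of the given date."""
    n = len(findings)

    def fixed_within(days):
        return sum(1 for f in findings
                   if f.fixed_on is not None and (f.fixed_on - f.first_seen).days <= days) / n

    open_over_year = sum(1 for f in findings
                         if f.fixed_on is None and (as_of - f.first_seen).days > 365) / n
    return {
        "fixed_within_30d": fixed_within(30),
        "fixed_within_90d": fixed_within(90),
        "fixed_within_365d": fixed_within(365),
        "open_over_1y": open_over_year,
    }


if __name__ == "__main__":
    for f in prioritize(INVENTORY):
        print(f"{f.asset:7} {f.vuln_id} cvss={f.cvss} exploit={f.known_exploit}")
    print("high-risk backlog:", high_risk_backlog(INVENTORY))
    print("assets with open exploitable vulns:", assets_with_open_exploitable(INVENTORY))
    print("remediation:", remediation_stats(INVENTORY, date(2019, 12, 1)))
```

Run as-is to see the queue for the constructed inventory: the two known-exploit findings (one on a workstation, one on a router) come first regardless of which asset class they sit on, and the router entry is the one that would show up in the "open for more than a year" bucket, matching the report's observation that network devices carry fewer vulnerabilities but hold them far longer. Tracking `high_risk_backlog` over successive scans is the simplest way to check whether your program is in the "reducing" or "holding ground" group the report describes.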
