Security Patches: Move Faster to Keep Up With the Bad Guys

You’re tired of hearing it. Most security pundits are tired of saying it. Applying and testing security patches with alacrity is one of the keys to avoiding data breaches. And it looks like that could become even more imperative.

A new Ponemon Institute study, commissioned by ServiceNow, concludes that cybercriminals and hackers have responded more quickly, more frequently and with increased severity in recent years. Some 53 percent of the respondents agreed that the time between patch release and hacker attack has decreased an average of 29 percent over the last two years. Cybercriminals have already shown that they are becoming more sophisticated in their use of technology. If they employ machine learning and artificial intelligence (AI), as many fear they will, expect the response time to continue to contract. Hackers are stepping it up, and that means enterprises are forced to do the same or suffer potentially severe breaches.

Ponemon Institute surveyed nearly 3,000 cybersecurity professionals at companies with 1,000 or more employees in Australia, France, Germany, Japan, the Netherlands, New Zealand, Singapore, the United Kingdom and the United States.

Increasing Pressure to Patch

Among the study’s key findings: 48 percent of the respondents have experienced breaches in the last two years. Cyberattack volume increased by 15 percent over the last year, and severity of attack increased nearly 25 percent. Of the half of respondents who experienced a breach, 57 percent said they were breached because of a vulnerability for which a patch was already available.

And there it is: The key to avoiding breaches is changing the way companies think about detecting and patching vulnerabilities. It’s a race now, a real race. Can you detect and implement a patch before hackers exploit the vulnerability that you haven’t patched yet? Up until recently, this race was run by the tortoise and the turtle. But cybercriminals are taking advantage of that window of unpatched opportunity.

What’s slowing you down? Is your vulnerability detection and patch process manual? Does it require coordination across multiple departments? Is the job handled by multiple point people? Is the responsibility spread out? Do you have lots of siloed systems that need to be patched separately? Devoting new headcount to that kind of process may be wasting resources. Some 55 percent of the survey’s respondents say they spend more time navigating a manual process than responding to vulnerabilities. Another problem is prioritization: Sixty-five percent admit they have difficulty deciding what to patch first.

Of those who did not experience a breach over the past two years, one of their responses was especially significant. They rated their company’s ability to patch vulnerabilities in a timely manner 41 percent higher than those whose enterprises were breached. When reaction times matter, you need to automate the process.

Patch Well and Live

Based on the study, ServiceNow’s report offers some useful recommendations. Start by taking stock of all the systems that are at risk for vulnerability. Prioritize this list based on the nature of the data they contain and the problematic aspects they present, such as cross-departmental coordination. Focus first on the most at-risk data and the low-hanging fruit. If your company does not scan for vulnerabilities, both internally and externally, that needs to be a top priority. Almost 40 percent of the breach victims in this study admitted that they don’t scan for vulnerabilities.

Create one common view combining vulnerability and IT configuration data—ideally using a single platform. It’s important to break down the data barriers between infoSec and IT. Build your response processes and automate as much as you can. That will free up your security team to focus on the next big challenge.
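As an added illustration (not code from the article or from ServiceNow's report), the sketch below joins a scanner's findings with an IT inventory into one ranked patch queue and reports coverage gaps such as hosts that were never scanned. The hosts, field names, placeholder vulnerability ids and scoring weights are all constructed assumptions.

```python
from datetime import date

# Constructed sample data (assumed field names, placeholder vulnerability ids).
ASSETS = [  # IT configuration view: one row per system
    {"host": "db-payments", "owner": "finance-it", "data": "regulated", "last_scan": date(2018, 5, 1)},
    {"host": "web-portal", "owner": "web-team", "data": "customer", "last_scan": date(2018, 4, 28)},
    {"host": "build-agent", "owner": "dev-tools", "data": "internal", "last_scan": date(2018, 5, 2)},
    {"host": "hr-fileshare", "owner": "hr-it", "data": "customer", "last_scan": None},
]
FINDINGS = [  # vulnerability view: scanner output
    {"host": "db-payments", "vuln": "VULN-A", "severity": 7.5, "patch_released": date(2018, 3, 1)},
    {"host": "web-portal", "vuln": "VULN-B", "severity": 9.8, "patch_released": date(2018, 4, 20)},
    {"host": "build-agent", "vuln": "VULN-C", "severity": 9.8, "patch_released": None},
    {"host": "legacy-ftp", "vuln": "VULN-D", "severity": 5.0, "patch_released": date(2017, 11, 1)},
]
DATA_WEIGHT = {"regulated": 3.0, "customer": 2.0, "internal": 1.0}  # assumed weights

def build_view(assets, findings, today):
    """Join both sources; return (ranked patch queue, coverage gaps)."""
    inventory = {a["host"]: a for a in assets}
    queue, gaps = [], []
    for f in findings:
        asset = inventory.get(f["host"])
        if asset is None:
            # The scanner sees a host that IT does not track: a silo problem.
            gaps.append((f["host"], "finding on host missing from inventory"))
            continue
        released = f["patch_released"]
        exposed_days = (today - released).days if released else 0
        # Assumed scoring: severity scaled by data sensitivity, plus up to
        # 5 points for how long an available patch has gone unapplied.
        score = f["severity"] * DATA_WEIGHT[asset["data"]] + min(exposed_days, 90) / 18
        queue.append({"host": f["host"], "vuln": f["vuln"], "owner": asset["owner"],
                      "patch_available": released is not None,
                      "exposed_days": exposed_days, "score": round(score, 2)})
    for a in assets:
        if a["last_scan"] is None:
            gaps.append((a["host"], "never scanned"))
    queue.sort(key=lambda r: r["score"], reverse=True)
    return queue, gaps

if __name__ == "__main__":
    queue, gaps = build_view(ASSETS, FINDINGS, date(2018, 5, 8))
    for row in queue:
        print(row)
    for host, reason in gaps:
        print("GAP:", host, reason)
```

In this sample the regulated database with a 68-day-old unapplied patch outranks the higher-severity web finding, and the owner column shows which team has to act on each row.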

May 8, 2018
Scot Finnie

Scot Finnie is an award-winning business and technology journalist, reviewer, columnist, editor, and manager. He was the editor-in-chief of Computerworld for 10 years. He's been a Windows and macOS operating system expert for two decades. He torture-tested laptop PCs and was ZDNet's first editor.
