Shrinking Time from Vulnerability to Exploit Top Challenge to Effective Patch management

By | April 4, 2006

The closing window of time between when a vulnerability is found to when it is exploited ranks as the number one challenge to effective patch management by PatchLink’s global customer survey. PatchLink Corporation, the global leader for security patch and vulnerability management solutions, today announced these findings from a comprehensive customer survey completed by more than 300 CIOs, CSOs, IT managers and network administrators across Europe, APAC and the US.

The survey shows the majority of IT professionals (74 per cent) believe that patch cycles, such as Microsoft Patch Tuesday, have improved their overall security patch and vulnerability process. Forty-two per cent quantified the improvement as reducing the time they spent on patching, while 33 per cent identified the improvement as making their patching process more succinct and 18 per cent believed they were able to reduce the number of employees they assign to patching. However, more than 50 percent of IT administrators want vendors to take a more flexible approach to releasing patches for zero-day exploits and maintain a monthly patch release date for unexploited vulnerabilities.

IT managers would consider using zero-day third-party patches

With zero-day exploits on the rise, the release and deployment of third-party patches are becoming more accepted, but many IT professionals still express reservations about this approach. According to the survey, 45 per cent of global respondents would consider using a third party patch, while the majority, 55 per cent, would not. In the UK, 69 per cent of respondents dismissed third party patches as a resolution to zero day threats.

In the case of the zero-day Microsoft WMF exploit that occurred in January 2006, only 13 per cent of organisations deployed the unofficial third party. While 21 per cent of organisations applied the early release of the Microsoft patch, the majority of PatchLink customers (66 per cent) waited until PatchLink released the tested and approved Microsoft patch.

Process and prioritisation most effective against zero-day threats

The survey also identified strategies IT professionals find most helpful for mitigating the risk of the shrinking time-to-exploit cycle. 44 per cent of IT professionals find an established process to identify critical systems impacting all business applications most helpful, while 27 per cent identified prioritising risk by asset classification as helpful and 22 per cent found that grouping patches by device helped them ward off zero day threats.

“The emergence of new threats combined with a shrinking vulnerability window is driving more organisations to implement proactive security measures,” said Howard Schmidt, former White House Security Advisor and PatchLink Board of Directors. “This trend truly resonates with PatchLink customers as the majority have expressed that an automated, manageable patching process and customizable prioritization is key to protecting their networks against zero-day threats.”

Speeding patch deployment

With an ever increasing number of web-based applications and browser vulnerabilities, IT professionals are under increased pressure to deploy patches on tight deadlines – leading 65 per cent of IT professionals to agree an internal deadline for non critical patch deployment. 9 per cent of organisations must deploy newly released patches within 72 hours of release, 22 per cent set a time frame of between two to five days and 30 per cent of organisations defined their roll out time frame for between one to eight weeks and 3 per cent aimed to deploy their patches with two months.

In the case of critical patches, 14 per cent of organisations execute the patch roll out to all work stations within 2 hours, while 39 per cent of organisations ensure that the patches are applied within 8 hours.

“With the average time between vulnerability discovery and the release of exploit code at less than one week, enterprises need fast, coordinated patch processes,” said Andrew Jaquith senior analyst at Yankee Group. “The survey results show that PatchLink customers are able to test and deploy patches in hours, not days — thus helping to close a critical window of vulnerability.”

“Patchlink has revolutionised the way we deal with patching our estate, and is definitely the finest tool that I´ve ever worked with,” said Mark Grindrod, Head of Desktop Engineering at IPC Media.

“Ninety two per cent of our customer say they are more secure now than a year ago, validating how effective PatchLink solutions work for them,” said Alan Bentley, MD of PatchLink EMEA. “While zero-day threats ranked the biggest challenge facing the patching process, the survey shows customers are taking a more proactive approach to effectively defending their networks against zero day exploits through process and prioritisation. By implementing a fully automated patch management solution, our customers’ networks are fully secure.”

Leave a Reply