E-Eye 2011 VM Trends Report

A new vendor survey from eEye Digital Security has found many organizations are still struggling to deal with patch and configuration management issues and are often lacking efficient processes and tools to deploy patches to systems and applications in a timely manner.  The time it takes to assess and test patches can make staying on top of the patching cycle exceedingly difficult.  It is imperative to develop a method to prioritize patches and test them to ensure they don’t break any critical systems or fragile artifacts.  Standard practice is to assign each CVE record a risk score based on the vulnerability’s characteristics, combined with a risk score based on the sensitivity of the system being considered for receiving the patch.  This is NEVER a simple formula, requires in-depth knowledge of the environment, and I don’t know a single company in the world that doesn’t struggle with these patching issues.

The 2010/2011 survey of nearly 2,000 IT security professionals finds that a majority of medium-to-large organizations have vulnerability management processes in place to tackle Microsoft Windows monthly patch releases, but are still struggling to deal with so called zero-day vulnerabilities, and are lacking the staff to effectively test and deploy updates to other systems and applications.  Smaller businesses are even less prepared.

This poses a real challenge from a security perspective; there are many important security initiatives that need consideration, and IT is often buried in other projects, improving the efficiency, resilience and effectiveness of the business.  Remediation activities make a lot of IT resources unavailable for a considerable amount of time.  Some organizations simply don’t have enough staff to keep up with the requests.  A majority of companies have more than 100 applications deployed in their networked environments.  According to the stats highlights, 60% indicate that up to 25% of their deployed apps have unpatched vulnerabilities. That is a lot of exposed attack surface for attackers to exploit for network access.  Unfortunately, this stat is somewhat misleading, since it is for those who believe they have ZERO to 25% unpatched.  Zero should be a separate metric…

  • 85% of those surveyed indicate that their IT staff is too busy managing and maintaining regulatory compliance to deal with a holistic vulnerability management effort. 
  • Approximately 50% said regulatory compliance initiatives take up to half of their work weeks.

Let that sink in a second.  Half the workweek spent on compliance issues.  So, companies are stuffing money into their pockets, and relying on swiss cheese systems to keep that money from dropping out of the holes.  And we wonder why there are hacking incidents?  Why do thrill seekers climb mountains?  Because they are there, and they pose a challenge!  Why do people rob banks?  Because that is where the money is!  Why do criminals hack into businesses so foten?  Because that is where the money is, where the controls are weak, and the risk of getting caught is low! 

The trend of increasing smartphone and other mobile device penetration into the network adds to the complexity of ensuring systems are kept up to date. 31% indicated they don’t have enough personnel to handle these increased patching demands.

Some of the statistical highlights from the survey reveal the following:

  • IT security manages vulnerabilities across hundreds of applications
    • 73% have as many as 100 applications deployed
    • 18 percent have more than 200 deployed
  • Zero-Day threat identification is difficult
    • 81% ranked the degree of difficulty of Zero-Day identification as between 3 and 5 out of 5 (most difficult)
    • 20% ranked it as a 5
  • Application vulnerabilities need more of IT’s attention
    • 60% indicated that as many as 25% of their applications have unpatched vulnerabilities
  • Personnel shortages, mobile computing and zero-days challenge their patching processes

Many organizations use free Windows Update or WSUS from Microsoft.  Larger firms tend to rely on a third-party vulnerability management service or commercial product to help with patch deployment issues.  Generally, centralized vulnerability management helps alleviate some of the pain by linking together vulnerability management, patch management, configuration management, and change management processes.  Automate wherever you can, and document your processes for your own sanity, audit, and repeatability.