Combating Patch Fatigue
Total Page:16
File Type:pdf, Size:1020Kb
WHITE PAPER Combating Patch Fatigue Are we overwhelming IT to the detriment of enterprise security? AUTHORS: Lane Thames, Security Researcher, Tripwire Tyler Reguly, Manager, Security Research, Tripwire FOUNDATIONAL CONTROLS FOR SECURITY, COMPLIANCE & IT OPERATIONS A vulnerability is a bug or flaw in software or hardware that can be employ to lessen the pain of Patch exploited for malicious gains. In order to avoid miscommunication and Fatigue. facilitate coordinated discussion, MITRE maintains the CVE (Common Setting the Stage Vulnerabilities and Exposures) database, which establishes a naming Patch management is the process of standard for all vulnerabilities. In 2015, over 6,000 new CVEs were acquiring, testing and installing soft- assigned. If only one-tenth of those vulnerabilities affected devices in your ware patches for information technology assets. Patch management plays a area of responsibility, you would have been responsible for resolving 630 critical role in maintaining the overall vulnerabilities annually or 2.5 vulnerabilities each business day. security posture for enterprise informa- tion technology systems. Unfortunately, The logical response is that a single On top of the negative impacts to it seems like every day we hear about a patch generally resolves multiple employees, overburdened IT and secu- new data breach, many of which occur or vulnerabilities. Take, for example, MS15- rity teams lead to poor security hygiene escalate due to improper patch manage- 112, the November security bulletin for within the enterprise. If teams cannot ment. Moreover, the footprint of assets Internet Explorer, which resolved 26 vul- install security patches as quickly as that IT departments have to manage is nerabilities. It’s all too common to hear they are released then vulnerabilities exploding due to business needs revolv- the statement, “just apply the MS15-112 will linger, providing additional attack ing around new technology trends such patch.” This statement leads to the vectors for malicious actors to use as mobile computing and the Internet assumption that a single patch resolves during a data breach. This can result is of Things. Given the constant flux of multiple vulnerabilities. While it’s true substantial losses, as a report1 by IBM new security events happening across that the application of a single patch will indicates that the average cost of a data the globe along with rapidly changing resolve multiple vulnerabilities, within breach is $3.8 million. environments of modern day IT sys- MS15-112 there are 32 patches available tems, we should evaluate the current for download and four more that are Employees that find themselves over- state of affairs with respect to patch referenced. If we assume that this is burdened by their workload tend to be management. normal, we can then conclude that there stressed and anxious according to a report published by Workforce2. This To begin this study, we considered are more patches issued annually than the amount of workload required to there are vulnerabilities. stress decreases employee productivity and leads to a loss of talented, skilled maintain patches for a “gold” desktop These numbers bring us to the concept employees. According to WebMD3, image representing a typical enterprise of Patch Fatigue, which can be summed stress can lead to heart disease, workstation. The gold image contained a up in a single question: Are we overbur- asthma, obesity, diabetes, headaches, collection of baseline software common dened with patches? depression, and a number of other to many enterprise organizations. Next, health-related issues. In a follow-up we calculated the number of security Based on a recent survey we conducted report4 published by Workforce, of 483 IT professionals who are involved they showed that employees that are in the patch management process stressed and feeling pressured are across organizations of all sizes, the generally unhappy and end up looking at Security Patches answer is a resounding “yes.” Here are Software other employment opportunities where Component in 2015 some of the data points that led us to their happiness will increase. this conclusion: Windows 7 120 With the impact of Patch Fatigue clearly Internet Explorer 13 » Almost 20 percent of organizations defined and rather self evident, we Chrome 16 manage their patching process will take a look at the reasons for and Microsoft Office 2013 without patch management software 13 causes of Patch Fatigue in the remain- Professional » Nearly half of all individuals surveyed der of this white paper. More specifically, Oracle Java 4 admit that at times they struggle we will investigate the historical trends to keep up—or find themselves in patch management and the current Adobe Flash 13 completely overwhelmed with the shifting trends across vendors. We also Adobe Shockwave 3 volume of patches released highlight a number of factors contribut- Microsoft Silverlight 3 » More than two-thirds of organizations ing to patch fatigue on both the vendor Adobe Reader 3 surveyed have fewer than five people and enterprise sides of the equation. actively involved in their patch Finally, we offer a number of solutions management process that both vendors and enterprises can Table 1. Security patch statistics for the gold image patches released for each software ele- ment in 2015. In this white paper, we are concerned mostly with security-based patches. We defined a security patch as a patch that addresses at least one known vulnerability. The results are shown in Table 1. This very basic enterprise desktop configuration required a total of 188 security patches during 2015, or approx- imately 15 security patches per month. Fifteen security patches per asset per month can accumulate rapidly for orga- nizations with a large number of assets. For example, 46 percent of our survey respondents were responsible for a Fig. 1 Tripwire Log Center screenshot showing the creation of a correlation rule that number of IT endpoints ranging from correlates five failed logins to a successful login and to modified user privileges. 500 to 5000. Organizations have software footprints based on business needs. Respondents were asked about their involvement with security patching for various types of software used within their organization, and these results are shown in Figure 1. Microsoft Windows, Microsoft Office, Adobe Flash Player, Adobe Reader, Oracle Java, VMware vCenter and Google Chrome ranked the highest in terms of our respondents’ patch man- agement responsibilities. As a result, we will dig deeper into these various products throughout the remainder of this white paper in order to better Fig. 2 Rank of platforms by patching ease understand Patch Fatigue. Given the wide array of products that to see the overlap for Microsoft Windows with each platform, as described by make up the modern IT ecosystem, we and VMware vCenter, which made it into the rankings from Figures 2 and 3, one asked respondents about their comfort both top five lists. When comparing the observation is immediately obvious: levels in terms of patch management. results, we see that overall Microsoft Patch difficulty is not a result of the Particularly, we asked respondents Windows is viewed as the easiest number of patches per year. For exam- to rank various products in terms of platform to patch. Conversely, Oracle ple, Oracle Database had substantially those that are easiest to patch and database “won” for the most difficult fewer patches than Microsoft Windows those that are hardest to patch. Figure platform to patch. in 2015, yet it ranked as the most diffi- 2 shows how respondents rank the cult platform to patch, while Microsoft Now that we have an understanding of easiest to patch platforms, and Figure Windows ranked as the easiest. how difficult various platforms are to 3 reveals how respondents rank the patch, let us consider the relationship hardest. According to the results, the between difficulty and patch quantity. Structured Patch Release top five easiest platforms to patch are For this, we evaluated the top five plat- Cycles Microsoft Windows, Google Chrome, Red forms and calculated the total number of One of the more interesting patch man- Hat Enterprise Linux, WordPress and patches delivered for them in 2015. The agement changes over the past decade VMware vCenter. The top five hardest results are provided in Table 2. has been the introduction of the struc- platforms to patch are Oracle Database, tured patch release cycle. Microsoft Oracle Java, Cisco IOS, VMware vCenter When coupling the data from Table 2 introduced the world to the concept and Microsoft Windows. It is interesting with the difficulty levels associated of structured patch release cycles in October 2003 when they launched Patch Tuesday. This regular cadence allowed enterprises to plan and schedule their updates. Some companies even intro- duced the concept of “Patch Saturday,” a day IT teams set aside two weeks after patches are released to regularly install needed updates. A couple of years after Microsoft started with a structured cycle, Oracle joined the game, announcing in 2005 quarterly updates. In 2008, Cisco joined in by ini- tiating biannual updates for IOS. Adobe, who has become closely entwined with Microsoft, started following Microsoft’s Patch Tuesday schedule in late 2012. Fig. 3 Rank of platforms by patching difficulty While Adobe doesn’t strictly abide by this schedule and unscheduled updates still discontinue the advanced notification, and then release