A practitioner's perspective on the problems with patching and what to do about it
Is application security falling apart at the digital seams? There’s a patch for that—but by the time your IT teams have put it in place, it may be too late.
Try as they might, patch managers fail and fail again to apply needed repairs to third-party application vulnerabilities quickly enough to keep scheming hackers at bay.
Hiring or training staff doesn’t appear to help: as with adding traffic lanes to a crowded thoroughfare that soon fills up with more cars, devoting more people and hours to patching doesn’t clear the ever-growing patch backlog.
That’s because hackers work 24/7 and patches are released around the clock. Unfortunately, deploying those changes is a lot more complicated than deploying a quick fix and expecting all to be well.
Pressed by the need for speed but hindered by complex processes, IT workers might feel tempted to cut corners—with potentially disastrous results. Cybercriminals know almost before anyone else where software vulnerabilities lie and how to exploit them, and they will, given an improperly patched application or untimely delay.
In fact, some 60 percent of data breaches over the past two years might have been avoided with timely patching. With about half of companies reporting at least one breach during that time, we’re talking about a pervasive and systemic problem.
Companies know the dangers of falling behind. So do overworked patching and deployment teams. Yet they still cannot keep up, costing enterprises money, customers, reputation, and legal exposure.
Why is third-party patching so hard? The reasons are many and interrelated. In the end, it all comes down to complexity.
Fortunately, there are solutions that can save organizations the patching headaches they have been facing for years.
Third-party application patching matters – big time
Using software supplied by other companies has become the norm among businesses of every size. Third-party applications provide us with everything from email to endpoint management.
As operating systems have become more secure, malicious actors are seeking other unlocked doors into enterprises and their data. They’re finding ways in through unpatched apps.
The consequences could be dire, even lethal. An attack on a healthcare provider, for instance, can paralyze systems and delay or interrupt critical patient services.
Scripps Health in San Diego had to take parts of its IT system offline for several weeks after a 2021 ransomware attack and even sent some patients to other hospitals. Postponed surgeries and canceled appointments also hit patients of the Waikato Hospital system in New Zealand as well as the Irish Health Service after ransomware attacks that same year.
These attacks haven’t been definitively linked to patching failures. But healthcare organizations that fall behind in patching are seven times more likely to suffer a ransomware attack, one study shows.
If security isn't a great enough concern to cause your enterprise to find a solution to the patching problem, compliance might be. Governments are snapping to and insisting on timely patches.
Two examples: The U.S. Department of Homeland Security now requires federal agencies and contractors to patch critical vulnerabilities within 15 days and high vulnerabilities in 30 days. The UK’s Cyber Essentials has a similar requirement for UK government contractors. Where the federal government leads, state and local governments as well as the private sector often follow.
6 reasons why patching is so difficult:
Every company has its own reasons for poor patch management, and I’ve heard a lot of them. Drawing on the companies I have worked for and the many enterprises I have supported during my time at Adaptiva, here are six of the most common difficulties I’ve observed.
1. Employees are overwhelmed
Unfortunately, adding more employees won’t necessarily help. There is more to the solution than just hiring additional staff. IT professionals need better tools and training to do their jobs.
Updating and patching external applications is in itself a Sisyphean task given that these patches come in faster than they can be applied. By the time a patched version of an application is fully deployed it might already be outdated, supplanted by another new version with more patches.
The only tenable way to handle the backlog, for most, is to prioritize according to (1) how many people in the company use the app in question and (2) how severe the security vulnerability is. Hackers will often target little-used applications for this reason: they tend to fall lower on the priority list, which increases the likelihood that intruders will be able to sneak in before the patch gets applied.
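The compliance windows mentioned earlier (critical within 15 days, high within 30) and the two prioritization factors just described, install count and severity, can be turned into a repeatable backlog ordering. The following is an added example, not code from the original post or from Adaptiva; the backlog entries, endpoint counts, CVSS scores and release dates are constructed, and the medium and low windows (90 and 180 days) are assumptions, since the text only states the critical and high ones. The design choice worth noting is that severity sets the band and install count only orders patches within a band, so a critical fix for a rarely used application is never pushed below a high-severity fix for a popular one, which closes the gap the paragraph above says attackers look for.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class PendingPatch:
    app: str        # application the patch applies to
    installs: int   # endpoints with the application installed
    cvss: float     # CVSS v3 base score of the worst vulnerability it fixes
    released: date  # date the vendor published the patch


# Remediation windows: critical and high come from the text;
# medium and low are assumed values for illustration only.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}
BAND = {"critical": 3, "high": 2, "medium": 1, "low": 0}


def severity(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative rating."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def deadline(p: PendingPatch) -> date:
    """Last day the patch can be deployed inside its remediation window."""
    return p.released + timedelta(days=SLA_DAYS[severity(p.cvss)])


def priority(p: PendingPatch, total_endpoints: int) -> float:
    """Higher is more urgent. Bands are spaced by 2 and reach lies in [0, 1],
    so install count only orders patches within a severity band and can
    never lift a medium fix above a high one or drop a critical fix below it."""
    reach = p.installs / total_endpoints if total_endpoints else 0.0
    return 2 * BAND[severity(p.cvss)] + reach


def plan(backlog, total_endpoints: int, today: date):
    """Return (app, severity, deadline, overdue) tuples, most urgent first."""
    ordered = sorted(backlog, key=lambda p: priority(p, total_endpoints), reverse=True)
    return [(p.app, severity(p.cvss), deadline(p), deadline(p) < today) for p in ordered]


# Constructed sample backlog for a fleet of 5000 endpoints, evaluated on a fixed date.
SAMPLE_TODAY = date(2024, 1, 31)
SAMPLE_ENDPOINTS = 5000
SAMPLE_BACKLOG = [
    PendingPatch("chat-client", 4800, 7.5, date(2024, 1, 11)),      # high, window still open
    PendingPatch("pdf-viewer", 200, 9.8, date(2024, 1, 15)),        # critical, 16 days old: overdue
    PendingPatch("screenshot-tool", 50, 5.3, date(2023, 10, 23)),   # medium, 100 days old: overdue
    PendingPatch("browser", 5000, 8.8, date(2024, 1, 28)),          # high, just released
]


def plan_sample():
    return plan(SAMPLE_BACKLOG, SAMPLE_ENDPOINTS, SAMPLE_TODAY)


if __name__ == "__main__":
    for app, sev, due, overdue in plan_sample():
        print(f"{app:16} {sev:9} due {due} {'OVERDUE' if overdue else ''}")
```

Running it lists pdf-viewer first despite its 200 installs, because it is the only critical item and its 15-day window has already closed; the widely installed browser and chat-client follow, and the little-used screenshot-tool comes last even though it is also past its window. A team that wants overdue items surfaced separately can filter on the fourth field of each tuple.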
2. More people are working from home
As enterprises know, the move to remote work has caused a lot of security headaches, in part because employees often prefer to use their personal devices for work. Even where companies discourage BYOD, people do it anyway if it’s more convenient—and who’s to stop them?
Undetected, unprotected and even unmonitored by corporate security, these off-premises devices are much easier for hackers to breach—you can’t patch what you can’t see. And with IT staff also working remotely, they’re almost certainly going to have a harder time collaborating, which is essential for patch deployment.
3. IT teams work disjointedly rather than as a unit
The team responsible for flagging software vulnerabilities may not be the same team that will patch that software. Vulnerability management typically is an IT security task; patching desktop computers might be the job of the desktop team, IT operations, or IT service management.
These disconnects can interrupt workflow, hinder effective communication, and cause even more friction and delays in the patching process.
4. Change management processes take time—and they can be ponderous
A colleague of mine who worked for a manufacturing company had to go through a change process with 42 different approvers – all of whom had to sign off on the change before the product could go live.
When a critical issue poses an immediate threat to your enterprise, this type of delay could be disastrous. And it may not even be necessary: the policies slowing you down may be outdated.
You may be required to consult with the technology team before installing security updates, for instance, an edict hearkening back to a time when IT approval was necessary for your company’s security.
Today the technologies your company uses validate the update themselves, which would allow your teams to do this job without IT approval, but the old rule still stands. Timely patches face delays for no better reason than "it’s always been done this way."
5. Patches aren’t always perfect
The corrected software you receive may itself be flawed. Or, as happened in the now-famous SolarWinds hack, the update may already have been compromised and is simply waiting for you to deploy it so that criminals can gain access to your systems.
Knowing the potential risks in each patch and update, many IT teams are loath to simply "plug and play", even if it saves them time. They want to check each patch for safety, which usually involves observing it on several systems and testing for bugs before putting together a patch status report manually. All this checking, testing, and report compiling requires precious time.
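One part of the per-patch checking and status reporting described above can be automated rather than compiled by hand: confirming that every file in a downloaded update matches the digest the vendor published for it, and producing a report that names anything missing, altered or unexpected. The following is an added example, not code from the original post or from Adaptiva. The installer bytes, file names and manifest are constructed; in real use the manifest digests are copied from the vendor's signed release notes or download page, never computed from the downloaded file itself. The caveat a practitioner should keep in mind is that this check catches tampering in transit, corrupted downloads and substituted files, but not a compromise of the vendor's own build pipeline, where the malicious file ships with a valid digest and signature; that risk is addressed by staged rollout and observation of the patch on test systems, which the paragraph above describes.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_patch(data: bytes, expected_sha256: str) -> bool:
    """True only if the file's digest equals the vendor-published one.
    compare_digest runs in constant time regardless of where the strings differ."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


def patch_status_report(files: dict, manifest: dict) -> dict:
    """Per-file verdict for a downloaded update.
    files:    name -> bytes actually downloaded
    manifest: name -> expected SHA-256 hex digest from the vendor
    Every listed file must be present and match; anything present but
    unlisted is flagged rather than silently deployed alongside the rest."""
    report = {}
    for name, expected in manifest.items():
        if name not in files:
            report[name] = "missing"
        elif verify_patch(files[name], expected):
            report[name] = "ok"
        else:
            report[name] = "mismatch"
    for name in files:
        if name not in manifest:
            report[name] = "unlisted"
    return report


def safe_to_deploy(report: dict) -> bool:
    """Deploy only when every file verified and nothing unexpected was found."""
    return all(verdict == "ok" for verdict in report.values())


# Constructed sample: one good installer, one whose downloaded copy differs by
# a single trailing byte, one listed file that never arrived, and one stray file.
GOOD_INSTALLER = b"MZ\x90\x00constructed installer bytes v1.2.3"
TAMPERED_PLUGIN = b"MZ\x90\x00constructed plugin bytes v4.0" + b"\x00"

# Stands in for digests copied from the vendor's release notes (constructed here).
SAMPLE_MANIFEST = {
    "app-1.2.3.msi": sha256_hex(GOOD_INSTALLER),
    "plugin-4.0.exe": sha256_hex(b"MZ\x90\x00constructed plugin bytes v4.0"),
    "helper.dll": sha256_hex(b"constructed helper bytes"),
}
SAMPLE_FILES = {
    "app-1.2.3.msi": GOOD_INSTALLER,
    "plugin-4.0.exe": TAMPERED_PLUGIN,
    "readme.txt": b"constructed notes not covered by the manifest",
}


def sample_report() -> dict:
    return patch_status_report(SAMPLE_FILES, SAMPLE_MANIFEST)


if __name__ == "__main__":
    report = sample_report()
    for name, verdict in sorted(report.items()):
        print(f"{name:16} {verdict}")
    print("safe to deploy:", safe_to_deploy(report))
```

The report for the sample data marks the installer ok, the plugin a mismatch, helper.dll missing and readme.txt unlisted, so the deployment gate returns false. The same function can be run against every package in a backlog and its output attached to the change record, which removes one of the manual steps the text lists without removing the human decision to proceed.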
6. Patching involves many manual processes
These can take a lot of time to complete. A company might use multiple applications and need to apply many patches daily—hundreds, in the case of larger organizations. Not only are there the security concerns I’ve noted above, but compatibility tests can take days, as well.
And then, because some companies release patch after patch after patch, your teams have to determine whether the metadata they’re looking at applies to the patch they want to apply or to a different version. All told, a single patch can require as many as two weeks to deploy—and that’s if all goes smoothly.
With all these twists, turns, hoops, and obstacles, it’s a wonder patching happens at all. As technologies proliferate—along with the software to run them—the problems with patching are certain to multiply, as well.
Automation to the rescue
Clearly, the exigencies of patch management are too complex for manual processes. Your IT people only have so much capacity to juggle a dizzying and even befuddling array of tasks.
But for every problem technology creates, technology also tends to provide a solution—and patching is no different.
Advances in technology such as artificial intelligence and machine learning make patch automation faster, smoother, and easier than ever.
In fact, using automation to investigate and remediate vulnerabilities and attacks could reduce the average cost of a breach by 25% – some $450,000 a year – a recent Ponemon Institute survey shows.
A truly automated patch management solution can move you through the many steps of patch management with almost no human intervention. It can even deploy multiple patches simultaneously, and in a fraction of the time manual processes require—shaving the time to deployment from weeks to minutes, letting your teams focus on more strategic tasks.
Learn more about Adaptiva’s OneSite Patch solution.
Take the manual work as well as the guesswork out of third-party application patching. Our user-friendly platform lets you program in patches with ease for a large and growing catalog of software brands and lets you stipulate what gets deployed depending on urgency, individual departmental requirements, preferred maintenance windows, and testing. Any templates you build are stored for review, execution, or future deployment.
Third-party application patching, essential to enterprise security, poses enormous challenges to IT teams and your organization—but it doesn’t have to. Learn how to protect yourself by understanding just how easy it is for hackers to infiltrate your network by watching our on-demand Autonomous Patch Virtual Launch Event webinar with Kevin Mitnick and Bryan Seely.
This is the first entry in our new Adaptiva Practitioner Blog Series. In these blog posts, we will be sharing what we know about managing endpoints. Stop by to hear from our own in-house subject matter experts. We are excited to discuss best practices, technical how-tos, and other topics we think you'll find valuable. Our solution architects, product experts, and own IT practitioners have seen and done it all. We are adding new content regularly and are happy to have you here.