Recently, I was asked the question: “How would you characterize the traditional patch management space compared to how the market is evolving?”
This was my answer:
Patch management is a discipline that’s not evolving as fast as the markets. The main reason is that, as a rule, discussions about evolving patch management practices don’t get support from senior management, therefore end up not being prioritized by IT professionals. The root cause of this challenge is in the fact that patch management is traditionally an IT Operations function and rarely treated as an integral part of a IT security strategy. This vision is contradictory though, considering that patch management is known to be the single most effective way to prevent exploitation of vulnerabilities, and the exploitation of software vulnerabilities is one of the top means for external intrusion. Additionally, it is known that applying patches before risk increases should be possible.
Here are some facts that confirm my points:
- 99 percent of exploitation targets are publicly known vulnerabilities. That means vulnerabilities are known, not only to hackers, but by users and system administrators long before they are exploited.
- Patches are available for most vulnerabilities at the day they become public. Our research shows that, on average, over 80 percent of vulnerabilities have a patch within 24 hours of public disclosure.
- The majority of first exploitation happens long after the vulnerability becomes public.
Despite this knowledge, we continue to see high profile attacks targeting known vulnerabilities. That’s the case in the WannaCry ransomware attack and the breach of Equifax, to mention two cases with broad media attention in 2017. Both of them started more than two months after the vulnerability – and the patches for the affected versions – were made public.
Those facts confirm the need for more attention to patch management practices as an effective way to close the window of opportunity for hackers and keep businesses and users protected.
Addressing the challenges of managing software vulnerabilities is our “raison d’être”. The Secunia Research team works relentlessly to deliver the best intelligence that feeds our vulnerability and patch management solutions. Our customers are empowered to patch the right things, before hackers can exploit them.
Contact us, if you would like to learn more about how our customers use our solutions to prioritize their work and reduce risk.