Half of IT professionals struggle with enterprise patching

Many businesses struggle with the volume of software security updates and believe IT teams do not understand the difference between applying a patch and remediating a vulnerability, a survey has revealed

Patch management plays a critical role in minimising enterprise information security risk, but many businesses struggle to keep up with software updates.

A survey of more than 480 IT professionals revealed that half of respondents struggle to keep up with or feel overwhelmed by the volume of patches at times.

Half of respondents also believe that client-side patches are released at an unmanageable rate and that their IT teams do not understand the difference between applying a patch and remediating a vulnerability, according to the study by Dimensional Research and the Vulnerability and Exposure Research Team (Vert) at security firm Tripwire.

While 43% of respondents said their IT teams have difficulties understanding the difference between applying a patch and resolving a vulnerability, 7% of respondents were themselves unaware of any difference between the two.

"The relationship between patches and vulnerabilities is far more complex than most people think," said Tim Erlin, director of IT risk and security strategist for Tripwire.

"Sometimes patches fix multiple vulnerabilities on specific platforms, but not others. There can be confusion between patches and upgrades, or patches and upgrades may address different, but overlapping, sets of vulnerabilities," he said.

Patch management versus vulnerability management

The study report said that while patch management usually looks at software supplier bulletins or individual patches, vulnerability management breaks patches and bulletins down to the individual vulnerabilities.

"A proper enterprise patch management programme should utilise both vulnerability and patch management tools to ensure a holistic solution," the report said.

According to Erlin, as the complexity of patch management continues to evolve, it has become more difficult for enterprise patch management teams to achieve and maintain a fully patched state.

In 2015, Microsoft released 535 patches across 122 platforms resolving 501 vulnerabilities.

"For the vendor deemed easiest, there were basically 1.5 patches per day in 2015," said Erlin, adding that if only a fraction of those patches involve some level of complexity, it is an unmanageable burden on organisations that just want to keep doing business securely.

The survey also found that 67% of respondents have difficulty, at least some of the time, understanding which patch needs to be applied to which system, while 86% said patches for embedded products, such as Adobe Flash patches released with Google Chrome updates, make it more difficult to understand the impact of a patch.

Patch fatigue a widespread problem

Tyler Reguly, manager of Tripwire Vert, said while those undertaking the research expected patch fatigue to affect a small portion of the industry, they found instead that it is a "broad, sweeping issue affecting a wide range of organisations".

The study report concluded that the first step in resolving patch fatigue is identifying it, along with potential points of failure and stress.

"Patch fatigue is very real for many organisations, and resolving it will lead to happier, more productive employees and, ultimately, more secure environments," the report said.
