Patch management plays a critical role in minimising enterprise information security risk, but many businesses struggle to keep up with software updates.
A survey of more than 480 IT professionals revealed that half of respondents struggle to keep up with or feel overwhelmed by the volume of patches at times.
Half of respondents also believe that client-side patches are released at an unmanageable rate and that their IT teams do not understand the difference between applying a patch and remediating a vulnerability, according to the study by Dimensional Research and the Vulnerability and Exposure Research Team (Vert) at security firm Tripwire.
While 43% of respondents said their IT teams have difficulties understanding the difference between applying a patch and resolving a vulnerability, 7% of respondents were themselves unaware of any difference between the two.
"The relationship between patches and vulnerabilities is far more complex than most people think," said Tim Erlin, director of IT risk and security strategy at Tripwire.
"Sometimes patches fix multiple vulnerabilities on specific platforms, but not others. There can be confusion between patches and upgrades, or patches and upgrades may address different, but overlapping, sets of vulnerabilities," he said.
Patch management versus vulnerability management
The study report said that while patch management usually looks at software supplier bulletins or individual patches, vulnerability management breaks patches and bulletins down to the individual vulnerabilities.
"A proper enterprise patch management programme should utilise both vulnerability and patch management tools to ensure a holistic solution," the report said.
According to Erlin, as the complexity of patch management continues to evolve, it has become more difficult for enterprise patch management teams to achieve and maintain a fully patched state.
In 2015, Microsoft released 535 patches across 122 platforms resolving 501 vulnerabilities.
"For the vendor deemed easiest, there were basically 1.5 patches per day in 2015," said Erlin, adding that if only a fraction of those patches involve some level of complexity, it is an unmanageable burden on organisations that just want to keep doing business securely.
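To make the distinction between applying a patch and remediating a vulnerability concrete, here is an added example (not from the report, nor from any Tripwire tool) that models the many-to-many relationship between patches, platforms and vulnerabilities in Python. Every bulletin, platform and vulnerability identifier in it is a constructed placeholder, and the two-host fleet is sample data; the shape of the data, however, is the one Erlin describes: one bulletin fixing several vulnerabilities on one platform but not another, an upgrade overlapping a patch, and a fix that only ships inside a bundled product's release.

```python
"""Constructed model of the patch-versus-vulnerability gap (added example, hypothetical data)."""
from collections import Counter
from dataclasses import dataclass, field

# Which vulnerabilities affect which platform: the view a vulnerability scanner gives.
# All identifiers are placeholders, not real CVEs, bulletins, platforms or products.
AFFECTS = {
    "VULN-1": {"server", "client"},
    "VULN-2": {"server", "client"},
    "VULN-3": {"client"},
    "VULN-4": {"client"},  # lives in a bundled browser plugin
}

# What each patch actually closes, per platform: the view a supplier bulletin gives.
# BULLETIN-1 closes VULN-2 on the server build only; the client build needs UPGRADE-2,
# which overlaps BULLETIN-3 (both close VULN-3). VULN-4 is only fixed by a browser
# release that carries the plugin fix, so it never appears as a bulletin of its own.
FIXES = {
    "BULLETIN-1": {"server": {"VULN-1", "VULN-2"}, "client": {"VULN-1"}},
    "UPGRADE-2": {"client": {"VULN-2", "VULN-3"}},
    "BULLETIN-3": {"client": {"VULN-3"}},
    "BROWSER-45": {"client": {"VULN-4"}},
}


@dataclass
class Host:
    name: str
    platform: str
    installed: set = field(default_factory=set)  # patch identifiers present on the host


def remediated(host):
    """Vulnerabilities closed on this host by the patches it has installed, on its platform."""
    closed = set()
    for patch in host.installed:
        closed |= FIXES.get(patch, {}).get(host.platform, set())
    return closed


def outstanding(host):
    """Vulnerabilities that affect this host's platform and are not closed by any installed patch."""
    exposed = {v for v, platforms in AFFECTS.items() if host.platform in platforms}
    return exposed - remediated(host)


def missing_patches(host):
    """Patches that would close at least one outstanding vulnerability on this host."""
    gap = outstanding(host)
    return {p for p, per_platform in FIXES.items()
            if per_platform.get(host.platform, set()) & gap}


def patch_view(hosts):
    """Patch-management view: how many hosts still lack each relevant patch."""
    return Counter(p for h in hosts for p in missing_patches(h))


def vuln_view(hosts):
    """Vulnerability-management view: how many hosts remain exposed to each vulnerability."""
    return Counter(v for h in hosts for v in outstanding(h))


if __name__ == "__main__":
    fleet = [
        Host("db01", "server", {"BULLETIN-1"}),
        # ws07 has installed both bulletins it was told to, yet is not remediated.
        Host("ws07", "client", {"BULLETIN-1", "BULLETIN-3"}),
    ]
    for h in fleet:
        print(f"{h.name}: outstanding={sorted(outstanding(h))} needs={sorted(missing_patches(h))}")
    print("by patch:", dict(patch_view(fleet)))
    print("by vulnerability:", dict(vuln_view(fleet)))
```

Run as a script, the client host reports VULN-2 and VULN-4 still outstanding even though every bulletin it was given is installed: a patch-centric dashboard would show it compliant, while the vulnerability-centric view exposes the gap. Keeping both views over the same data is the "holistic" approach the report recommends.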
The survey also found that 67% of respondents have difficulty, at least some of the time, understanding which patch needs to be applied to which system, while 86% said that embedded products, such as the Adobe Flash patches bundled with Google Chrome updates, make it harder to understand the impact of a patch.
Patch fatigue a widespread problem
Tyler Reguly, manager of Tripwire Vert, said while those undertaking the research expected patch fatigue to affect a small portion of the industry, they found instead that it is a "broad, sweeping issue affecting a wide range of organisations".
The study report concluded that the first step in resolving patch fatigue is to recognise it, and then to identify the potential points of failure and stress.
"Patch fatigue is very real for many organisations, and resolving it will lead to happier, more productive employees and, ultimately, more secure environments," the report said.