News: 1721892426

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Patch management still seemingly abysmal because no one wants the job

(2024/07/25)


Comment Patching: The bane of every IT professional's existence. It's a thankless, laborious job that no one wants to do, goes unappreciated when it interrupts work, and yet it's more critical than ever in this modern threat landscape.

So color this vulture surprised to learn that, in the decade since he left an IT career for wordier pastures, things haven't really improved much – either in terms of patching rates or how rough it is for the people doing it.

"Patching is still notoriously difficult," Forrester principal analyst Andrew Hewitt told The Register . Hewitt, who specializes in IT ops, said that while organizations tend to strive for a 97 to 99 percent patch rate, they typically only manage to successfully fix between 75 and 85 percent of issues in their software.

[1]

"That's not where you want to be from a compliance perspective," Hewitt added.

[2]

[3]

Has anything improved lately? No, says Forrester senior analyst Erik Nost, who also spoke to The Register about patching from the security perspective. Nost observed that if anything has improved in the past decade, it's the business side – finally understanding how critical it is to keep systems updated.

"There seems to be a bit more of an understanding of the necessity of it," Nost noted, with corporate leadership more aware of how poor patching can lead to expensive malware infections or other security snafus. Nost told us around 79 percent of security leaders say their business bosses view patching disruptions as a "necessary inconvenience" – which has been helped by better education from security and IT teams.

[4]

Patching challenges, however, haven't changed much. If anything, the situation has actually become worse.

Applying Windows updates isn't what a lot of people have signed up for

"People don't take jobs in IT operations to sit and update systems all day," Nost said. "They take those jobs to work on cool projects and cutting-edge technology. Going through and applying Windows updates isn't what a lot of people have signed up for."

Coupled with an exploding ecosystem of third-party apps, endpoint management tools that aren't really designed to handle patch management, bandwidth issues (exacerbated by the pandemic shift to remote work), and architectural challenges, IT teams have "an overwhelming amount of work to do," Hewitt told us.

He's not pulling those challenges out of nowhere, either. Endpoint management biz Adaptiva revealed in its 2023 state of patch handling [5]report [PDF] that the average organization manages around 2,900 software applications, and 69 percent of IT teams believe it's impossible to get all of them patched on schedule.

That is to say, good administrators know they need to patch security flaws and similar critical issues, and try to get these updates tested and deployed as fast as reasonably possible before someone takes advantage of them. It's just that life is never that easy, and there are all sorts of factors in the way.

[6]

Adaptiva's study, for instance, cited an increasing number of apps being installed on the average endpoint, the relatively low bandwidth for remote patch deployments, and the other issues that Hewitt pointed out.

And while it's important to note Adaptiva has some skin in the game, given it sells software to automate patching, its figures don't seem off compared to others in the industry.

Meanwhile, vulnerabilities proliferate

Where there are unpatched systems there are unfixed vulnerabilities – and there's no shortage of malware coded to exploit them.

You'd hope that, if patching hasn't become easier, then at the very least the difficulties would be constant – but that's not the case, according to Nost. The tech industry has become overwhelmed by vulnerabilities to the point where it can't keep up, he said, pointing to NIST's massive backlog in vulnerability processing that's been [7]ongoing since [8]February .

[9]Uncle Sam to inject $50M into auto-patcher for hospital IT

[10]Firms skip security reviews of major app updates about half the time

[11]CrowdStrike Windows patchpocalypse could take weeks to fix, IT admins fear

[12]Military helicopter crash blamed on failure to apply software patch

"Without a CVE, it's hard to tie a vulnerability to a patch that needs to be done," Nost stated, "and it's all downhill from there."

He warned the situation has only been made worse by "security researchers looking to get a big hit" by finding a headline-grabbing critical vulnerability, which has made it harder to tell a major risk from a niche issue. If every other bug has a logo, a dedicated website raising the alarm, and an exclusive interview about it all with a media outlet, it's a pain for IT pros to figure out which ones to prioritize. CVSS severity scores [13]only go so far.

What is to be done?

If we know patching is still a hassle, and hasn't improved much over the years, surely we can do something about it?

While they have some different approaches to make patching more efficient, Hewitt and Nost agree that one of the biggest reasons it continues to be such a headache is a lack of ownership. Security teams and IT operations teams jostle to offload responsibility for the task. Layoffs and downsizing complicate matters further.

"You can open a Jira ticket and send it to [your IT ops team] or whoever, but who's the sysadmin or who's the business owner that is actually responsible for patching this? That gets even more complicated as you start to find application-level vulnerabilities," Nost explained.

"Defining that [responsibility] is still very, very difficult. That's where I would say a lot of folks still spend a lot of time figuring out vulnerability management from a day-to-day perspective," he added.

Hewitt said much the same, and opined that the only way over that hurdle is to get IT ops and security teams on the same page – and it needs to be IT ops driving the process, as far as he's concerned.

Security professionals, rejoice.

"Patching capabilities are resident within IT operations tools," Hewitt noted. "Whether you're using Microsoft, Ivanti, Tanium, or whatever, patch management capabilities are in the IT ops tools."

He said update responsibilities are further confused by too much siloing of data in enterprises, which leaves various teams working with different sets of data.

"Oftentimes you have one platform for vulnerability management and another for patch management with no common dataset underneath," Hewitt told us, adding that several IT products are already moving in that direction.

You have one platform for vulnerability management and another for patch management with no common dataset

"A lot of the endpoint management tools are building unified vulnerability and patch management capabilities, so I see a future trend toward trying to make that easier when it comes to user endpoints," Hewitt predicted.

Nost believes many of the patching problems people are experiencing can be solved through modern automation tools, but he added that many organizations have been hesitant to adopt them – in part because of the aforementioned issues surrounding ownership of patching responsibilities.

Additionally, Nost said many enterprises still want hands-on control over patching, which Hewitt told us is perfectly reasonable. He believes having a human in the patching loop is essential, no matter how automated things get.

"There are some things you can take a hands-off approach to, especially when they're smaller updates," Hewitt noted. "But I think this whole [14]CrowdStrike outage is waking a lot of people up to how dangerous it can be to automate updates."

Both analysts we spoke to for this piece agreed that, while patching posture continues to be poor across the business world, for some understandable reasons, it doesn't necessarily need to be. The tools to make things easier are out there – be they improvements in automation or visibility enhancements in newer endpoint management products – but enterprises need to actually use them.

It's a very unsexy thing to work on, nobody wants to do it

"I think it mostly comes down to technical debt," Hewitt explained.

"It's a very unsexy thing to work on, nobody wants to do it, and everyone feels like it should be automated – but nobody wants to take responsibility for doing it," Hewitt added. "The net effect is that nothing gets done and people stay in this state of technical debt where they're not able to prioritize it."

"Hopefully this CrowdStrike thing will help," Hewitt concluded.

Given what this [15]ex-IT scribe has seen of the state of patching compared to a decade ago, he's not going to hold out hope that the CrowdStrike [16]outage actually motivates people.

It's up to IT teams to prove otherwise – and boy, I'd love to be proven wrong. ®

Get our [17]Tech Resources



[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/malwaremonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZqIiRwAb60NhoTjbYU2g9AAAAMU&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/malwaremonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZqIiRwAb60NhoTjbYU2g9AAAAMU&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/malwaremonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZqIiRwAb60NhoTjbYU2g9AAAAMU&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/malwaremonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZqIiRwAb60NhoTjbYU2g9AAAAMU&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[5] https://adaptiva.com/hubfs/Infographics/Adaptiva-State-of-Patch-Management-Infographic.pdf

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/malwaremonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZqIiRwAb60NhoTjbYU2g9AAAAMU&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[7] https://www.theregister.com/2024/06/03/nist_cve_backlog/

[8] https://www.theregister.com/2024/03/22/opinion_column_nist/

[9] https://www.theregister.com/2024/05/22/50m_investment_hospital_security/

[10] https://www.theregister.com/2024/07/18/security_review_failure/

[11] https://www.theregister.com/2024/07/19/crowdstrike_windows_kettle/

[12] https://www.theregister.com/2023/04/18/helicopter_crash_missing_software_patch/

[13] https://www.theregister.com/2022/01/19/twitter_cvss_vulnerabilites/

[14] https://www.theregister.com/2024/07/25/crowdstrike_timeline/

[15] https://www.theregister.com/Author/Brandon-Vigliarolo

[16] https://www.theregister.com/2024/07/24/crowdstrike_preliminary_incident_report/

[17] https://whitepapers.theregister.com/



A couple of things strike me here...

Bebu

Having security, system administration and operations siloed invariably means the duck gets well and truly shoved.

From my own experience dealing the various concerns of each as a unified whole leads to more optimal prioritization of rectification task with some symbioses - shooting more than one duck with a single round. Also a single reporting structure limits the quantity of duck shoving possible.

The complaint about the ever increasing number of applications installed on "end points" outrunning the capability of securing and maintaing them also makes me question whether the system architecture is well matched to these objectives.

In this context "end point" seems to mean both desktop and server machines (cf OSI End System (ES) v. Intermediate System (IS)) but the desktop systems are likely the most problematic which leaves me wondering whether dumb clients that basically just do I/O over secured channels might be ready for a renaissance. Places almost all the load on servers (these days likely to be cloud/cluster anyway) but does significantly increase manageability and potentially security.

Let's just ignore the elephant in the room shall we?

StewartWhite

What the article and all of these reports completely fail to even mention is that patching should be an exception to the rule. Why have we (IT as well as "the business") allowed ourselves to think that having endless patches is the answer to the problem? Microsoft et al are allowed to get away with writing dismal quality code that has systemic flaws (e.g. let's require AV tools that mess about at kernel level because security is such a tedious subject - CrowdStrike anybody?).

I attended a cybersecurity/finance conference a few weeks ago which was profoundly depressing as all of the vendors were boasting about how much more money they'll be making as they add yet more levels of snake oil (AI just being the most obvious) whilst casually stating that the security situation was only going to get worse but they didn't care, just think about those lovely $$$$$!

How about people in the IT world stating some home truths the next time somebody in the deified "business" asks for something stupid to be completed by yesterday. If they whinge to the board, just mention "Blockchain" (substitute AI or another mot de jour as appropriate) and ask them exactly how much money they spaffed on it for absolutely zero return.

The current setup isn't working and is getting worse with no possibility of a solution unless we opt for radical change, e.g. let's put Agile out of its misery as it's just a cargo cult for "design" by committee.

ChoHag

Your rate of internal systems churn necessarily follows the rate at which your vendors improve (or just fix) their products. How could it be any other way? If you choose a vendor which requires a weekly cadence that's on you.

Lee D

Push the patches, it breaks the system, you get blamed.

Don't push the patches, the system gets compromised, you get blamed.

The only way to break that deadlock is PATCHES THAT DON'T BREAK THE SYSTEM.

i.e. vendors need to test their damn patches and not release them, and patches need to be the absolute minimum necessary to resolve the problem to ensure minimal impact - NOT bundling new features.

They also need to be "zero-downtime" patches (i.e. not rebooting the entire machine just because I updated Word with a security update). We also need proper rollback that works - i.e. with the recent Crowdstrike nonsense, why oh why couldn't Windows detect that it was in a bluescreen/reboot loop and revert back to BEFORE THE LAST CHANGE THAT MADE THAT HAPPEN? It's supposed to be able to do that and it doesn't (yeah, yeah, "3rd party", etc. etc... well that 3rd party has an in-kernel device driver... and that's the OS supposed to be managing that!).

We have all this. It exists. Other OS can do it. We used to be able to do it on older OS and different OS. We can still do it now. We can definitely arrange for it to happen in the future.

But you know who needs to pull their finger out? OS providers, especially Microsoft.

Biggest security gap -- an open mouth.