The latest research around patch management is a good reminder for security teams to move patch diligence up the stack to applications and to resist disabling signature checking for performance in UTMs.
At the recent Black Hat USA 2009 briefings, Qualys Inc. presented an update to its Laws of Vulnerabilities research, a timely statistical review in light of the increase in application-level attacks against Microsoft Internet Explorer, Microsoft Office, Adobe Reader, and Apple QuickTime. The study, first conducted in 2004, is based on years of accumulated vulnerability scanning data from the Qualys installed base.
The surprise in the Laws of Vulnerabilities 2.0 research is that security performance in basic vulnerability management has not significantly improved over the last 5 years, while malware developers have shortened the cycle time from disclosure to exploitation. For example, the time to patch a vulnerability on 50% of endpoint and server systems remains at approximately 30 days, with a dismal average of more than 50 days in manufacturing companies. This cannot be blamed on security-oblivious consumers, because vulnerability scanning is driven by enterprise security teams.
IT needs to pay greater attention to applications that have been downloaded to desktops and laptops. These applications are becoming the primary point of attack for malware engineers because their vulnerabilities are easier to exploit than, say, vulnerabilities on a server tucked away in a data center. In many cases, IT does not even know what applications users install on endpoints, or whether those applications are registered for automatic patch updates.
Application-level attacks take advantage of the inattention from security teams that leaves vulnerabilities exposed for more than a month. Application vulnerability patching is a security core competency and a discipline that IT can control. IT can start by measuring vulnerability half-life, the time it takes to remove a vulnerability from half of the affected systems, for applications and systems software.
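As an added illustration of the half-life metric (example code written here, not Qualys's own method or tooling), the Python below takes constructed scan snapshots of how many hosts still carry a vulnerability, computes the days until that count first drops by half, reports the residual that never reaches zero, and flags vulnerabilities that miss a patching target. The vulnerability ids, dates, counts and the 30-day SLA are assumed sample values.

```python
from datetime import date

# Constructed scan history (sample data, not real scan output): for each
# vulnerability id, (scan date, number of hosts still found vulnerable).
SCAN_HISTORY = {
    "VULN-A": [
        (date(2009, 6, 1), 400), (date(2009, 6, 8), 340), (date(2009, 6, 15), 290),
        (date(2009, 6, 29), 210), (date(2009, 7, 13), 160), (date(2009, 7, 27), 120),
    ],
    "VULN-B": [  # barely moves: the kind of exposure that persists for months
        (date(2009, 6, 1), 50), (date(2009, 6, 15), 48), (date(2009, 7, 13), 46),
    ],
}

def half_life_days(snapshots):
    """Days from the first scan until the vulnerable-host count first falls to
    half of its initial value, interpolating linearly inside the scan interval
    where the crossing happens. Returns None if the count never halves."""
    snaps = sorted(snapshots)
    first_day, first_count = snaps[0]
    target = first_count / 2.0
    prev_day, prev_count = first_day, first_count
    for day, count in snaps[1:]:
        if count <= target:
            span = (day - prev_day).days
            frac = (prev_count - target) / (prev_count - count)
            return round((prev_day - first_day).days + frac * span, 1)
        prev_day, prev_count = day, count
    return None

def residual_fraction(snapshots):
    """Share of the initially vulnerable hosts still unpatched at the latest scan;
    a value that never reaches 0 is the persistence effect seen in practice."""
    snaps = sorted(snapshots)
    return snaps[-1][1] / snaps[0][1]

def patch_report(history, sla_days=30):
    """Map each vulnerability id to (half-life days or None, residual fraction,
    past_sla) so that slow or never-halving vulnerabilities stand out."""
    report = {}
    for vuln, snaps in history.items():
        hl = half_life_days(snaps)
        report[vuln] = (hl, residual_fraction(snaps), hl is None or hl > sla_days)
    return report

if __name__ == "__main__":
    for vuln, (hl, res, late) in patch_report(SCAN_HISTORY).items():
        print(f"{vuln}: half-life={hl} days, still vulnerable={res:.0%}, past SLA={late}")
```

With the sample data VULN-A halves in about 31 days, just outside a 30-day target, while VULN-B never halves at all and is the kind of entry a regular audit should escalate.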
Users who have installed unauthorized software, or have taken the initiative to self-install applications needed to do their jobs better, probably have not signed up for support or security updates. Regular IT audits of software configurations will show the profile of applications across the user community. IT can use this intelligence to organize vulnerability patching, proactively negotiate more favorable license terms, and pressure application vendors to be more responsive with security updates. A regular audit program will quantify the risk to the organization. The bottom line: IT cannot help secure what it does not know about.
The persistence principle documented by Qualys shows that vulnerabilities are never eradicated from an organization. If IT assumes that a vulnerability always exists in the network, then network and host security products that operate on a subset of their attack signature base cannot provide adequate protection. In particular, some UTMs may reduce signature scanning to preserve performance. IT may want to examine virtual appliance packages where security performance can be boosted by installing the security software on a faster server without sacrificing granular attack detection.
Qualys does not have data on the world of consumer PCs, but it is safe to estimate that the application security situation there is far more dire. Users may not keep up with security updates, and bootlegged software will almost certainly not be registered and would be ineligible for support. The Laws of Vulnerabilities is an exhaustive study that shows we can do better. It is a good reminder while we wait for application vendors to be more aggressive about patching their vulnerabilities.
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to email@example.com.