The survey of nearly 2,000 IT security professionals by vulnerability management vendor eEye Digital Security found the majority of organizations have vulnerability management processes in place to tackle Microsoft Windows monthly patch releases, but many firms are still struggling to attend to zero-day vulnerabilities and are lacking the staff to effectively test and deploy updates to other systems and applications.I don't know any company in the world that doesn't have patching issues.
CISOVisiting Nurse Services of New York
According to eEye's "2011 Vulnerability and Management Trends Report," 85% of those surveyed indicated that their IT staff is overburdened with regulatory compliance issues. About half of those surveyed said regulatory compliance initiatives take up to 50% of their work weeks.
"It's a challenge from a security perspective because there are other important security initiatives and IT is generally doing other IT projects that make the business more efficient and effective," said Marc Maiffret, chief technology officer at Irvine, Calif.-based eEye Digital Security. "There's an indication that some organizations don't have enough personnel and resources to keep up with remediating vulnerabilities."
The survey suggests that the lack of personnel and resources is having an impact on managing patch deployments. More than half (60%) indicated that as many as a quarter of the applications deployed in their organizations have unpatched vulnerabilities. With a majority of organizations having more than 100 applications deployed, attackers have a lot of ways they can exploit flaws and gain access to the network, Maiffret said.
Larry Whiteside, CISO at the Visiting Nurse Services of New York, said the health care firm has developed a way to prioritize patches and test them to ensure they don't break any critical systems. Whiteside said his firm assigns a risk score based on the vulnerability and sensitivity of the system needing a software update.
"I don't know any company in the world that doesn't have patching issues," Whiteside said. "The time to prioritize and test can make staying on top of the patching cycle very difficult."
In addition, the rising use of smartphones and other mobile devices is straining the ability of IT teams to ensure systems are up to date. The survey found that 31% of professionals indicated they don't have enough personnel to handle increased patching demands. In addition, keeping track of browser component vulnerabilities, Flash updates, and other third-party client software updates is an issue at many enterprises.
"There's definitely a lack of visibility, especially as it relates to non-Microsoft software," Maiffret said.
Depending on the size of the business, many organizations use Windows Update to automatically deploy patches. Midsized companies and larger firms typically use WSUS from Microsoft or a third-party vulnerability management vendor to help alleviate patch management issues. The piecemeal approach creates issues, Maiffret said. Generally, centralized vulnerability management helps alleviate some of the pain. Organizations can address the issue by tying together patch management with the ability to ensure proper configuration and the ability to identify zero-day vulnerabilities.
Tom Vander Zwagg, an IT support manager at Santa Clara, Calif.-based biotechnology firm, Affymetrix Inc,. said his firm uses Symantec's Altiris Client Management Suite for patch management. Patch management is a difficult process, but vulnerability management systems are doing a better job helping manage it, he said.
"We have a team that evaluates Microsoft bulletins and identifies our risks to deploy them on a monthly basis," Vander Zwagg said. "Identifying and addressing vulnerabilities in other applications wrapped in one product would be fabulous; I think [security vendors] are getting there."