icetray - Fotolia

Manage Learn to apply best practices and optimize your operations.

Patching and updating applications: How much time should be spent?

A survey found that half of its respondents perform application updates daily. Expert Michael Cobb explains how to allocate appropriate time on different security controls.

A report from security vendor Prevoty Inc. surveyed more than 1,000 IT and security professionals and revealed...

that 52% of respondents perform application updates at least once a day, if not multiple times a day. Is it realistic for security teams to spend that much time updating applications?

Prevoty's report highlights the difference in day-to-day priorities between IT and security professionals. IT pros need to keep mission-critical systems running and their users happy, while security pros are focused on ensuring that network resources are protected and secure. Known vulnerabilities are a leading cause of data breaches, so it's understandable why patching and updating applications come up so high on a security pro's to-do list. In an ideal world, enterprise budgets would provide enough manpower to keep application software constantly up to date, but, in reality, most IT and security teams are overstretched and need to prioritize tasks. Dedicating too much time and resources to one security control can mean others are neglected and become less effective over time.

The cybercrime industry is built around the efficient exploitation of vulnerabilities and, according to Verizon's 2016 "Data Breach Report," over 40% of breaches in 2015 came through web applications. Performing basic security hygiene tasks such as proper application configuration and patch management prevents automated attacks from compromising endpoints, and it closes down the gaps that attackers are only too happy to walk through.

Updating applications only once every one to six months -- like half of the IT pros surveyed by Prevoty -- is clearly not frequent enough, but multiple times a day has to be a drain on resources possibly better spent elsewhere. The survey revealed that while both groups spend significant amounts of time tuning existing application security systems, security professionals spend more than 80% of their time on this task, leaving little time for other equally important security tasks.

Patching and updating applications and devices will always be key security controls, but given the variety of devices, applications and users that an enterprise has to support, they have to be just the beginning. A security information and event management system can receive threat intelligence feeds and automatically adjust filters and rules accordingly, reducing the need for manual intervention. Network access control tools can keep endpoints compliant and control their access to resources, while data loss prevention technologies can help protect data on endpoints. Security teams can't just concentrate on preventive technologies like patching or updating applications -- they need a strategy that can protect key resources and data even when perimeter defenses have been breached and the network compromised.

To help IT and security pros understand how effective different security technologies, practices, strategies and initiatives are, outcomes need to be measured, such as the decline in breaches and network downtime. Without sound metrics, it's too easy for personal bias and commonly held misconceptions to determine how people's time and expertise should be allocated.

Next Steps

Learn more about the possibility of crowdsourcing vulnerability patching

Find out how mandatory access control and application sandboxing differ

Read about automated enterprise patch management basics

This was last published in October 2016

Dig Deeper on Microsoft Patch Tuesday and patch management