Network Security, Vulnerability Management

IT depts. suffering from ‘patch fatigue,’ study says


Enterprises benefit from having patch management plans to help ensure their IT departments don't suffer from patch fatigue or become overburdened with patches which could lead to poor cybersecurity hygiene.

In a study of 480 IT professionals, researchers at Tripwire found that half of the respondents struggled to keep up with enterprise patching.

Half also felt that client-side patches are released at an unmanageable rate and 67 percent reported having difficulty understanding which patch needs to be applied to which system.

“Managing patches is an area where there is no ending in sight,” Tripwire Security Research and Software Development Engineer Lane Thames told SCMagazine via emailed comments.

“This can be overwhelming for who those are responsible for correct testing and deployment of patches in IT environments, especially as new systems are added to the environments because of business needs,” he said

Thames said the sheer volume of patches that respondents deal with can seem unmanageable.

More than 6,000 new Common Vulnerabilities and Exposures (CVE) were assigned in 2015, according to the study.

“If only one-tenth of those vulnerabilities affected devices in your area of responsibility, you would have been responsible for resolving 630 vulnerabilities annually or 2.5 vulnerabilities each business day,” researchers said in the study.

Researchers at Tripwire said it is also an inconvenience when companies release unsuspected updates which could potentially shut down enterprise systems

Thames said a deeper collaboration between developers and their customers' IT departments could help to shed more light on the current problems faced by IT personnel.

Currently, very few systems use the same patch installation methodology and IT organizations are responsible for so much technology it is impossible for individuals to be subject matter experts on each type of technology, he added.

“As a result, most individuals working in IT who are responsible for patch management will face difficulties understanding how to patch various systems,” Thames said.

To help combat this, enterprises should invest in both patch vulnerability and patch management software solutions to help their IT departments get a picture of the security posture, including current patch levels and known risks, researchers said in the study.

“Without these tools, individuals must be aware of every asset and every application installed on every asset,” researchers said.

Researchers recommend enterprises set up schedules, assign responsibilities, plan for unexpected issues, and allocate the appropriate amount of staff and time to deal with patches to help combat patch fatigue.  

The first step in resolving patch fatigue is identifying it and suggested that IT Teams look for potential points of failure and stress, the study said.

“Our study indicates that IT organizations can barely maintain their existing technologies,” Thames said.

Thames said this implies that there is room for improvement and will require holistic, cross-disciplinary approaches involving both people and technology to solve future issues.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.