2021 TuxCare State of Enterprise Vulnerability Detection and Patch Management


State of Enterprise Vulnerability Detection and Patch Management

Making Open Source Linux Enterprise Grade

For maximum security and compliance, enterprises need to rapidly patch vulnerabilities, keep production Linux systems updated with the latest fixes, and have a trusted technology partner for Linux support & maintenance always within reach. TuxCare ticks all the boxes by helping organizations to take care of support, maintenance, and security for Enterprise Linux systems.

Our Services: Support, Maintain and Secure All Critical Components of Enterprise Linux Systems

LIVE PATCHING SERVICES: Put an end to service interruptions & non-compliance caused by system reboots

END-OF-LIFE LINUX SUPPORT SERVICES: Eliminate security vulnerabilities while running End-of-Life Linux

LINUX SUPPORT SERVICES: Keep all components of the production Linux systems always up-to-date with vendor-level support services

ALL TUXCARE SERVICES INCLUDE INTEGRATIONS WITH PATCH MANAGEMENT TOOLS, VULNERABILITY SCANNERS, EPORTAL SECURE PATCH SERVER AND 24/7 SUPPORT.

Contents

Executive summary 3
Introduction 4
Linux ecosystem diversity 6
Ideal vulnerability scanner and patch management tool 7
Logging as a desired feature 7
Resource use and patch rollout 8
Vulnerability Management 9
Responding to a vulnerability 10
Automation 11
Maintenance and Patch deployment 12
Preparing a patch in-house 13
Downtime to deploy patches 14
Staff time consumed by patching tasks 15
When patching is delayed 16
Improvements 17
Conclusion 18

State of Enterprise Vulnerability Detection and Patch Management 2

Executive summary

The cybersecurity threat is broad, pervasive, and complex. Mitigating such a comprehensive threat requires the use of a multi-pronged approach. Technology teams must maximize the utility of every tool in the security arsenal if they stand a chance to mount an effective defense. There are, however, different approaches to the use of specific tools.

This survey looks at two critical cybersecurity tools. First, we examine the vulnerability detection tools used to locate and map software vulnerabilities in an organization. We also look at patch management, the process of closing vulnerabilities through software patches.

Our intent is to analyze how different organizations treat these two key tenets of cybersecurity. We will outline the key variations we found from industry to industry – as well as aggregate statistics that point to gaps in preparedness such as resource limits and the reliance on manual methods.

Introduction

Vulnerability detection and patch management are two important operational steps that underpin secure technology infrastructure in every industry. With this study, we present an industry-by-industry analysis to discover how different industries structure vulnerability detection and patch management operations.

We focus on three key factors: maintenance windows, patch deployment practices, and the overall security awareness of the technology professionals that implement these processes. Results were collected in the first quarter of 2021. Respondents completed an online survey that was publicly advertised to IT professionals around the globe.

Interestingly, the geographic location of a respondent had no bearing on the survey results, as varying locations reported similar patterns across our questions, including our questions around the time spent and the frequency of patch deployment and maintenance operations. However, the industry in which an organization operates did have a clear impact on the question results.

At the time of writing, we had received responses from 106 subjects; however, the survey is still running, and we will continue to update the results to reflect any changes in the findings. As it stands, we are confident that the results provide helpful insights to the teams faced with these challenges.

IT professionals that work in a systems administration role represent the largest number of respondents, while in aggregate 88.7% of our respondents were directly involved in vulnerability management operations.

Our analysis revealed the following key points:

The majority of companies (76%) are deploying automated patching procedures.

75% of respondents said that they relied on manual online research as one of their tools to find out more about dangerous vulnerabilities, making this the most commonly used tool.

Most respondents said that CentOS itself, or another CentOS fork, is their predominant server OS.

73% of respondents said that their server fleets use just one OS, with just 27% suggesting that they use a mix of operating systems in their server fleets.

Across industries, documenting the patching process is not consuming a significant amount of time when compared to other patching-related tasks – in fact, documenting the patching process consumes the least amount of time.

In some industries, obtaining approval for a maintenance window can be the most time-consuming element of the patching process – in some cases consuming more time than applying, documenting, or monitoring patching.

RESPONDENT ROLE (chart): Sysadmin 42.19%, the largest group; DevOps Professional, Network Administrator, IT Security Manager, Chief Information Officer and Not an IT staff account for the remaining 18.72%, 17.19%, 7.81%, 7.81% and 6.25%.

COMPANY SIZE (chart): Respondents worked at companies of a variety of sizes, from the “Less than 50” band to the “20,000 or more” band. Small, medium, and large companies are all represented in the survey results.

Linux ecosystem diversity

Most of our respondents reported that they used a single Linux distribution for their server fleets, though a significant minority of respondents used multiple Linux distributions in their server deployments.

There are pros and cons to each approach. Using a single Linux distribution for all server roles carries benefits for server management by reducing the efforts required in managing servers and by simplifying the application of automation tools. On the other hand, choosing to use a role-specific Linux distribution for different server roles such as a web server, file server or authentication provider allows organizations to fully exploit the strengths of each distribution.

LINUX DISTRIBUTIONS (count):
CentOS fork 52
Ubuntu 38
Red Hat Enterprise Linux 28
CloudLinux OS 26
Other 18
Oracle Enterprise Linux 15
Debian 8

The “other” option resulted in various entries including SUSE, Proxmox, Raspbian or Arch Linux.

COMPANIES WITH MULTIPLE OR SINGLE DISTRIBUTION FLEETS: Single distribution 73%; Multiple distributions 27%.

We found it revealing that single distribution fleets dominate the landscape. That suggests that the standardization of procedures is an important advantage for organizations. In our results, we found that the preference for single distribution fleets is consistent across industries and company sizes.

Ideal vulnerability scanner and patch management tool

Vulnerability management tools are relatively complex and typically carry a steep learning curve, while features and capabilities vary from product to product. We asked respondents what features they would like to see in their ideal vulnerability scanner and patch management tool.

Responses varied, with the respondents selecting nearly equally from the available options, while a significant number of respondents opted to suggest a feature under “other”. These preferences included “logging”, “minimal impact on system resources”, “phased rollouts” and “detection of backported fixes”.

IDEAL VULNERABILITY MANAGEMENT TOOL FEATURES (chart): the option labels that survive extraction are “Fast response to new CVEs” and “Live patching of all components without …”; the shares shown were 87.5%, 75%, 69.79%, 69.79% and 6.25%.

Logging as a desired feature

It is not difficult to see why logging is mentioned. There is a need for transparency with respect to the inner workings of a tool. After all, security tools are directly touching organizational systems. What happens under the hood matters.

Logging is also important because the user interface of a vulnerability management tool can hide the underlying complexity of the tool. When a vulnerability management tool runs it will typically run several complex, involved scripts that log into an OS or into applications to detect existing packages, to check versions, and to test against known exploits.

These automated scripts generate data that gives the user a bird’s eye view of key information via reports or a security operations center (SOC) dashboard. Yes, automation is helpful for day-to-day security operations activities, but automation can obstruct debugging steps.

Current logging implementations sometimes provide so much information that it becomes overwhelming to process and therefore obstructive. For other tools, the logging data provides too little information to be of value.

Resource use and patch rollout

Respondents that pointed to “minimal impact on system resources” reflected the fact that today’s tools can have a noticeable impact on system responsiveness or throughput. That is because of the characteristics of today’s tools: most work either through an agent deployed on every server or via remote calls into existing daemons. The frequency of tests and the volume of information gathered can easily cause a drain on resources.

Another feature requested by respondents is “phased rollouts”. In other words, respondents wanted more granular control over patching so that servers could be grouped, and so that patches could be deployed to selected servers in order to test patches for wider distribution. It adds an essential extra stage in patch management – stepping patch deployment from development to quality assurance, and then on to production. It is possible to set up selective deployment with current tools, but it is a time-consuming and manual exercise.

Finally, the respondent that specified “detection of backported fixes” referred to the ability of a security scanner to detect vulnerability fixes that have already been applied, and to do so in a way that does not rely purely on checking the version string.

Detection of backported fixes matters because some patching mechanisms apply patches to the affected code without updating the version number. That can lead to false positives if a patching tool relies only on version numbers.
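To make the backported-fix problem concrete, here is an added Python example (not code from the report or from TuxCare): it runs the version-only check that produces the false positive beside a check that also reads the package changelog for the CVE identifier, which is where RPM-based distributions record a backport (the text `rpm -q --changelog` prints). The package names, version numbers, changelog text and CVE identifier are constructed placeholders.

```python
import re

# Placeholder identifier for the example; the report names no CVE and this is not a real one.
PLACEHOLDER_CVE = "CVE-0000-0001"

# Upstream shipped the fix in this version; the distribution never rebased to it
# and instead backported the fix into a later package release (constructed values).
FIXED_UPSTREAM_VERSION = "2.4.3"

# Constructed sample hosts. The changelog text mimics what `rpm -q --changelog`
# prints on RPM-based systems, where maintainers record the CVE a backport fixes.
PATCHED_HOST = {
    "name": "examplelib",
    "version": "2.4.1",
    "release": "16.el8",
    "changelog": (
        "* Tue Mar 30 2021 Example Maintainer <maint@example.invalid> - 2.4.1-16\n"
        f"- Backport upstream fix for {PLACEHOLDER_CVE}\n"
        "* Mon Jan 11 2021 Example Maintainer <maint@example.invalid> - 2.4.1-15\n"
        "- Rebuild for updated toolchain\n"
    ),
}
UNPATCHED_HOST = {
    "name": "examplelib",
    "version": "2.4.1",
    "release": "15.el8",
    "changelog": (
        "* Mon Jan 11 2021 Example Maintainer <maint@example.invalid> - 2.4.1-15\n"
        "- Rebuild for updated toolchain\n"
    ),
}

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def version_key(version: str) -> list:
    """Split '1.1.1g' into comparable tokens: numbers compare numerically,
    letters lexically, and a numeric token sorts above an alphabetic one."""
    return [(1, int(t)) if t.isdigit() else (0, t) for t in _TOKEN.findall(version)]


def version_says_vulnerable(installed: str, fixed_upstream: str) -> bool:
    """Version-only check: anything older than the upstream fix version is flagged.
    This is the logic that raises false positives against backported fixes."""
    return version_key(installed) < version_key(fixed_upstream)


def changelog_mentions(changelog: str, cve_id: str) -> bool:
    """Backport-aware check: did the package maintainer record this CVE as fixed?"""
    return re.search(r"\b" + re.escape(cve_id) + r"\b", changelog, re.IGNORECASE) is not None


def assess(package: dict, cve_id: str, fixed_upstream: str) -> dict:
    """Return both verdicts for one package so the difference is visible."""
    version_only = version_says_vulnerable(package["version"], fixed_upstream)
    backport_aware = version_only and not changelog_mentions(package["changelog"], cve_id)
    return {
        "package": f'{package["name"]}-{package["version"]}-{package["release"]}',
        "version_only_verdict": "vulnerable" if version_only else "fixed",
        "backport_aware_verdict": "vulnerable" if backport_aware else "fixed",
        # True when a scanner that trusts only the version string would misreport the host.
        "false_positive": version_only and not backport_aware,
    }


if __name__ == "__main__":
    for host in (PATCHED_HOST, UNPATCHED_HOST):
        print(assess(host, PLACEHOLDER_CVE, FIXED_UPSTREAM_VERSION))
```

The patched host is flagged by the version-only check and cleared by the changelog-aware one, while the host still on release 15 is flagged by both.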

Vulnerability Management

Awareness is critical when dealing with vulnerabilities and it doesn’t matter how an organization gains awareness: through online information, through vulnerability scanning, or thanks to internal teams. Understanding which systems are vulnerable is always the first step towards protecting those systems because it is only possible to protect against danger when you’re aware of that danger.

VULNERABILITY AWARENESS (chart; respondents could select multiple options):
Information online about the software versions 75.00%
Automated vulnerability scans 64.13%
Manual vulnerability scans 60.87%
Dedicated Security team (Blue and Red Operations team) 39.13%
The hacker leaves a note in your system 19.57%
Other 3%

For our question on vulnerability awareness respondents were allowed to select multiple options. We found it particularly interesting that nearly 20% of respondents found out about a vulnerability due to a note from a hacker on their system – which is a clear and obvious indicator of a successful breach.

It is notable that online research is the most common source for vulnerability information as reported by our respondents. Given the growth in CVEs, the manual nature of online research may not remain an effective way to manage vulnerabilities in the long run.

Vulnerability scans performed on an organization’s systems still remain an important way to gain awareness about security flaws – whether these are performed manually or automatically. Using a dedicated security team to assess vulnerabilities is less widespread and possibly points to a lack of resources rather than a genuine lack of interest in appointing a dedicated team.

Responding to a vulnerability

If a vulnerability is detected it must be dealt with and, if possible, resolved. This is how respondents said that they handled vulnerabilities.

HOW DO YOU COPE WITH DETECTED VULNERABILITIES? (chart; multiple selections): Emergency maintenance windows 73.91%; Wait for the next periodic maintenance window, Use automatic patching tool and Use live patching tool at 48.91%, 46.74% and 44.57%; Other 1.09%.

Emergency maintenance windows are arguably the most disruptive mechanism, but they were nonetheless the preferred choice when dealing with a known vulnerability. It can therefore be suggested that, for over 70% of respondents, the risks associated with a potential security breach outweigh operational and availability considerations.

The only non-disruptive mitigation method used, live patching, is chosen by nearly half of respondents. Interestingly, many respondents replied that they cope with vulnerabilities simply by waiting for the next periodic maintenance window. This, in turn, implies that their systems will remain vulnerable during the waiting period.

Automation

The response to the discovery of a vulnerability can be actioned either manually or automatically. There are several steps involved in a response and it is interesting to look at the steps that are most commonly automated – and the steps that are least likely to be automated.

AUTOMATED STEPS (chart): Patching 76.19%; the remaining options Reporting, Assignment, Prioritisation and None were shown at 61.90%, 30.95% and 21.43% (one value did not survive extraction).

Automating the patching process is clearly widespread while reporting is also commonly automated. However, assigning tasks and prioritizing patches are steps that are much less likely to be automated.

Surprisingly, despite the high numbers of CVEs that are filed, and the overall growth in cybersecurity threats, a number of respondents reported that their organizations do not automate any of the steps involved in the vulnerability management process.

It is common for organizations to combine automated tasks – for example, combining patching and reporting. We asked respondents to report whether they automated multiple processes:

NUMBER OF COMPANIES PER AUTOMATED TASKS:
Patching 24
Reporting 12
Patching, Reporting 7
Prioritisation, Assignment, Reporting, Patching 6
Assignment, Reporting, Prioritisation 3
Patching, Assignment, Reporting 3
Patching, Prioritisation 3
Reporting, Prioritisation 2
Assignment, Reporting 2
Prioritisation, Patching, Assignment 1

Most companies are only automating the patching process and reporting is the most commonly automated function – with many companies automating both patching and reporting. Compliance law is increasingly demanding evidence of patching, so it stands to reason that we will see more and more reporting automation.

In our survey results we also found that smaller IT teams – fewer than twenty team members – reported a higher reliance on reporting automation. In fact, small teams’ reliance on reporting automation outweighed the reliance on automation of larger teams by a factor of 6 to 1. Reporting is the only automated task where there was a significant difference in the behavior of small teams vs. large teams.

Maintenance and Patch deployment

Detecting vulnerabilities in systems requires teams to perform monitoring and testing tasks that probe their systems. The amount of time spent doing so varies dramatically from one industry to another.

HOURS PERFORMING MONITORING TASKS AND LOOKING FOR VULNERABILITIES PER WEEK:
Technology 25
Banking & Financial Services 8
Data Infrastructure, Telecom 7
Retail / Ecommerce 3
Professional Services (Law, Consulting, etc.) 3
Healthcare 2
Industrials (Manufacturing, Construction, etc.) 2
Education 2
Transport, Logistics 2
Agriculture, Forestry, Mining 2
Other 2
Media, Creative Industries 2
Public or Social Services 1

Compared to other industries, organizations in the technology sector clearly spent much more time actively searching for vulnerabilities – perhaps because tech firms are more familiar with the risks.

Preparing a patch in-house

When deploying patches for a vulnerability one key part of the process is obtaining the right patch for the affected system or application. It can happen that an official or vendor patch has not been released, and that the only available information covers the exploit itself with no advice on how to mitigate.

HAVE YOU EVER PREPARED A PATCH IN-HOUSE? (chart): No 45.55%; Yes and “I have attempted it” account for the remaining 28.9% and 25.55%.

About half of our respondents have never created or tried to create a patch for a vulnerability in house, which indicates that these respondents are fully reliant on the availability of vendor patches – or some form of public disclosure that points to remediation measures or remedial code. Another significant proportion, over 25%, suggested that they attempted to create a patch – but didn’t achieve the desired outcome.

There are several obvious barriers to developing a patch. Doing so requires an extensive understanding of the OS or application that needs to be patched as well as knowledge of how the patch may affect other subsystems. Extensive testing is also critical to validate that the patch is effective.

Downtime to deploy patches

After a patch is obtained the patch must be deployed to the affected systems and that often requires a reboot which results in downtime or service disruption. We asked our respondents to state how many hours of downtime their workloads typically experience every week in response to patching.

AVERAGE HOURS OF DOWNTIME FOR PATCHING PER WEEK, PER INDUSTRY:
Transport, Logistics 15
Media, Creative Industries 14
Retail / Ecommerce 8
Technology 4.5
Industrials (Manufacturing, Construction, etc.) 3.5
Public or Social Services 2
Banking & Financial Services 1.56
Agriculture, Forestry, Mining 1.5
Data Infrastructure, Telecom 1.5
Education, Healthcare and Professional Services (Law, Consulting, etc.): the remaining values of 1.15, 1 and 0.83, which the extracted chart does not assign to a specific industry

Most industries reported less than two hours per week lost to patching procedures. However, two industries reported outsize numbers – transport and logistics and media and creative industries both reported considerably higher hours lost due to patching.

Staff time consumed by patching tasks

Patching can be divided into subtasks. Teams must coordinate downtime with stakeholders, processes need to be documented, and some patches need to be installed outside the maintenance window.

The overall time spent on patching, as broken down by industry, does not tell us that much because different industries will have different software stacks and varying regulatory requirements. The expectations of end users around availability also vary, so some organizations may not be able to arrange for downtime as easily as others.

(Chart: share of patching time per subtask by industry, with subtasks including Documentation and Coordination With Stakeholders; the per-industry figures did not survive extraction.)

However, it is interesting to note that, for each industry, the proportion of time devoted to each individual subtask varies dramatically.

When patching is delayed

In an ideal world, patching will occur immediately after a vulnerability is disclosed, but there are several factors that affect this process. In the graph below, we allowed respondents to choose multiple options – the numbers on the graph represent the number of times an option was selected.

WHY DO YOU THINK PATCH INSTALLATION IS DELAYED?
Not able to take critical applications & systems offline so they can be patched quickly 46
It is difficult to prioritize what needs to be patched 31
No common view of applications and assets across security and IT teams 30
Human error 29
Not enough resources to keep up with the volume of patches 27
Technologies such as automation reduce the risk of not patching quickly enough; We can’t easily track whether vulnerabilities are being patched in a timely manner; Emails & spreadsheets are used to manage the process, so things slip between the cracks: counts of 25, 25 and 19 (the extracted chart does not preserve which count belongs to which option)
My organization has no tolerance for the downtime required for patching 15
We don’t have the ability to hold IT or other departments accountable for patching 9
Silo and turf issues 4
We do not think an attacker will exploit our vulnerabilities (count not recovered from the extracted chart)
EOL systems can’t be patched 1

The results show that in many organizations there is no mechanism in place that ensures that patches can be deployed to business-critical systems in a timely manner.

It may be that high-availability architectures are not resilient enough to cope with patching, and that organizations are not using live patching mechanisms to deploy patches without disruption. Either way, the result is that unpatched systems become high-value targets for attackers.

Improvements

Finally, we wanted to gauge which steps would help to improve the outcomes for technology teams that are responsible for vulnerability and patch management.

WHAT STEPS WOULD YOU TAKE TO IMPROVE YOUR ORGANIZATION’S PATCH MANAGEMENT? (chart):
Use a live patching tool 59
Increase automation 54
Increase IT security staff 38
Define your process better and No new steps would be taken: 33 and 32 (the extracted chart does not preserve the order)
Other: three responses

We received three responses under “other”, including “Fix lifecycle issues by not running EOL systems”, “Enforce culpability for patch delayed for internal company politics” and “Have senior management (outside of IT) hold business units responsible for patching”. The first answer is self-explanatory, but the second and third answers are more interesting and may point to problems around silos and whose “turf” it is when it comes to patching.

One pain point that is commonly mentioned is a lack of resources to deal with the mounting workload generated by the growing number of vulnerabilities. We asked our respondents whether they consider that their staff count was sufficient to meet the workload and if they planned to increase staff numbers within the next year.

More than half, 54.3%, of respondents indicated that their staff is insufficient to meet their workload – half of which indicated that they plan on hiring additional staff members that are dedicated to patching tasks.

IS YOUR STAFF SUFFICIENT AND WILL YOU HIRE MORE STAFF DEDICATED TO PATCHING IN THE NEXT 12 MONTHS? (chart): The organization has sufficient staff to patch in a timely manner 45.7%; The organization will hire staff dedicated to patching in the next 12 months 27.2%; remaining respondents 27.2%.

Conclusion

One of the challenging aspects of mounting an effective cybersecurity response is the inherent tradeoffs. Consider, for example, the tradeoff between the availability of resources and the cost of those resources. Likewise, there is the still commonplace tradeoff between availability of services, and fast and timely patching.

At times it can appear as if these tradeoffs are irreconcilable, but there are tools that can bridge the gap – including automation. Indeed, automation is a must-have tool given the automated nature of the cyberthreat. Nonetheless, in our survey, we found that automation – amongst other tools – is unevenly embraced.

It is true, of course, that every industry faces unique challenges and unique tradeoffs. However, irrespective of what these tradeoffs are, every organization must work to adapt to a growing threat. Live patching and other tools will help, and many companies have already cottoned on to the benefits of standardization.

The cybersecurity threat is not going to recede. Vulnerability and patch management efforts must be run intelligently, and must be adequately resourced to meet the growing security challenge.

Thanks for reading the report!

While we’ve received a meaningful number of responses, the survey is still running, and we are eager to increase the number of answers to build a more complete picture of vulnerability and patch management in the enterprise environment.

Have your say! Participate in the survey and get a chance to win one of ten Certified Kubernetes Administrator certifications from The Linux Foundation.

*To avoid spam submissions, only users with corporate email addresses can participate in the raffle.
