Enterprises are getting pummeled with security-related software patches. It seems every day there is a new bug discovered that sends teams scrambling to patch. It’s a wonder they manage to keep up with the continuous vulnerability delivery pipeline that the software industry inflicts on its users.

According to the CVE (Common Vulnerabilities Exposures) database, there were 14,709 vulnerabilities published in 2017. That’s 40 new software vulnerabilities every calendar day. How do enterprises keep up? Many, in fact, don’t. However, some do, and they strive to move relatively quickly when it comes to patch distribution.

Security vendor Tripwire, along with Dimensional Research, set out to get some answers on how quickly organizations patch. The number of enterprises surveyed was small, totaling 406 respondents. And the size of the enterprises surveyed could also be relatively small, as it included responses from organizations with as little as 100 employees. There also wasn’t any mention in the release how many endpoints or software applications these enterprises manage. The survey isn’t as informative as it could be because we don’t see how long it’s taking those enterprises with lots of servers and endpoints and devices to manage.

Still, the results were interesting. Most (56 percent) of those who answered the survey said that they can discover new hardware and software added to the network within minutes (23 percent) or hours (33 percent).

When it comes to detecting vulnerabilities, only 17 percent reported that it took 31 days or more to remediate a vulnerability. Interestingly, 6 percent of respondents said they don’t use vulnerability assessment tools in their environment. That’s reasonable in a very small environment, so we’ll hope that the majority of that 6 percent actually have small environments. The rest of the respondents, 77 percent, patch vulnerabilities within 30 days. In fact, 37 percent of those respondents said they actually get fixes in place within 15 days of a vulnerability discovery.

According to the news release, only 17 percent of respondents use automated asset discovery tools so that they can spot networked systems and, one would hope, prioritize patch criticality based on business value.

Business value — that brings up another interesting and important point. Surveys that look at organizations’ general speed to patch are fun, and they can be an indicator of trends underway — but they don’t provide us much insight into how well organizations are actually reducing their risk. The speed an organization can patch, and how fast and accurately they can recognize new networked systems are certainly indicators of a potentially healthy security program. But it doesn’t tell us the full picture.

Other indicators of a mature vulnerability management program would be how thoroughly and accurately their networked assets are categorized and prioritized by business value, and how software vulnerabilities are mitigated in other ways such as application firewalls, network, and access segmentation. Maturity would also be looked at based on how patching is prioritized. Not all business systems are of the same value, and not all vulnerabilities are high risk — so we’d hope that, rather than simply trying to patch all vulnerabilities in 15 or 30 days, it’s those high-risk vulnerabilities that affect high-value assets that are patched first.

RELATED LINKS

Meltdown and Spectre bring a world of hurt to the cloud

Enterprise security lessons for Meltdown and Spectre defence

Vulnerability assessment vs. penetration testing