Security Patching: How Fast is Fast Enough?

New data shows 43% of IT teams are taking more than a week to roll out critical security patches.

October 3, 2019 • Published by

October is National Cyber Security Awareness Month (#NCSAM), and one of the topics I like to bring up is security patching. Just about every IT leader will tell you that timely security patching is a priority for their organization. So why did our latest ControlScan research find that 43% of IT teams are taking more than a week to implement even the most critical of security patches?

Security patching should be a priorityThe software and application security holes failing to
patch creates open the door to attackers entering and wreaking havoc on your business IT network. Our SOC analysts see it just about every day, but some recent examples include unpatched web servers leading to attempts to install cryptocurrency mining software, unpatched remote desktop/VDI systems exposing direct network access, and vulnerable back office computers falling victim to malware due to unpatched web browsers.

Time is risk.

The clock begins ticking as soon as a security patch is released. That’s because the forums and notifications releasing these patches aren’t just monitored by IT pros, they’re also watched by hackers and cyber criminals. And, in some cases, the vulnerability identified by the patch is already well known and being actively exploited “in the wild.”

There is a lot of malware out there today and most of it takes advantage of unpatched vulnerabilities. In fact, a recent Ponemon study found that nearly 60% of breached organizations were operating with a known vulnerability they hadn’t gotten around to security patching.

Attackers go to work the moment a patch release is announced, utilizing exploit kits to take advantage of the now-public vulnerabilities. Therefore, the longer you wait to roll out a patch to your organization, the greater the risk that you will be compromised.

Time is money.

The ControlScan 2019 Managed Detection and Response Report also notes that on average, IT teams are spending only 40 hours a month on security log and endpoint security monitoring. There are 280 hours alone in a week for 24x7 monitoring coverage, so that average of 1.3 hours per day just isn’t going to cut it.

When it’s combined with the missing security monitoring component, a lack of priority in implementing security patches can be potentially disastrous. Let’s say an attacker exploits your unpatched vulnerability within the first week of a patch release, but it takes you a month to implement the patch. Without anyone to actively detect and respond to threats in your network, that attacker will continue to operate unnoticed for an indefinite period of time.

When the intruder finally is discovered, your organization could be looking at significant financial repercussions as it performs analysis on the breach and the impact to the organization.

Patch early, monitor always.

So how fast is fast enough? Patching ASAP, especially when it’s a critical patch, is the way to go. Unless there is an extenuating circumstance, all security patches should be implemented within a week of their release. I’m a firm believer that those who wait months to apply patches are the reason we have botnets!

If it isn’t already taking place, round-the-clock monitoring should also be one of your top security operations goals. Evidence of malicious activity can be found in log records and machine data generated by your networked systems, security devices and applications—but only if someone with the appropriate tools, expertise and bandwidth is actively looking for it.

Learn more from our recent research and compare your operations against that of your peers. Download the ControlScan 2019 Managed Detection and Response Report today!