Detecting vulnerabilities and managing associated patches is a challenge, even in a small-scale Linux environment. Turn things up and the challenge becomes almost overwhelming. There are approaches that help, but these approaches are applied unevenly.
In our survey, State of Enterprise Vulnerability Detection and Patch Management, we set out to investigate how large organizations deal with the dual and related security issues of vulnerability detection and patch management.
The results provided interesting insights into the tools organizations depend on to manage vulnerabilities and patches effectively at scale, how these tools are used, and the restrictions organizations face in addressing vulnerability threats. Download a copy of the report here.
Managing vulnerabilities is a corporate responsibility
Before we dive into the results of our investigation, let’s take a quick look at why vulnerability management operations are so important in large organizations.
Vulnerabilities are widespread and constitute a major headache in cybersecurity. In fact, vulnerabilities are such a critical issue that laws and regulations are in place to ensure that covered organizations perform vulnerability management tasks properly, as failure to do so can harm a company’s customers.
Each industry has different rules that apply to it – with organizations that process personal data such as health records and financial services companies operating under the strictest rules. This impacts day-to-day vulnerability management operations – some organizations need to act much faster and more thoroughly than others.
This is one of the points we explored in the survey, trying to understand how different industry compliance requirements affect vulnerability operations in the field.
In early 2021, we launched a survey with the intention of studying three key factors in vulnerability and patch management operations. We looked at patch deployment practices, how maintenance windows are handled, and tried to get a sense of the overall level of security awareness of the organizations that responded.
The survey was publicly announced to IT professionals around the world and it keeps running, although we have already published the first results.
An interesting observation that we encountered early on is that vulnerability management and patches are handled similarly around the world. A respondent’s geographic location had no observable correlation with the response we received – we could not find a significant relationship. That said, the industry in which an organization operates has had an impact.
A first glimpse of the survey results
So what did we find? Several interesting facts emerged from our survey. First, automated patching is widely used – 76% of respondents said they implement automated patching across their server fleets.
Live patching was also commonly used, with almost half of respondents relying on live patching to fix vulnerabilities without the downtime typically associated with patching. This is not surprising given the volume of vulnerabilities discovered and fixed each week – there are simply too many patches to apply manually.
That said, we have found it interesting that manual online vulnerability scanning is the most commonly used tool in the vulnerability management arsenal. This suggests that while automation has its place, some organizations have not fully embraced automation – and automation may not cover all aspects of vulnerability management.
We made a notable observation regarding server fleets, as 73% of our respondents reported relying on single operating system server fleets. This suggested to us that organizations appreciate the ease of maintenance of using a single Linux distribution for all server roles – rather than using a specialized Linux distribution for each server role. CentOS or another CentOS fork was the most commonly used operating system.
Different industries exhibited different practices
The results highlighted how vulnerability and patch management practices vary from industry to industry. The tech industry, for example, spent more than three times as many hours per week monitoring vulnerabilities than the banking and financial services industry. This may be because tech companies are more in touch with threats – or more frequently targeted.
In another interesting observation, the tolerance – or perhaps the need – for downtime varied considerably from industry to industry. Across all areas of transportation and logistics, our respondents suggested that their organizations tolerate an average of 15 hours per week of downtime in order to accommodate patches. But healthcare organizations reported an average of just one hour per week of downtime.
There were also significant differences in the way organizations in different industries spent staff hours managing vulnerabilities and patches. For example, respondents working in public and social services, as well as banking and financial services, reported spending a significant portion of working hours on monitoring, while industrial companies spend comparatively little time monitoring vulnerabilities.
Resources are a big problem
Staff hours are a finite resource and organizations must choose carefully how they allocate available resources. When we looked at what our respondents said overall, two interesting facts emerged. First, documenting the patch application process takes relatively little time compared to other patch-related tasks.
In contrast, our respondents suggested that setting up a maintenance window to apply patches takes the longest – perhaps due to the sheer number of stakeholders involved and the inevitable disruption that maintenance windows cause.
It also became evident that there are resource challenges. 38% of respondents said they wanted to increase IT security staff to improve patch management in their organization, while 29% of respondents said patch installation was delayed due to a lack of resources.
We are therefore not surprised that more than half of those surveyed – 54.5% – said that the staff resources at their disposal are not sufficient to cope with the remediation workload, while 27.2% indicated that they intended to hire more staff to accommodate patch management tasks.
Powerful tools can increase resources
Human resources underpin the remediation process, but having access to the right tools and functionality is just as important. Our survey revealed the need for a few key features that make vulnerability management and patching more efficient than they would otherwise be.
We asked our respondents what features they would like to see in a patch management tool. Quick responses to CVE news, live patching, and automated full reporting were requested to an almost equal extent.
The question was left open and some respondents requested features that we did not list. Logging was a suggestion, indicating that many of the vulnerability management tools used do not provide sufficient transparency into how the tool works – and how it affects systems.
Gradual deployments are another requested feature, which emphasizes the need to manage patches in a way that avoids catastrophic disruption by allowing patch deployment in a more controlled manner.
What does this mean for Linux users?
Linux vulnerabilities continue to pour in and related exploits are becoming more common, in part because malicious actors are using automated tools to find vulnerabilities.
Even the best-resourced security team will be stuck trying to tackle threat automation, the only viable path being security automation. The majority of our respondents were already using patch automation, and it’s clear that using vulnerability management tools with the right set of features can help teams make the most of the hours they have.
Your chance to win a Kubernetes course
Earlier in this article, I mentioned that although we have received a significant number of responses, the survey is still ongoing and we are very much looking forward to building on the number of responses we have received so that we can build a more complete picture of vulnerability and patch management in the enterprise environment.
To encourage more people to take our survey, we are awarding ten free Linux Foundation Certified Kubernetes Administrator (CKA) certifications to survey participants. You can have a chance to win by completing the survey on this link. The results of the survey are informative and inspire opinion: your contribution will help shape the future of vulnerability and patch management, promoting best practices across all industries.
Interested in the full results? You can download the State of Enterprise Vulnerability Detection and Patch Management report here.