
Vulnerability fatigue – why you need to get on top of patch management

More and more vulnerabilities are being discovered every day, leaving in-house teams struggling to apply corrective patches quickly. Attackers take advantage of this lead time to analyse information systems, find unpatched vulnerabilities and launch successful attacks.

Last year alone, 22,000 new vulnerabilities were published. At the same time, 80% of attacks exploit known vulnerabilities, which indicates that enterprises are generally slow to patch. Approximately 25% of new vulnerabilities are patched within a month. Eight months on, only 75% of new vulnerabilities are normally patched. This means some vulnerabilities are never patched at all.

The rise of patching fatigue

Patch management has a crucial role to play in minimizing security risks for enterprise information systems. Managing patching, however, can be overwhelming: new applications are being added at a significant rate, increasing the complexity of the IT environment, and the arrival of cloud platforms has exacerbated this. At the same time, many enterprises don’t have enough skilled people on their IT teams to stay on top of patch management. Poor security hygiene when it comes to patching means that vulnerabilities stick around, providing an additional attack vector for cybercriminals.

At the same time, we are all using more and more technologies. To reach a website, for example, you may rely on ten different technologies, such as connectivity, a browser, software to connect to the ISP and so forth, before you get to your chosen destination. Vulnerabilities can appear in any of these parts of an enterprise’s information system, which is why it is increasingly difficult for IT teams to track vulnerabilities from every vendor.

IT teams are also being engulfed by the amount of vulnerability information flowing in from forums, newsletters and so forth. They may get basic vulnerability alerts from vendors, but with so many sources flooding in, it is almost impossible for them to sift out the knowledge they actually need.

The possible outcome is a frightening one. If patches aren’t applied straight away, they are often forgotten. This means sensitive information can be exposed to cybercriminals who will siphon it off and sell it on the dark web – without the enterprise even knowing it has suffered a breach.

Partner to get patching back on track

The sheer volume of security patches consumes a huge amount of an IT team’s time. Partnering with a vulnerability expert can dramatically reduce the burden and stress of vulnerability management on internal resources. For this reason, Orange Cyberdefense has set up an extensive vulnerability intelligence service portfolio, allowing enterprises to choose the specific services they require.

By delegating vulnerability monitoring to Orange Cyberdefense, enterprises receive recommendations that help them prioritize remediation actions and react faster. Flaws can be detected precisely using our automatic scanning feature, which searches for vulnerabilities in networks, systems and applications. Our services can also test information systems for weaknesses using a simulated attack, and check applications for flaws before they are released.


The effective cycle of vulnerability management

Bringing these four solutions together makes our portfolio easier to understand and also forms an effective cycle for vulnerability management.

Firstly, it is important that the customer anticipates threats and is proactively informed as soon as a newly discovered vulnerability impacts the business. Via the bulletin received with the Vulnerability Intelligence Watch solution, customers can prioritize and then apply the appropriate corrections. It is then important to verify that the vulnerabilities are really gone, either by scanning the network with Vulnerability Intelligence Detect or by checking the source code of an application with Vulnerability Intelligence Check Code. As a deeper level of control, we offer Vulnerability Intelligence Ethical Hacking, which uses vulnerabilities (technological or human) to reach sensitive data and shows customers all the “open doors” that need to be closed to protect their business activities.

Don’t sit and wait for an attack

The likelihood of your enterprise being attacked is rising every day. The number of new vulnerabilities discovered has grown 13% every year since 2014 – and this isn’t going to slow down any time soon. It is therefore critical that you have robust vulnerability management in place to ensure the proper preventative measures are taken against attack.

IT infrastructures are now a critical part of business. If you can’t look after their health yourself, it makes sense to partner to make sure vulnerabilities don’t slip through the net – at the same time freeing up IT teams to focus on business projects that boost the bottom line.
