Detecting vulnerabilities and managing the associated patches is a challenge even in a small Linux environment. Scale things up and the challenge becomes almost insurmountable. There are approaches that can help, but these approaches are applied unevenly.
In our State of Enterprise Vulnerability Detection and Patch Management survey, we examined how large companies deal with the dual, interconnected security problems of vulnerability detection and patch management.
The results provided interesting insights into the tools organizations rely on to deal with large-scale vulnerability and patch management, how these tools are used, and the limitations organizations face in combating threat actors. Download a copy of the report here.
Vulnerability management is a corporate responsibility
Before we get into the results of our survey, let’s take a quick look at why running vulnerability management is so important in large organizations.
Vulnerabilities are widespread and are a major cybersecurity headache. In fact, vulnerabilities are such a critical problem that laws and regulations exist to ensure that organizations adequately perform vulnerability management tasks, because failing to do so can harm a company's customers.
Different rules apply to each industry, with the strictest rules applying to organizations that handle personal data such as patient records and to financial services companies. This affects the day-to-day operation of vulnerability management: some companies need to act much faster and more thoroughly than others.
This is one of the points we examined in the survey to understand how different industry compliance requirements affect vulnerability operations in the field.
In early 2021, we started a survey with the intention of examining three key factors in the area of vulnerability and patch management. We examined the patch deployment practices, the handling of maintenance windows, and tried to get an overview of the general security awareness of the companies that responded.
The survey has been publicly promoted to IT professionals around the world and remains open even though we have released the first results.
An interesting observation that we noticed right from the start is that vulnerability management and patching are handled similarly around the world. We could find no meaningful link between a respondent's geographic location and the responses received. However, the industry in which a company operates did have an impact.
A first look at the survey results
So what did we find? Some interesting facts emerged from our survey. First, automated patching is widespread – 76% of respondents said they implement automated patching in their server fleets.
Live patching was also widely used, with nearly half of respondents relying on live patching to fix vulnerabilities without the downtime normally associated with patching. This is not surprising given the number of vulnerabilities discovered and patched each week: there are simply too many patches to apply manually.
We found it interesting, however, that manual online vulnerability research is the most widely used tool in the vulnerability management arsenal. It suggests that while automation has a place, some organizations have not embraced it fully, and that automation may not cover all aspects of vulnerability management.
We made a remarkable observation regarding server fleets: 73% of our respondents said they run their server fleets on a single operating system. This suggested to us that companies value the ease of maintenance of using one Linux distribution for all server roles rather than a specialized distribution for each role. CentOS, or a fork of it, was the most commonly used operating system.
Different industries showed different practices
The results highlighted how different vulnerability and patch management practices differed from one industry to another. The technology sector, for example, spent more than three times as many hours a week monitoring for vulnerabilities compared to the banking and financial services sectors. This may be because tech companies are exposed to threats – or attacked – more frequently.
In another interesting observation, the tolerance – or perhaps the need – for downtime varied dramatically from industry to industry. In the transportation and logistics industry, our respondents said that their companies tolerate an average of 15 hours a week of downtime to enable patches. However, health organizations reported an average of just one hour of downtime per week.
There were also significant differences in how organizations in different sectors spent staff hours on vulnerability and patch management. For example, respondents working in public and social services and in banking and financial services indicated that they spend a significant share of their time on monitoring, while industrial companies spend comparatively little time monitoring vulnerabilities.
Resources are an important issue
Staff hours are a finite resource and organizations must carefully choose how to allocate the available resources. When we looked at what our respondents reported overall, two interesting facts emerged. First, documenting the patching process takes relatively little time compared to other patching-related tasks.
In contrast, our respondents indicated that setting up a maintenance window to apply patches takes the most time, possibly because of the number of actors involved and the inevitable friction that arises because maintenance windows cause disruption.
It also became clear that there are challenges in sourcing resources. 38% of respondents said they would like to add IT security staff to improve their company's patch management, and 29% said that patch installation had been delayed due to a lack of resources.
So we are not surprised that more than half of respondents (54.5%) said they had insufficient human resources to handle the patching workload, while 27.2% said they intend to hire more staff to address vulnerability and patch management tasks.
Powerful tools can increase resources
Human resources carry the patching process, but access to the right tools and functions is just as important. Our survey identified key features that make vulnerability management and patching more efficient than they would otherwise be.
We asked our respondents which features they would like to see in a patch management tool. Fast reactions to new CVEs, live patching and automated comprehensive reporting were almost equally in demand.
The question was open-ended, and some respondents requested features that we had not listed. Logging was one suggestion, indicating that many of the vulnerability management tools in use do not provide sufficient visibility into what the tool is doing and how it is affecting systems.
Staggered rollouts were another requested feature, indicating the need to manage patching in a way that avoids catastrophic disruption by rolling patches out in a controlled manner: to a small set of systems first, then to progressively larger groups, with a chance to stop if something breaks.
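As an illustration of what a staggered rollout involves, here is an added example of a rollout controller that patches a fleet in widening waves (a canary first, then 10%, 50% and the rest) and halts as soon as a wave's failure rate exceeds a threshold. This is example code written for this page, not code from the survey, the report or any patch management product; the fleet, the patch action and the health check are all simulated and constructed inline, and the wave fractions and the `web-NN` host names are assumptions for the demonstration.

```python
"""Staged (canary-style) patch rollout with a per-wave health gate. Example code, not a product."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Sequence

# Cumulative fleet fractions per wave (assumed values for the example):
# 1% canary, then 10%, 50%, and finally the whole fleet.
DEFAULT_WAVES = (0.01, 0.10, 0.50, 1.0)


@dataclass
class RolloutResult:
    patched: List[str] = field(default_factory=list)   # hosts patched and healthy
    failed: List[str] = field(default_factory=list)    # hosts patched but unhealthy
    halted_at_wave: Optional[int] = None               # index of the wave that tripped the gate


def plan_waves(hosts: Sequence[str], fractions: Sequence[float] = DEFAULT_WAVES) -> List[List[str]]:
    """Split the fleet into waves so that after wave i the cumulative share patched is fractions[i].

    Each wave contains only hosts not scheduled in an earlier wave, and no wave is empty,
    so even a tiny fleet still gets a single-host canary first.
    """
    waves: List[List[str]] = []
    n, scheduled = len(hosts), 0
    for frac in fractions:
        target = min(n, max(scheduled + 1, int(round(n * frac))))
        wave = list(hosts[scheduled:target])
        if wave:
            waves.append(wave)
        scheduled = target
        if scheduled >= n:
            break
    return waves


def run_rollout(hosts: Sequence[str],
                apply_patch: Callable[[str], None],
                health_ok: Callable[[str], bool],
                max_failure_rate: float = 0.0,
                fractions: Sequence[float] = DEFAULT_WAVES) -> RolloutResult:
    """Patch wave by wave; stop before the next wave if this wave's failure rate is too high.

    With max_failure_rate=0.0 a single unhealthy host halts the rollout, which is the
    conservative default: the unpatched remainder of the fleet keeps serving traffic.
    """
    result = RolloutResult()
    for i, wave in enumerate(plan_waves(hosts, fractions)):
        wave_failures = 0
        for host in wave:
            apply_patch(host)
            if health_ok(host):
                result.patched.append(host)
            else:
                result.failed.append(host)
                wave_failures += 1
        if wave_failures / len(wave) > max_failure_rate:
            result.halted_at_wave = i
            break
    return result


def simulated_rollout(max_failure_rate: float = 0.0) -> RolloutResult:
    """Constructed scenario: 100 web hosts, one of which (web-17) breaks after patching."""
    hosts = [f"web-{i:02d}" for i in range(100)]      # constructed host names
    broken_after_patch = {"web-17"}                    # constructed failure
    patched_log: List[str] = []

    def apply_patch(host: str) -> None:                # stands in for the real patch action
        patched_log.append(host)

    def health_ok(host: str) -> bool:                  # stands in for a real post-patch check
        return host not in broken_after_patch

    return run_rollout(hosts, apply_patch, health_ok, max_failure_rate)


if __name__ == "__main__":
    r = simulated_rollout()
    print(f"patched={len(r.patched)} failed={r.failed} halted_at_wave={r.halted_at_wave}")
```

In the constructed scenario the canary (1 host) and second wave (9 hosts) pass, the third wave (40 hosts) contains the broken host, and the rollout halts there with 49 healthy hosts patched and 50 still untouched; raising `max_failure_rate` to 0.05 lets the single failure through and the rollout completes. The real work in a production version is in `apply_patch` and `health_ok`: the gate logic stays the same.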
What does this mean for Linux users?
Linux vulnerabilities are being discovered more often, and working exploits for them are appearing more often too, in part because threat actors use automated tools to search for vulnerable systems.
Even the best-equipped security team will be overwhelmed in a fight against automated threats unless it automates in turn. The majority of our respondents already use patch automation, and it is clear that vulnerability management tools with the right features can help teams get more out of the hours they have.
Your chance of winning a Kubernetes certification
At the beginning of this article, I noted that although we have received a meaningful number of responses, the survey is still ongoing, and we are keen to build on the responses received to get a more complete picture of vulnerability and patch management in the corporate environment.
To encourage more people to take our survey, we are awarding ten free Linux Foundation Certified Kubernetes Administrator (CKA) certifications to survey participants. You have a chance to win by completing the survey at this link. The survey results are informative and empowering: your contribution will help shape the future of vulnerability and patch management and advance best practices across industries.
Interested in the full results? You can download the Enterprise Vulnerability Detection and Patch Management Status Report here.