Enterprises Patching Faster Than Ever, But Still Not Fast Enough - InformationWeek


Two out of every three machines have critical vulnerabilities, a security researcher says.

Even though two out of every three machines are vulnerable to one or more critical vulnerabilities, enterprises are managing to patch faster than ever, a researcher said on the eve of his keynote speech at a security conference.

The "half-life" of vulnerabilities -- the amount of time it takes companies to patch half of their systems against a newly disclosed bug -- continues to drop, said Gerhard Eschelbeck, the chief technology officer of Qualys and the creator of what he calls the "Laws of Vulnerabilities." Eschelbeck based his research on statistical analysis of 21 million critical vulnerabilities and 32 million network scans conducted over a three-year period.

"We've made significant progress in reducing the window of exposure," said Eschelbeck, noting that the half-life for a critical vulnerability on an externally-facing computer is now 19 days, down from 2004's 21. In 2003, the half-life of such systems was 30 days.

But not all machines get patched that quickly. "There is a large disparity between external and internal systems," said Eschelbeck. "Systems inside have a half-life of 48 days, compared to 19 for external systems. In large part, that's due to the perception, rightly deserved, that the risk on external machines is higher."

Even so, companies have made dramatic progress in patching internal computers, too; the half-life for these computers was cut by 23 percent in the last year, down from 62 days in 2004, said Eschelbeck.

But the quickened patching pace has been more than matched by an almost three-fold speed increase on the part of exploits. "Automated attacks [now] create 85 percent of their damage within the first 15 days from the outbreak," said Eschelbeck. Last year, he reported that 80 percent of the damage was done in the first 42 days.

One way to compete with that boost in attack and damage speed is to press vendors to provide regularly-scheduled patches. According to Eschelbeck's data, patches released on a predefined schedule -- monthly or quarterly -- are deployed 18 percent faster than those for vulnerabilities whose fixes are released ad hoc.
