Are Your Software Patches Keeping Up With Your SLAs?
If you’ve seen the headlines in the last year, then you know that unpatched software is responsible for some of the most damaging cyberattacks companies face.
In fact, according to a recent study by ServiceNow, nearly 60% of organizations that suffered a data breach in the last two years were attacked via a vulnerability for which they hadn’t yet deployed a patch.
It gets worse: 34% also said they knew their systems were vulnerable prior to the attack. That’s the equivalent of receiving a police bulletin that known burglars were spotted in your neighborhood, yet leaving your front door unlocked anyway.
This reflects a major misconception when it comes to patching. The popular view is that a vulnerability is discovered, and then there’s a race between hackers to weaponize it and software companies to patch it. Once it’s patched, the race is over.
However, in reality that’s when the race truly begins. A patch only works when it’s installed, not just available. A report by Flexera found that 86% of all vulnerabilities in 2017 had a patch available on the day of disclosure. While deploying a patch the same day it’s available seems like it should be standard operating procedure, in reality it can take weeks, months or sometimes even years to deploy a patch.
What’s the hold up?
A manual patch deployment process plays a large role. According to the ServiceNow study, 12 days are lost just in coordinating across teams for every vulnerability they patch. Reasons for this include:
1. Having no common view of assets and applications across security and IT (73%)
2. Things slipping through the cracks because emails and spreadsheets are used to manage the patching process (57%)
3. No easy way to track if vulnerabilities are being patched in a timely manner (62%)
Given these statistics, it’s hard to believe that many companies are meeting their security level agreements (SLAs). An SLA is commonly used to get in writing the security requirements and expectations for either an outsourced vendor or an internal resource like the IT department. This includes scanning for vulnerabilities, code quality control and patching.
When it comes to patching, an SLA usually covers patching standards for things like:
1. Speed of deployment: partners expect patches quickly so data doesn’t get compromised when it could have been easily prevented.
2. Coverage: just one device can lose massive amounts of data. An SLA will often state that 100% of devices must be patched within a certain period after patch release.
3. Verification: it’s not enough to patch everything quickly. It must be verified with agreed-upon reporting standards.
Given the prominence preventable data breaches have received in the news thanks to the Equifax breach and the WannaCry attack, SLAs are being more strongly enforced or rewritten to make patching a priority. That means a data breach won’t only mean a loss of data; it will also mean a breach of contract and all the fines, penalties and litigation that can go along with it.
There’s no standard for SLA targets; depending on the severity of the vulnerability it can range from hours to sometimes months or even years. However, we can be sure these policies will be given a close look to determine if they’re timely enough.
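The SLA terms above (coverage of 100% of devices within a window that depends on severity, plus verifiable reporting) are easy to state and hard to track with spreadsheets. The script below is an added example, not code from the article or from any vendor, that turns a device-by-patch inventory into an SLA compliance report: which devices installed a patch inside its window, which installed it late, and which are still overdue. The per-severity windows and the inventory rows are constructed for illustration; as the text notes, there is no standard for SLA targets, so the numbers here are assumptions, not recommendations.

```python
from collections import defaultdict
from datetime import date, timedelta

# Assumed per-severity SLA windows in days. Illustrative only: the article
# stresses that real targets range from hours to months depending on severity.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}

# Constructed inventory: one row per (device, patch). "installed" is None when
# the device has not reported the patch yet. Patch names are placeholders.
INVENTORY = [
    {"device": "ws-001", "patch": "PATCH-CRIT-1", "severity": "critical",
     "released": date(2018, 3, 1), "installed": date(2018, 3, 5)},
    {"device": "ws-002", "patch": "PATCH-CRIT-1", "severity": "critical",
     "released": date(2018, 3, 1), "installed": date(2018, 3, 12)},
    {"device": "ws-003", "patch": "PATCH-CRIT-1", "severity": "critical",
     "released": date(2018, 3, 1), "installed": None},
    {"device": "ws-001", "patch": "PATCH-MED-1", "severity": "medium",
     "released": date(2018, 3, 20), "installed": date(2018, 3, 25)},
    {"device": "ws-002", "patch": "PATCH-MED-1", "severity": "medium",
     "released": date(2018, 3, 20), "installed": None},
    {"device": "ws-001", "patch": "PATCH-LOW-1", "severity": "low",
     "released": date(2018, 1, 10), "installed": date(2018, 2, 1)},
    {"device": "ws-003", "patch": "PATCH-LOW-1", "severity": "low",
     "released": date(2018, 1, 10), "installed": date(2018, 2, 2)},
]


def patch_status(record, today):
    """Classify one (device, patch) row against its SLA window.

    Returns (state, days_over) where state is one of:
      compliant - installed on or before the deadline
      late      - installed, but after the deadline (SLA already breached)
      overdue   - not installed and the deadline has passed
      pending   - not installed, deadline still in the future
    days_over is how many days past the deadline the install (or today) is.
    """
    deadline = record["released"] + timedelta(days=SLA_DAYS[record["severity"]])
    installed = record["installed"]
    if installed is not None:
        if installed <= deadline:
            return "compliant", 0
        return "late", (installed - deadline).days
    if today > deadline:
        return "overdue", (today - deadline).days
    return "pending", 0


def sla_report(records, today):
    """Per-patch rollup: device counts by state, coverage %, and a pass/fail.

    meets_sla is True only when every device is compliant, matching the
    "100% of devices within the window" clause the article describes.
    """
    per_patch = defaultdict(lambda: {"devices": 0, "compliant": 0, "late": 0,
                                     "overdue": 0, "pending": 0})
    for r in records:
        state, _ = patch_status(r, today)
        row = per_patch[r["patch"]]
        row["devices"] += 1
        row[state] += 1
    for row in per_patch.values():
        row["coverage_pct"] = round(100.0 * row["compliant"] / row["devices"], 1)
        row["meets_sla"] = row["compliant"] == row["devices"]
    return dict(per_patch)


def overdue_devices(records, today):
    """Devices whose deadline passed with no install, worst first.

    This is the list that falls through the cracks in an email-driven process.
    """
    out = []
    for r in records:
        state, days = patch_status(r, today)
        if state == "overdue":
            out.append((r["device"], r["patch"], days))
    return sorted(out, key=lambda t: -t[2])


if __name__ == "__main__":
    as_of = date(2018, 4, 1)  # constructed reporting date
    for patch, row in sla_report(INVENTORY, as_of).items():
        print(patch, row)
    for device, patch, days in overdue_devices(INVENTORY, as_of):
        print(f"OVERDUE: {device} missing {patch} by {days} days")
```

Feeding this the real asset inventory and a patch-management export gives the "agreed-upon reporting standard" the SLA asks for in one place, and the overdue list is the queue to work first. Note that a patch installed after its deadline still counts as a breach for reporting purposes, which is why "late" is tracked separately from "compliant".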
If they’re not, or even if they are, do you or your vendors have the tools in place to achieve them? The answer might determine whether it’s your company’s name that makes the next headline.