A new study challenges conventional wisdom about manual patching
Quick question: How much time and money are you spending on patching known vulnerabilities? There’s a good chance your answer is “not enough.” There’s a better chance that the ultimate answer to the issue of patching isn’t just more money.
The Ponemon Institute’s recent study on The State of Vulnerability Response points out that spending on headcount for patching is on the rise, but that the biggest barrier to fixing flaws isn’t just a lack of bodies. There are more fundamental issues that need to be addressed that would reduce the pressure to increase headcount at a time when there is a shortage of skilled security engineers.
Ponemon calls this the “Patching Paradox” – the belief that more staff dedicated to vulnerability response will equal better security. Yet, hiring additional staff (as 64% of Ponemon’s survey respondents plan to do) does nothing to solve the two underlying patching issues: too many manual processes and too many siloed tools.
One of the enlightening statistics found in the Ponemon report concerns how much time and money organizations spend on average for patching: 321 hours per week dedicated to CVE response. At an average rate of $63 USD per hour for security engineers, that works out to be more than $20,000 per week and more than $1 million per year.
And yet, 61% of respondents say that manual processes put them at a disadvantage compared to attackers. To quote the study,
“…firms struggle with patching because they use manual processes and can’t prioritize what needs to be patched first. Coordinating vulnerability response across multiple teams exacerbates this struggle, leading to long delays and vulnerabilities that slip through the cracks.”
The Ponemon study concludes that the best solution is to rely more on automation to replace manual processes along with using tools that complement, not complicate, efforts to improve patching. One example is Runtime Virtual Patching.
Traditional virtual patching also known as virtual shielding, is used by Web Application Firewall (WAF) and most RASP providers, as a way to quickly protect applications against known CVEs. Traditional virtual patches still leave you vulnerable to attack, though, since these tools do not fix the flawed code and often result in false negatives and false positives. Routine tuning is also required for a patch to remain effective against attacks.
Waratek’s Runtime Virtual Patches are fundamentally different. A runtime virtual patch is the functional equivalent of a physical binary patch that is applied while the application runs with no source code changes and no tuning required. The known CVE is fixed in the compilation pipeline of Java and .NET applications, reducing the time-to-patch across an enterprise to a matter of minutes.
A single patch administrator can download and deploy routine and out-of-cycle runtime virtual patches across an entire application estate in a matter of minutes – work that according to Ponemon now takes an average of nearly 17,000 work hours per year. And, Runtime Patching solutions can save 75% – 90% compared to the $1 million spent annually on the average traditional patching program.
There’s one other significant benefit of Waratek’s Runtime Patches: You get to avoid the business consequences of a successful attack against a known, but unpatched vulnerability. And, there’s no price that can be assigned to that peace of mind.