Monday, June 12, 2023

The Patching Problem

Last week in one of my ‘Short Takes’ posts, I mentioned an article that I found on the Cisco.com website, “Prioritization to Prediction”. I have finally had a chance to peruse it in detail, and I fully recommend it to any of my readers who have anything to do with patching software. This is part three of an in-depth study done by Kenna Security. While there are some limitations to their statistical universe (300 of their customers, hardly a random sample), I think that some of their insights are well worth considering.

NOTE: This report is physically difficult to read because it does not scroll well. It does better in HTML than PDF (and who saves HTML?), but because of the data intense graphics, things just take too damn long to load. Someone really needs to address this issue.

A good summary can be found on page 21 in the form of three FAQ-style questions:

• Can organizations remediate new vulnerabilities before exploitation? (short answer ‘yes’),

• Can organizations remediate all new vulnerabilities in their environment? (short answer ‘no’), and

• Can organizations remediate all new high-risk vulnerabilities in their environment? (short answer ‘yes’).


The answer to the last question relies heavily on Kenna’s definition of ‘high-risk vulnerability’. They do not use the typical CVSS-based rating; instead, they have established a corporate definition based upon whether or not exploits are publicly available for the vulnerability. To be clear, this is not whether the vulnerability has been exploited in the wild (certainly everyone would agree that those are extremely high-risk vulnerabilities), but any vulnerability for which an exploit (presumably including proof-of-concept code and Metasploit modules) has been published. This is likely a difficult standard for most entities to track on their own, but apparently Kenna pushes this information to their clients.

The scariest graph in the report is the one below:


There is a lot of explanation that goes into this data (please read the report), but the short take is that for their data set (and that is apparently mainly IT systems from their customers), you never get a chance to get it all done. The vulnerabilities just keep coming, and patching never catches up.
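To make the three FAQ answers and the ‘never catch up’ point concrete, here is a small backlog model I added for this post; it is not Kenna’s code or data. It feeds a constructed monthly intake of vulnerabilities through a fixed patching capacity, selecting either everything, the CVSS-high subset, or the exploit-availability ‘high-risk’ subset as defined above. The intake mix (1 in 4 with a public exploit, 1 in 20 exploited in the wild), the capacity, and the identifiers are all assumptions.

```python
"""Backlog model for the argument above (added illustration, not Kenna's
data or code). A fixed monthly patching capacity is applied to a
constructed intake, selecting either every vulnerability, those rated
high by CVSS, or those meeting the exploit-availability definition of
'high risk'. The intake mix and capacity are assumptions."""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Vuln:
    vuln_id: str          # placeholder identifier, constructed
    cvss: float           # CVSS base score
    exploit_public: bool  # PoC code or Metasploit module published
    exploited_itw: bool   # observed exploited in the wild


def is_high_risk(v: Vuln) -> bool:
    """Exploit-availability definition as the post describes it: any
    published exploit qualifies, not only in-the-wild exploitation."""
    return v.exploit_public or v.exploited_itw


def is_cvss_high(v: Vuln, threshold: float = 7.0) -> bool:
    """Conventional severity-based definition, for comparison."""
    return v.cvss >= threshold


def monthly_intake(month: int, count: int) -> list[Vuln]:
    """Constructed, deterministic intake: 1 in 4 has a public exploit,
    1 in 20 is exploited in the wild, CVSS cycles through 4.0..10.0."""
    return [
        Vuln(f"VULN-{month}-{i}", 4.0 + (i % 7), i % 4 == 0, i % 20 == 0)
        for i in range(count)
    ]


def simulate(months: int, per_month: int, capacity: int,
             selector: Callable[[Vuln], bool]) -> list[int]:
    """End-of-month count of selected-but-unpatched vulnerabilities when
    `capacity` patches can be applied each month."""
    backlog, history = 0, []
    for m in range(months):
        selected = [v for v in monthly_intake(m, per_month) if selector(v)]
        backlog = max(0, backlog + len(selected) - capacity)
        history.append(backlog)
    return history
```

Running `simulate(12, 100, 40, sel)` with `sel` set to `lambda v: True`, `is_cvss_high` and `is_high_risk` in turn gives a backlog that grows every month, one that grows more slowly, and one that stays at zero, which is the shape of the report’s three answers.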
