Lots of Tricks, No Treats: Patching Horror Stories Scarier Than Halloween
Gather ‘round for a Halloween horror story so frightening it’ll make you WannaCry.
Okay, that was a bad pun, but a good example to start with. WannaCry might be the ultimate patching horror story in terms of how many systems were hit in how short a time, but it is one example of a much larger and scarier industry-wide challenge.
The WannaCry ransomware attack encrypted an estimated 200,000 computers in 150 countries in a matter of hours. That’s plenty scary. Even worse: a patch was already available. Microsoft had shipped the fix for the SMBv1 flaw it exploited (MS17-010) in March 2017, two months before the May 2017 outbreak. The bigger challenge we face is not a single vulnerability, but hundreds of vulnerabilities exposing our environments daily, and many of these can be mitigated or patched today.
If you are familiar with the CISA KEV (Known Exploited Vulnerabilities) catalog, you are aware of a small part of the problem. The KEV list was created in response to Binding Operational Directive 22-01 which was launched in November 2021. Since its inception, the list of vulnerabilities being tracked has grown to 848 CVEs (after the addition of six new CVEs on October 24th, 2022).
Here are some scary statistics about the CISA KEV catalog:
- The oldest CVE on the list is CVE-2002-0367, which is an elevation of privilege vulnerability in Microsoft Windows 2000 and NT4.
- 90% of the CVEs on the list are 10+ months old. 769 CVEs in the CISA KEV catalog are older than 2022.
- 71% of the CVEs on the list are from 2020 or earlier. 601 CVEs in the CISA KEV catalog are older than 2021.
- 34% of the CVEs on the list are over five years old. 292 CVEs in the CISA KEV catalog are older than 2018.
- The scariest statistic is how many known exploited CVEs are not in the CISA KEV catalog at all. The Ivanti Risk-based Vulnerability Management platform was tracking 29,579 known exploited vulnerabilities as of the end of Q3 2022, against the 848 in KEV.
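The age figures above can be recomputed against any release of the catalog, and the same feed answers the more urgent question for a defender: which KEV entries are present on a given host and how far past their BOD 22-01 remediation due date they are. The following is an added example, not code from the original post or from Ivanti's platform. It assumes the public feed's JSON schema (a top-level "vulnerabilities" list whose entries carry "cveID", "dateAdded" and "dueDate" as YYYY-MM-DD), which matches https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; the eight catalog entries and the host CVE list embedded below are constructed for the example (the CVE numbers and dates are made up), and the function names are the example's own.

```python
"""KEV catalog age statistics and per-host overdue check (added example)."""
import json
from datetime import date

KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed entries in the feed's schema. CVE numbers and dates are made up;
# only the year prefix of the CVE ID matters for the age statistics. The fields
# vendorProject/product/vulnerabilityName/shortDescription/requiredAction/notes
# that the real feed carries are omitted here because nothing below uses them.
SAMPLE_KEV = {
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example",
    "dateReleased": "2022-10-24T00:00:00.0000Z",
    "count": 8,
    "vulnerabilities": [
        {"cveID": "CVE-2002-90001", "dateAdded": "2022-03-03", "dueDate": "2022-03-24"},
        {"cveID": "CVE-2010-90002", "dateAdded": "2022-01-10", "dueDate": "2022-07-10"},
        {"cveID": "CVE-2017-90003", "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
        {"cveID": "CVE-2019-90004", "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
        {"cveID": "CVE-2020-90005", "dateAdded": "2022-06-08", "dueDate": "2022-06-29"},
        {"cveID": "CVE-2021-90006", "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
        {"cveID": "CVE-2022-90007", "dateAdded": "2022-09-15", "dueDate": "2022-10-06"},
        {"cveID": "CVE-2022-90008", "dateAdded": "2022-10-24", "dueDate": "2022-11-14"},
    ],
}
# Constructed: CVEs a scanner reported on one host (the last is not in KEV).
SAMPLE_HOST_CVES = ["CVE-2002-90001", "CVE-2022-90008", "CVE-2021-90006", "CVE-2099-00001"]
AS_OF = date(2022, 10, 24)  # the catalog date the post's statistics refer to


def load_catalog(text: str) -> dict:
    """Parse the feed JSON and refuse anything that lacks the vulnerabilities list."""
    catalog = json.loads(text)
    if not isinstance(catalog.get("vulnerabilities"), list):
        raise ValueError("not a KEV catalog: missing 'vulnerabilities' list")
    return catalog


def cve_year(cve_id: str) -> int:
    """CVE-YYYY-NNNN... -> YYYY. Malformed IDs raise rather than being skipped,
    so a corrupt feed cannot silently shrink the statistics."""
    parts = cve_id.split("-")
    if len(parts) != 3 or parts[0] != "CVE" or not parts[1].isdigit():
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    return int(parts[1])


def kev_age_report(catalog: dict, as_of: date) -> dict:
    """Count catalog entries whose CVE year is before each threshold.

    Thresholds mirror the post's buckets: older than this year, older than
    last year, and at least five calendar years old (CVE year <= as_of.year - 5,
    i.e. strictly before as_of.year - 4).
    """
    years = [cve_year(v["cveID"]) for v in catalog["vulnerabilities"]]
    total = len(years)
    if total == 0:
        raise ValueError("empty catalog")
    older_than = {}
    for threshold in (as_of.year, as_of.year - 1, as_of.year - 4):
        n = sum(1 for y in years if y < threshold)
        older_than[threshold] = (n, round(100 * n / total, 1))
    oldest = min(catalog["vulnerabilities"], key=lambda v: cve_year(v["cveID"]))
    return {"total": total, "oldest_cve": oldest["cveID"], "older_than": older_than}


def overdue_kev_on_host(catalog: dict, host_cves, as_of: date) -> list:
    """Return (cveID, days past BOD 22-01 dueDate) for every host CVE that is
    in KEV, most overdue first. Negative days mean the deadline is still ahead."""
    by_id = {v["cveID"]: v for v in catalog["vulnerabilities"]}
    hits = []
    for cve in host_cves:
        entry = by_id.get(cve)
        if entry is None:
            continue  # exploited or not, it is outside the KEV mandate
        due = date.fromisoformat(entry["dueDate"])
        hits.append((cve, (as_of - due).days))
    hits.sort(key=lambda hit: hit[1], reverse=True)
    return hits


def example_report() -> dict:
    return kev_age_report(load_catalog(json.dumps(SAMPLE_KEV)), AS_OF)


def example_overdue() -> list:
    return overdue_kev_on_host(SAMPLE_KEV, SAMPLE_HOST_CVES, AS_OF)


if __name__ == "__main__":
    report = example_report()
    print(f"{report['total']} entries, oldest {report['oldest_cve']}")
    for year, (n, pct) in report["older_than"].items():
        print(f"  older than {year}: {n} ({pct}%)")
    for cve, days in example_overdue():
        state = f"{days} days overdue" if days > 0 else f"due in {-days} days"
        print(f"  {cve}: {state}")
```

To run this against the real catalog, download the feed and call kev_age_report(load_catalog(open(path).read()), date.today()); the host list would come from your scanner export. Sorting by days past due rather than by CVSS is deliberate: everything in KEV is already known to be exploited, so the deadline you have blown is the more useful ordering key.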
What’s the problem?
Why are companies neglecting to patch critical vulnerabilities?
We can’t speak for everyone, but we know from our extensive experience in this space that a lot of it comes down to teams being completely overwhelmed. Patch management challenges are crippling security teams that are already understaffed and spread too thin.
The sheer volume of vulnerabilities is crushing, and there is a constant stream of new vulnerabilities which makes it feel impossible to get ahead.
It’s understandable that security teams feel like they’re playing Whac-a-Mole. And that feeling is valid, because no security team, no matter how robust, can expect to manually keep pace with every threat.
According to a study by Ivanti, 71% of IT and security professionals find patching to be overly complex and time-consuming. More than half (53%) say they spend the most time each month organizing and prioritizing vulnerabilities. That’s extra scary, because as time passes with vulnerabilities unpatched, the exposure level rises.
This story could have a happy ending
The problem is clear. So, what’s the solution? Risk-based vulnerability management (RBVM) blended with automated patch intelligence. This powerful combination can ensure you are automatically prioritizing patches based on their risk.
RBVM + Patch can consider threat context and the organization’s unique security posture for a tailored approach that alleviates a major burden on IT and security.
Threat actors are working quickly, adapting and elevating their efforts to stay ahead of security teams. Without automated, intelligent solutions, organizations will constantly be playing from behind, reacting instead of preventing. That’s costly and exhausting.
If your organization hasn’t already invested in an RBVM and automated patch intelligence solution, now is the time. By next Halloween, you could have the treat of far fewer tricks.