Overwhelmed by patches? You're not alone

Study finds that half of IT departments are struggling to keep up with the flood of patches

Feeling like too much of your time is taken fixing up software with patches? You probably have some legitimate gripes: A study by security firm Tripwire found that almost half of the 483 IT professionals surveyed struggle to keep up with the volume of patches coming their way — or worse, find themselves completely overwhelmed by the amount of patch work that needs to be done.

The sheer volume of patches can indeed be staggering: According to Tripwire's research, there were 2,804 patches for Windows in 2015, and 2,859 patches for Red Hat Enterprise Linux (RHEL).

But according to respondents, it's not the amount of patches but how well the process is managed by the vendor that matters most.

"It's not about how many patches you have to apply, it's about information, about how you receive and install them and how reliable those patches are," said Lane Thames, a security researcher with Tripwire.

Indeed, Windows and RHEL were ranked among the easiest platforms to patch, along with Google Chrome.

Meanwhile, Oracle Database (276 patches), Java (116 patches), and Cisco IOS (62 patches) were ranked as the hardest platforms to patch, even with relatively few patches.

"Microsoft is setting the gold standard. It's monthly, you can plan around it, it's well documented," Thames said. "Sporadic deployment is causing difficulty, unless it's a patch addressing known exploits that are in the wild."

But Microsoft, in an effort to better meet the needs of a wide array of users, might be making it harder for those customers.

"Windows 10 patch releases have demonstrated a shift away from straightforward Windows patch management. Gone is a single line of security patches as used by previous versions of Windows; instead we see a shift toward multiple release branches, all with different rules for patching," the report found. "The new line of servicing options is confusing and reminiscent of Cisco's versioning. As we're discussing Patch Fatigue, it's probably worth noting that only one-third of Cisco IOS administrators are able to decipher which updates to install without contacting Cisco's technical support team. Windows 10 appears to be heading down a similar path, with only one-third of those surveyed feeling that Windows 10 has improved patch management."

That's a sentiment widely shared by IT Pro readers caught in eternal Patch Tuesday battles and seeking more control over when and what patches go out into their systems.

The full study, which runs 19 pages, is available from Tripwire.

And I'd love to hear your take on the state of patching in the comments: Is Windows really where it should be on helping you manage the flow of patches, and is there anyone out there who gets the process right? Any tips for others who are facing their own patch fatigue?
