Cyber Hygiene Report: What You Need to Know Now

Lessons learned from an AimPoint Group survey on the state of endpoint patching and hardening

Most IT professionals are aware that endpoint patching and hardening are basic functions that enterprises must master to provide effective cybersecurity. Most are also aware that there is a lot of room for improvement in the way their own organization performs these functions.

But most IT professionals admit that they don’t have a good feel for exactly how important endpoint patching and hardening are relative to other security controls, how well most enterprises are handling them now, and what are the most common problems enterprises have in performing them.

This report sheds light on those questions using data from a survey of 560 IT operations and security professionals at enterprises with between 500 and 25,000 employees, across more than 15 industries and at government agencies.

Our goal is to help readers benchmark the performance of their organizations against peers and develop insights into how to make improvements that will pay off.

The Advantages of Better Cyber Hygiene

Why should IT professionals care about improving cyber hygiene? Because it can help IT organizations address three major objectives:

1. Reducing risk
Endpoints that are quickly and effectively patched and hardened are much less vulnerable to compromise and much less likely to be involved in data breaches.

2. Lowering cost
Streamlining and automating patching and hardening can dramatically improve the productivity of IT operations and security operations (SecOps) personnel, reduce the number of alerts that teams have to investigate, and free staff to handle other critical operations and security work.

3. Accelerating business innovation
Faster, more reliable processes for patching and hardening, and extending those processes to new technology areas, enable enterprises to quickly and confidently take advantage of innovations in areas like mobile computing and cloud platforms.

Summary of Findings

  • Missing patches and misconfigurations are three of the four leading root causes of data breaches. Missing OS patches was cited as the #1 technical attack surface exposure to cause a data breach. (See Figure 2.) A case can be made that improving cyber hygiene is the most cost-effective way to break the “kill chain” of many advanced attacks.

  • Survey participants are least confident about maintaining cyber hygiene for systems at remote sites, servers and desktops on cloud platforms, and mobile devices. (See Figures 3, 4, and 5.) This probably reflects the fact that many enterprises are using manual methods, or patch management and hardening tools designed for corporate data centers and offices, which are difficult or impossible to use for remote and cloud environments.

  • Few organizations patch endpoints fast enough or harden them frequently enough to protect against new threats, especially zero-day attacks. (See Figures 5, 6, 7, and 8 on pages 8, 9, and 10.) Less than half can patch affected systems in three days or less (fast enough to defend against most new critical threats). Only about twenty percent can patch in a day or less (fast enough to secure organizations against zero-day attacks). Perhaps most discouraging, almost sixty percent harden desktops, laptops, and servers only monthly or annually, which is an invitation to adversaries.

  • Enterprises say they prioritize patching and hardening, but are inhibited by basic issues such as difficulty patching systems belonging to mobile employees and remote offices, inefficient patch testing, lack of visibility into endpoints, lack of automated patch management, and insufficient staffing in SecOps and IT operations. (See Figures 9 and 10.) Either managers in many enterprises are only paying lip service to prioritizing patching and hardening, or they are not aware of solutions like cyber hygiene platforms that can overcome these inhibitors.

  • Organizations that have fully automated endpoint patching and hardening are outperforming others in the speed and frequency of hardening. Automation isn’t a panacea, but it certainly helps. There is a very strong correlation between automation and the ability to patch endpoints faster and harden them more frequently. Clearly, most enterprises should be automating more of their patching and hardening processes.

Is there evidence that endpoint patching and hardening can reduce data breaches?
Yes, definitely! When asked about the root causes of data breaches, respondents cited a missing OS patch as the #1 technical attack surface exposure. And three of the four most common root causes of those breaches can be addressed with better cyber hygiene.

When it comes to cyber hygiene, which IT components are under control and which keep IT teams up at night?

Organizations are most confident about cyber hygiene for on-premises systems and SaaS applications. Remotely located and mobile systems cause the most concern because they are harder to reach and aren’t handled well by legacy patch management and hardening tools.

"Many organizations are using patch management and hardening tools that were designed for on-premises systems and don’t provide good coverage of remote computers, mobile devices, and cloud-based systems."

What factors make systems easier (or harder) to patch?
Organizations are most confident about patching on-premises physical servers, and least confident about systems that are cloud-hosted, desktops, virtual, or some combination of the three.

Few organizations patch fast enough
Can organizations patch fast enough to head off new threats before they are weaponized and deployed? Unfortunately, less than 50 percent of organizations can patch critical vulnerabilities within 72 hours of disclosure, and only about 20 percent can patch within the 24-hour window available to stop zero-day attacks. Also, around 15 percent of systems remained unpatched after 30 days.

Speed of Response
Do survey respondents think their organizations can respond quickly enough to threats? A full 59 percent agree that their processes and tools do not enable them to respond quickly enough to zero-day threats. Their answers show that there is broad room for improvement in responding to new threats.

Enterprises are playing with fire on hardening
Do organizations harden systems frequently enough to protect themselves? About 20 percent are hardening systems daily or hourly, but almost 60 percent perform this task only monthly or annually.
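The patch-speed and hardening-frequency benchmarks above (24 hours for zero-day threats, 72 hours for critical vulnerabilities, 30 days as the point at which a system is simply stale, and daily hardening as the cadence to aim for) are easy to measure against your own fleet. The script below is an added example, not part of the AimPoint Group report; the inventory rows, the `location` field, the timestamp format and all function names are assumptions, and the figures it produces come from constructed sample data rather than the survey.

```python
"""Benchmark a fleet's patch latency and hardening cadence against the
report's thresholds: 24 h (zero-day), 72 h (critical), 30 d (stale).
Added example with constructed data; record shape and names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample inventory: one row per (host, critical vulnerability).
# 'disclosed' = when the vendor fix became available; 'patched' = None if still open.
SAMPLE_RECORDS = [
    {"host": "hq-srv-01",   "location": "on-prem", "disclosed": "2023-03-01 09:00", "patched": "2023-03-01 20:00"},
    {"host": "hq-srv-02",   "location": "on-prem", "disclosed": "2023-03-01 09:00", "patched": "2023-03-03 15:00"},
    {"host": "cloud-web-1", "location": "cloud",   "disclosed": "2023-03-01 09:00", "patched": "2023-03-06 10:00"},
    {"host": "remote-lt-7", "location": "remote",  "disclosed": "2023-03-01 09:00", "patched": None},
    {"host": "remote-lt-9", "location": "remote",  "disclosed": "2023-03-01 09:00", "patched": "2023-03-02 08:00"},
]
NOW = datetime(2023, 4, 15, 12, 0)  # constructed "current time" for the sample

ZERO_DAY_WINDOW = timedelta(hours=24)   # report: window available to stop zero-day attacks
CRITICAL_WINDOW = timedelta(hours=72)   # report: fast enough for most new critical threats
STALE_AFTER = timedelta(days=30)        # report: systems still unpatched after 30 days
HARDENING_INTERVAL = timedelta(days=1)  # daily hardening, the cadence the report favours


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def patch_latency(record, now):
    """Time from fix availability to installation; for open items, time exposed so far."""
    disclosed = _ts(record["disclosed"])
    end = _ts(record["patched"]) if record["patched"] else now
    return end - disclosed


def benchmark(records, now):
    """Percent patched within 24 h and 72 h, and percent exposed for more than 30 days
    (still open, or patched only after the 30-day mark)."""
    n = len(records)
    lat = [(r, patch_latency(r, now)) for r in records]
    within_24h = sum(1 for r, l in lat if r["patched"] and l <= ZERO_DAY_WINDOW)
    within_72h = sum(1 for r, l in lat if r["patched"] and l <= CRITICAL_WINDOW)
    over_30d = sum(1 for _, l in lat if l > STALE_AFTER)

    def pct(k):
        return round(100.0 * k / n, 1) if n else 0.0

    return {"within_24h": pct(within_24h), "within_72h": pct(within_72h),
            "exposed_over_30d": pct(over_30d)}


def benchmark_by_location(records, now):
    """Same metrics split by where the host lives, since the report finds remote and
    cloud systems are where coverage is weakest."""
    groups = defaultdict(list)
    for r in records:
        groups[r["location"]].append(r)
    return {loc: benchmark(rs, now) for loc, rs in groups.items()}


def hardening_overdue(last_hardened, now, max_interval=HARDENING_INTERVAL):
    """True when a host's configuration baseline has not been re-applied within max_interval."""
    return now - _ts(last_hardened) > max_interval


if __name__ == "__main__":
    print("fleet:", benchmark(SAMPLE_RECORDS, NOW))
    for loc, result in benchmark_by_location(SAMPLE_RECORDS, NOW).items():
        print(f"{loc:8s}", result)
    print("remote-lt-7 hardening overdue:", hardening_overdue("2023-04-14 10:00", NOW))
```

Feeding the real inventory from a patch management or cyber hygiene platform export into `benchmark` and `benchmark_by_location` gives the same three numbers the report quotes (share patched within 24 hours, within 72 hours, and share still exposed after 30 days), so an organization can see directly whether it sits with the roughly 20 percent, the under 50 percent, or the stragglers, and which location class is dragging the average down.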

"We were very discouraged to see that almost 60 percent reported that hardening is done only monthly or annually—a very serious state of affairs that requires more attention from enterprises."

Factors Preventing Effective Endpoint Patching and Hardening

Recognizing the need for improvement is a first step, but to decide exactly what to improve we need to understand the factors that are preventing endpoint patching and hardening from being carried out effectively today.

Obstacles to patching on-premises and cloud-based systems
What factors inhibit organizations’ ability to patch systems on premises and in the cloud? While patching is not considered a low priority, organizations are struggling with a combination of issues ranging from inability to take systems offline, to difficulties working with systems in remote locations, to inefficiencies in basic patching processes.

A Brief Introduction to Cyber Hygiene Platforms

Good business people never raise issues without recommending a solution, or at least suggesting how to find a solution, so that’s what we’ll do here.

Cyber hygiene platforms can address many of the problems raised by the participants in this survey. They are designed to systematize and automate many of the tasks that go into patching and hardening endpoints. That includes automating and managing processes that:

  • Provide visibility into all the endpoints in the enterprise and maintaining a complete inventory of the software on them

  • Identify missing patches for operating systems and both approved and unapproved application software

  • Identify misconfigurations and compliance issues

  • Deploy and install software on endpoints

  • Run scripts to fix configuration issues

  • Ensure reliable patching and hardening of systems used by remote users and global workforces

  • Provide reporting and documentation showing that patching and hardening activities are being carried out in compliance with regulations and corporate policies

The best cyber hygiene platforms extend these processes not only across data centers and corporate offices, but also to remote locations and cloud platforms. They handle applications deployed in containers and virtual environments across multiple operating systems. You can probably imagine how these capabilities can minimize or eliminate many of the issues and inhibitors raised in our survey. For example, a cyber hygiene platform can help an organization:

  • Better manage patching and hardening of systems in remote locations and on cloud platforms and applications in containerized and virtual environments

  • Protect mobile devices and workers, even when they infrequently connect to the corporate network

  • Speed up patching enough to protect against even zero-day attacks

  • Harden systems on a continuous basis to dramatically reduce the window in which adversaries can exploit misconfigurations

  • Improve staff productivity so existing SecOps and IT operations teams can manage patching and hardening for more systems, across more environments, with less effort

Ultimately, these capabilities can enable IT organizations to succeed in the three areas we mentioned at the beginning of this survey: reducing risk, lowering cost, and accelerating business innovation.