IT exec: Apply patches on schedule, not demand

Organizations that apply patches on a regular schedule install them faster than those that patch only on demand.

Organizations that update their software security patches on a regular schedule tend to apply patches faster than those that install them as needed, the chief technology officer at Qualys told hundreds of information technology industry representatives today.

Organizations that follow a predefined monthly patching process install the updates on average 18 percent faster than organizations that apply them only when warned of vulnerabilities, said Gerhard Eschelbeck, who is also Qualys’ vice president of engineering.

This should be food for thought in the industry, where there’s a lot of discussion about whether it’s more secure to patch on a schedule or simply address vulnerabilities as they are revealed, Eschelbeck said during the Computer Security Institute’s 32nd Annual Computer Security Conference and Exhibition in Washington, D.C.

To reach its conclusion, Qualys performed a statistical analysis of 32 million vulnerability scans of 2,000 customers between 2002 and 2005, Eschelbeck said.

The company also found that organizations’ patching behavior mirrors the half-life of radioactive materials, Eschelbeck said.

Half-life is the scientific term for the time it takes for 50 percent of a radioactive material to decay into a nonradioactive substance, such as uranium into lead.

Qualys found that the half-life of patching (the time for 50 percent of companies to have patched a given vulnerability) for systems connected to the Internet in 2005 was 19 days. For internal systems, the half-life was 48 days.

Comparatively, “19 days is pretty good” for externally facing systems, Eschelbeck said. The 48-day half-life is “obviously a significant window of exposure for organizations.”

Both figures, however, are improvements over 2004. Last year, the half-life was 21 days for external systems and 62 days for internal systems, Eschelbeck said.
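The half-life figures above describe an exponential decay curve. The following Python example is added here and is not from the article or from Qualys; it turns that model into numbers a defender can plan with: the share of systems still exposed after a given number of days, the time needed to reach a coverage target, and an empirical half-life estimated from constructed scan records (the remediation days in `SAMPLE_INTERNAL` are made up for illustration).

```python
# Patching half-life model, added to illustrate the figures quoted above.
# The 2005 half-lives (19 days external, 48 internal) come from the article;
# the scan records below are constructed sample data, not Qualys results.
import math

HALF_LIFE_2005 = {"external": 19, "internal": 48}  # days, from the article

def fraction_unpatched(days, half_life):
    """Share of systems still exposed `days` after disclosure, assuming the
    exponential decay the article likens to radioactive half-life."""
    return 0.5 ** (days / half_life)

def days_to_coverage(coverage, half_life):
    """Days until `coverage` (0.9 = 90 percent) of systems carry the patch."""
    if not 0 <= coverage < 1:
        raise ValueError("coverage must be in [0, 1)")
    return half_life * math.log2(1 / (1 - coverage))

def observed_half_life(remediation_days):
    """Empirical half-life of one vulnerability: the day by which half of the
    affected hosts were patched. None marks a host still unpatched when the
    scan window closed; it counts as exposed, never as patched."""
    if not remediation_days:
        return None
    patched = sorted(d for d in remediation_days if d is not None)
    needed = math.ceil(len(remediation_days) / 2)
    if len(patched) < needed:
        return None  # half the fleet never patched: half-life not reached
    return patched[needed - 1]

# Constructed data: days from disclosure to patch for eight internal hosts
# and one hypothetical vulnerability; two hosts were never patched.
SAMPLE_INTERNAL = [12, 20, 35, 41, 55, 70, None, None]

def exposure_report(half_life):
    """What a given half-life means for the window of exposure."""
    return {
        "unpatched_after_30d": round(fraction_unpatched(30, half_life), 2),
        "days_to_90pct": round(days_to_coverage(0.9, half_life)),
        "days_to_99pct": round(days_to_coverage(0.99, half_life)),
    }

if __name__ == "__main__":
    for name, half_life in HALF_LIFE_2005.items():
        print(f"{name}: half-life {half_life} days -> {exposure_report(half_life)}")
    print("observed internal half-life:", observed_half_life(SAMPLE_INTERNAL))
```

With the 2005 internal half-life of 48 days, the model puts 90 percent coverage at about 159 days and 99 percent at about 319, which is the tail that the temporary access-control measures mentioned below have to cover.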

A long half-life doesn’t necessarily mean an organization is unprotected, Eschelbeck noted. Organizations can use access-control lists and other technologies to temporarily protect their systems until a patch is installed, he said.

Eschelbeck said he would like to see the half-life of patching decrease an additional 20 percent in 2006, to 15 days for external systems and 38 days for internal systems.

That is a reasonable goal, he said, but any improvement beyond it starts to push the physical limits of organizations’ ability to patch quickly.

To cut that additional 20 percent, organizations must know the Top 10 vulnerabilities they face and prioritize patching them, Eschelbeck said. That’s because the Top 10 weaknesses cause 90 percent of security problems, he said.

Organizations must also start enforcing security on their networks, Eschelbeck said. They must make sure that every device they want to use is secure before connecting it to the network.

This field, called network admission management, will hit its stride in 2006, Eschelbeck said. This year, Cisco Systems released Network Admission Control and Microsoft issued Network Access Protection, which let customers assess a device’s security posture and grant it network access based on the result, he said.

“There’s a real need in the market for this kind of technology,” he said.