It’s no secret that security is difficult. Corporate networks have so many moving parts that simply keeping track of every digital asset is a challenge. Add the never-ending need to update and patch, and every new development or feature enhancement brings another layer of complexity. Microsoft, Adobe and other major software providers try to make life easier for IT professionals by releasing scheduled updates with as much notice as possible, but each update can roll tens or hundreds of individual patches into one package.
According to the Qualys Threat Research Unit’s (TRU) TruRisk Research Report, organisations took just over 30 days on average to patch a software vulnerability. Threat actors, by comparison, took 19.5 days to build a weaponised exploit for one of those vulnerabilities. The difference is just over 11 days in which a working exploit exists but the average organisation has not yet patched, and that is the window attackers target.
Patching performance and prioritisation
Diving further into this data, TRU saw that security teams patch commonly deployed software like Microsoft Windows and Google Chrome effectively and efficiently, beating threat actors’ ability to take advantage of those issues. On average, the most commonly used operating system and web browser were patched twice as fast and twice as frequently as other software assets: the mean time to remediate (MTTR) issues in Windows and Chrome globally is 17.4 days, about two and a half weeks, with an effective patch rate of 82.9%.
Another interesting finding is that exploits used in ransomware attacks typically take around 45 days to appear for a given vulnerability. That is much slower than other attacks, so security teams should be able to patch before those vulnerabilities can be exploited. Ransomware attacks succeed when patches are missed, so measuring how completely your team patches across all your assets, not just the well-known ones, is essential.
Automation makes a significant impact. It helps security teams remediate issues faster than manual rollouts allow and is a big part of why performance around Windows and Chrome is so efficient. Patches that could be deployed automatically were applied 45% more often and 36% faster than manual patches: vulnerabilities whose fixes can be pushed through a patch management solution had a mean time to remediation of 25.5 days, against 39.8 days for manually patched vulnerabilities. Making patches easy to roll out at scale improves a team’s performance and stops attacks from succeeding.
Misconfigurations are just as challenging
Misconfigurations can be just as problematic as software vulnerabilities. A misconfiguration is any IT system that has not been set up correctly, and the problem affects traditional endpoints and servers, web applications and cloud deployments alike.
TRU scanned anonymised data from more than 370,000 web applications in 2022 and detected more than 25 million security issues. The largest category was security misconfiguration, as defined in the Open Web Application Security Project (OWASP) Top Ten list.
Other common faults in web applications are broken or missing access control, weak or missing encryption for data, and susceptibility to injection attacks. Misconfigurations were also responsible for 24,000 web applications being used to host malware.
The good news is that help is available. For cloud deployments, the Center for Internet Security (CIS) publishes benchmarks for the major cloud service providers that document the best practices to follow. Comparing your existing deployment against these benchmarks will highlight potential problems.
However, checking current status is not enough on its own. Companies also have to benchmark how consistently they deploy preventative controls that stop mistakes from being made in the first place.
For example, according to TRU, only 1% of AWS S3 storage buckets are publicly accessible, which shows that the vast majority of IT professionals follow the best practice of keeping buckets private. However, only 50% of companies use the two preventative controls available to manage S3 buckets and block public access. In practice, this means half of companies can easily make a mistake and expose an S3 bucket, because nothing enforces the private default as standard.
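To make the distinction between current status and preventative controls concrete, here is an added example (not Qualys code, and not taken from the report) that assesses constructed S3 bucket data. It assumes the two preventative controls referred to above are S3 Block Public Access applied at the account level and at the bucket level, and it takes input in the shape returned by boto3's get_public_access_block and get_bucket_policy calls, with the bucket names and policy invented:

```python
import json

# The four S3 Block Public Access settings; the control is complete only when all are on.
BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
              "BlockPublicPolicy", "RestrictPublicBuckets")


def block_is_complete(cfg):
    """True when every Block Public Access setting is enabled.
    An empty or missing configuration (nothing configured) counts as off."""
    return bool(cfg) and all(cfg.get(key) is True for key in BLOCK_KEYS)


def policy_grants_public(policy_json):
    """Conservative check for a bucket policy that grants access to everyone:
    any Allow statement whose Principal is a wildcard. Statements with a
    Condition are still flagged here; AWS itself treats a few conditions
    (for example a fixed aws:SourceVpc) as non-public."""
    if not policy_json:
        return False
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict):
            aws = principal.get("AWS")
            if aws == "*" or (isinstance(aws, list) and "*" in aws):
                return True
    return False


def assess_bucket(name, account_block, bucket_block, policy_json):
    """Combine current state (is a public grant present?) with the
    preventative state (is Block Public Access enforced at either level?)."""
    account_ok = block_is_complete(account_block)
    bucket_ok = block_is_complete(bucket_block)
    public_policy = policy_grants_public(policy_json)
    covered = account_ok or bucket_ok   # either level blocks public access
    return {
        "bucket": name,
        "preventative_controls": int(account_ok) + int(bucket_ok),
        "public_policy": public_policy,
        # exposed today: a public grant that nothing blocks
        "exposed": public_policy and not covered,
        # private today only because nobody has made the mistake yet
        "one_mistake_away": not covered and not public_policy,
    }


# Constructed sample data (assumed shapes of boto3's
# get_public_access_block()["PublicAccessBlockConfiguration"] and
# get_bucket_policy()["Policy"]); names and policy are invented.
FULL_BLOCK = {key: True for key in BLOCK_KEYS}
PUBLIC_READ = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]})

SAMPLE = [
    # (bucket, account-level block, bucket-level block, bucket policy)
    ("app-logs", FULL_BLOCK, {}, PUBLIC_READ),    # public grant, but blocked at account level
    ("marketing-site", {}, {}, PUBLIC_READ),      # the 1%: actually exposed
    ("db-backups", {}, {}, None),                 # private, with nothing enforcing it
    ("finance-archive", {}, FULL_BLOCK, None),    # private and enforced at bucket level
]


def assess_all(buckets=SAMPLE):
    return [assess_bucket(*bucket) for bucket in buckets]


if __name__ == "__main__":
    for result in assess_all():
        print(result)
```

The "one_mistake_away" flag is the point of the 50% finding: a bucket can pass a status check today and still have no control standing between it and a single bad policy edit.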
The challenge of access control
Ensuring effective access management is crucial for all of your IT services. Alongside access to traditional IT devices and networks, do not forget access control for your cloud services, the applications you deploy in the cloud, and your web applications. Overlooking any of these areas can lead to a breach.
For example, cloud services are built to be easy to use and fast to get started with, but they are often not secure by default. In the rush to get a new service or application online, it is easy to skip best practices like changing default passwords or protecting access with two-factor authentication.
For developers, the pressure to ship new features and functionality quickly can lead to problems later. Security credentials, for instance, end up committed to software repositories, where an attacker who has gained an initial foothold can find and use them. This comes down to good security hygiene: tooling that manages secrets and scans repositories for credentials catches what people miss, so use it alongside secure coding practices rather than relying on people alone.
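As an added example of the tooling side (not Qualys code), the following scanner checks a constructed repository snapshot for a few well-known credential formats and refuses the commit when it finds one. The file paths, contents and the placeholder convention (${VAR}, {{ var }}) are assumptions; the AWS values are the example credentials from AWS's own documentation, not live keys:

```python
import re

# Constructed repository snapshot (path -> contents). The AWS values are the
# example credentials from AWS's own documentation, not live keys.
REPO = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'DB_PASSWORD = "hunter2hunter2"\n'
    ),
    "config/settings.example.py": 'DB_PASSWORD = "${DB_PASSWORD}"\n',
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...(truncated)\n",
    "README.md": "Set DB_PASSWORD in the environment, never in this repo.\n",
}

# Three detectors: a fixed-format token (AWS access key IDs start with AKIA
# and are 20 characters), a PEM private-key header, and a generic
# "<secret-like name> = '<literal>'" assignment of at least 8 characters.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_secret": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)[\w-]*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}


def _is_placeholder(value):
    """Templated or obviously fake values are meant to be filled at deploy time
    (assumed convention for this example)."""
    return value.startswith(("${", "{{", "<")) or value.lower() in {"changeme", "replaceme"}


def scan_file(path, text):
    """Return (path, line number, detector name) for every hit in one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            if kind == "hardcoded_secret" and _is_placeholder(match.group(1)):
                continue
            findings.append((path, lineno, kind))
    return findings


def scan_repo(repo=REPO):
    return [f for path in sorted(repo) for f in scan_file(path, repo[path])]


def commit_allowed(repo=REPO):
    """Pre-commit style gate: refuse the commit if anything was found."""
    return not scan_repo(repo)


if __name__ == "__main__":
    for path, lineno, kind in scan_repo():
        print(f"{path}:{lineno}: {kind}")
    print("commit allowed" if commit_allowed() else "commit blocked")
```

Pattern scanners like this are a backstop, not a replacement for a secrets manager: they catch the formats you know about, which is why the generic assignment rule and the placeholder exclusion both need tuning to the codebase.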
For web applications, broken access control lets attackers act outside their intended permissions and reach applications or resources they should not be able to see. One example is forced browsing to pages that should sit behind authentication; another is privilege escalation by an already authenticated user. In some cases, access control is missing entirely. Implementing access control consistently across all your systems makes it harder for attackers to get in, and harder for them to find secrets or credentials if they do.
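To show the failure modes described above side by side, here is an added example (not Qualys code) of a minimal request handler in Python: a vulnerable version that serves an admin page without any session, trusts a role claimed in the request body and returns any invoice to anyone, beside a hardened version that reads identity and role only from the server-side session and checks ownership per object. The routes, users, tokens and invoice data are all constructed:

```python
from dataclasses import dataclass
from typing import Optional

# Constructed data: invoice id -> owner, and a server-side session store
# mapping bearer tokens to (user, role). Names and tokens are invented.
INVOICES = {101: "alice", 102: "bob"}
SESSIONS = {
    "tok-alice": ("alice", "user"),
    "tok-bob": ("bob", "user"),
    "tok-carol": ("carol", "admin"),
}


@dataclass
class Request:
    path: str
    session_token: Optional[str] = None   # absent for an unauthenticated caller
    body: Optional[dict] = None           # client-controlled, never to be trusted


def _last_segment(path):
    return path.rsplit("/", 1)[1]


def _invoice_id(path):
    try:
        return int(_last_segment(path))
    except ValueError:
        return None


def vulnerable_handle(req):
    """Broken access control: /admin/reports needs no session (forced
    browsing), /admin/delete-user trusts a role claimed in the body
    (privilege escalation), /invoice/<id> returns any invoice to anyone
    (missing object-level check)."""
    body = req.body or {}
    if req.path == "/admin/reports":
        return 200, "all-reports"
    if req.path.startswith("/admin/delete-user/"):
        if body.get("role") == "admin":
            return 200, f"deleted {_last_segment(req.path)}"
        return 403, "forbidden"
    if req.path.startswith("/invoice/"):
        return 200, INVOICES.get(_invoice_id(req.path), "unknown")
    return 404, "not found"


def hardened_handle(req):
    """Deny by default. Identity and role come only from the server-side
    session; each route then checks the role and, for objects, the owner."""
    session = SESSIONS.get(req.session_token)
    if session is None:
        return 401, "authentication required"
    user, role = session
    if req.path.startswith("/admin/"):
        if role != "admin":
            return 403, "forbidden"
        if req.path == "/admin/reports":
            return 200, "all-reports"
        if req.path.startswith("/admin/delete-user/"):
            return 200, f"deleted {_last_segment(req.path)}"
        return 404, "not found"
    if req.path.startswith("/invoice/"):
        owner = INVOICES.get(_invoice_id(req.path))
        if owner is None:
            return 404, "not found"
        if owner != user and role != "admin":
            return 403, "forbidden"   # object-level authorisation
        return 200, owner
    return 404, "not found"


SCENARIOS = {
    "forced_browsing": Request("/admin/reports"),
    "idor": Request("/invoice/102", session_token="tok-alice"),
    "privilege_escalation": Request("/admin/delete-user/bob", "tok-alice", {"role": "admin"}),
    "legitimate_owner": Request("/invoice/101", session_token="tok-alice"),
    "legitimate_admin": Request("/admin/delete-user/bob", session_token="tok-carol"),
}


def run_scenarios():
    """Status codes from both handlers, keyed by scenario."""
    return {name: (vulnerable_handle(req)[0], hardened_handle(req)[0])
            for name, req in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (vulnerable, hardened) in run_scenarios().items():
        print(f"{name:22s} vulnerable={vulnerable} hardened={hardened}")
```

Note that the vulnerable handler also fails the legitimate admin, because it never looks at the session at all; authorisation that does not start from a verified identity is wrong in both directions.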
Using data to prioritise
One significant lesson for security teams from analysing this data is that there will always be ongoing issues to address. To enhance your ability to respond, you can combine automation, prioritisation, and mitigation techniques to increase effectiveness. Automation, particularly in areas like patch management, can efficiently handle numerous issues that would otherwise consume valuable time. Prioritisation allows your team to focus their efforts on critical areas. Implementing mitigation processes addresses multiple potential problems simultaneously, instead of tackling each issue individually.
It’s important to note that applying this approach will vary for each company and IT security team. There is no universal model that guarantees success in achieving your goals. Instead, examine your own security data alongside broader threat intelligence feeds to identify and concentrate on your priorities. By doing so, you can allocate your most valuable resources — your people — to address the most urgent risks your organisation might face.
Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of disruptive cloud-based IT, security and compliance solutions with over 19,000 active customers in more than 130 countries, including a majority of each of the Forbes Global 100 and Fortune 100. Qualys helps organizations streamline and consolidate their security and compliance solutions in a single platform and build security into digital transformation initiatives for greater agility, better business outcomes, and substantial cost savings.
The Qualys Cloud Platform and its integrated Cloud Apps deliver businesses critical security intelligence continuously, enabling them to automate the full spectrum of auditing, compliance, and protection for IT systems and web applications across on premises, endpoints, cloud, containers, and mobile environments. Founded in 1999 as one of the first SaaS security companies, Qualys has established strategic partnerships with leading cloud providers like Amazon Web Services, Microsoft Azure and the Google Cloud Platform, and managed service providers and consulting organizations including Accenture, BT, Cognizant Technology Solutions, Deutsche Telekom, DXC Technology, Fujitsu, HCL Technologies, IBM, Infosys, NTT, Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a founding member of the Cloud Security Alliance. For more information, please visit www.qualys.com.