Today is patch Tuesday. A group of major software vendors released 567 patches.
Microsoft released patches for 113 vulnerabilities.
Oracle released patches for 405 vulnerabilities.
SAP, Intel, Adobe and VMWare accounted for another 49.
If you read last week’s post on the 24/72 metric, this means that you have to apply 500+ patches in less than 72 hours.
THIS IS NOT POSSIBLE.
Of course you have to review those 567 patches to figure out which ones are important, since you can’t install them all and don’t want to create that level of instability.
What this means, however, is that you have to create a process. That process takes human bandwidth, which everyone, of course, has extra. NOT!
Remember that the 567 number does not include line-of-business vendors, or likely many smaller vendors.
Hopefully you are not an Oracle customer (sorry Oracle). If you are not, that greatly reduces that number THIS MONTH.
This is a major task to do month in and month out.
Even if you are not going to “go for” the 24/72 hour number, every organization should come up with a plan – whatever that plan is – and review it with management so that they understand and accept the risk. (For those that didn’t read last week’s post, the standard now is 24 hours to deploy zero-day patches and 72 hours for the rest, because hackers start to weaponize these bugs in 7 days – so you have, on average, half that time to stop them.)
While this is not IT’s FAULT, this one is IT’s PROBLEM to fix.
Management needs to own the risk, however, since you can deal with it – at a cost of either not doing other tasks or adding resources.
As a side note, this is one huge benefit of cloud-based software as a service. You don’t have to worry whether Netflix or Facebook or Google have deployed their patches because you have outsourced that problem to them. You do need to include that subject in your vendor cyber risk management questionnaires, of course.
Source: Dark Reading