Patch management plays a critical role in minimizing security risk for enterprise information technology systems. However, according to Tripwire's study, half of the respondents admitted there are times their teams struggle to keep up with, or find themselves completely overwhelmed by, the volume of patches.
"The relationship between patches and vulnerabilities is far more complex than most people think," said Tim Erlin, director of IT risk and security strategist for Tripwire. "Sometimes patches fix multiple vulnerabilities on specific platforms, but not others. There can be confusion between patches and upgrades, or patches and upgrades may address different, but overlapping sets of vulnerabilities. As the complexity of patch management continues to evolve, it has become more difficult for enterprise patch management teams to achieve and maintain a fully patched state."
Additional findings from the study include:
- Fifty percent of respondents believe that client-side patches are released at an unmanageable rate.
- Fifty percent feel their IT teams don't understand the difference between applying a patch and remediating a vulnerability.
- At least some of the time, 67 percent said they have difficulty understanding which patch needs to be applied to which system.
- Eighty-six percent said embedded products such as Adobe Flash patches released with Google Chrome updates make it more difficult to understand the impact of a patch.
"When we began this research, we expected patch fatigue to affect a small portion of the industry," said Tyler Reguly, manager of Tripwire VERT. "Instead, we discovered that it is a broad, sweeping issue affecting a wide range of organizations."