Cybersecurity company Trend Micro has issued a warning stating that an increasing number of inadequate or flawed patches may wind up costing enterprises up to $400,000 every update. Since 2005, Trend Micro’s Zero Day Initiative (ZDI) has informed manufacturers of over 10,000 vulnerabilities, but they’ve never been more worried about the state of security patches across the industry.
“The ZDI has disclosed over 10,000 vulnerabilities to vendors since 2005, but we’ve never been more concerned about the state of security patches across the industry,” said Brian Gorenc, Senior Director of Vulnerability Research and Head of the ZDI. “Vendors that release inadequate patches with confusing advisories are costing their customers significant time and money and adding unnecessary business risk.”
The ZDI has identified three main issues brought on by patch releases from vendors that are flawed or otherwise lacking:
- Enterprises no longer have a clear understanding of the real danger to their networks as a result of subpar vendor behavior
- Enterprises have to spend more time and money patching what they’ve already patched because of incomplete and flawed upgrades
- A failing patch would pose a greater risk than not applying one at all since users may believe remediation has already taken place
Because further, corrective updates are needed to fully address a single vulnerability in these instances, the cost of patching is essentially multiplied according to Trend Micro, wasting resources and increasing risk.
Network defenders would also be unable to appropriately assess their risk exposure due to a rising unwillingness among vendors to offer authoritative information on fixes in clear English.
Therefore, in an effort to promote improvements across the sector, the ZDI is modifying its disclosure policy for ineffective patches. For issues thought to be caused by a security patch bypass, the usual 120-day timeline will now be shortened as follows:
- 30 days for instances with the highest Critical ratings where exploitation is anticipated
- 60 days for defects with a Critical or High severity for which the Patch provides some safeguards
- 90 days for other severities where there isn’t a chance of exploitation right away
Patches may unintentionally enhance risk by making threat actors aware of the underlying vulnerability, even when they are well designed and developed. The time-to-patch for few organizations is shorter than the time-to-exploit. According to Trend Micro, the chance of compromise increases when patches are incorrect or insufficient.
Although patch prices vary by business, Trend Micro used the following calculation to determine how much defective patches cost: Total expenses equals f (T, HR, S, and PF), where T is Time spent managing patches, HR (Human Resources costs), S (scope determining the amount of apps to be patched), and PF (patching frequency), which for some applications can be every two to three weeks.
Patch expenditures within medium- to large-sized businesses can surpass six figures each month. Applying repeated updates for the same vulnerability costs organizations time and money while exposing them to unnecessary risk, regardless of the method used to compute patch expenditures.
Trend Micro suggests that businesses do the following to better comprehend and reduce these risks:
- Create rigourous asset management and discovery programs
- Vote with their cash whenever feasible to support the most reliable vendors
- Conduct risk analyses that go beyond Patch Tuesday, such as by keeping a watchful eye out for changes to the threat landscape and keeping track of patch updates
