Trend Micro Incorporated estimates that an increasing number of incomplete or faulty patches released by vendors could cost companies more than $400,000 per update.
Speaking at Black Hat USA 2022, Trend Micro representatives engaged in the Zero Day Initiative (ZDI) program announced policy changes aimed at addressing the significant decline in patch quality and communication between security providers and their customers.
Brian Gorenc, senior director of vulnerability research and head of ZDI, is blunt: “The ZDI program has disclosed over 10,000 vulnerabilities to vendors since 2005. However, we have never been more concerned about the status and quality security patches on the market. Vendors that release unsuitable versions with poorly written reviews waste a lot of time and therefore money for their customers and add unnecessary exploitation risks. »
The Zero Day Initiative has identified three major issues with vendors releasing inappropriate or incomplete patches:
1. Due to flawed security vendor practices, organizations no longer have a clear view of the real risk to their networks and equipment.
2. With incomplete or non-performing updates, companies spend more time and money fixing what they have already addressed.
3. Because they mistakenly believe that the correction has taken place, companies are at higher risk. A poorly designed patch is ultimately more risky than no patch at all.
These scenarios effectively multiply the cost of remediation as additional updates are required to address the same vulnerability, wasting business resources and inducing additional risk.
In addition, the growing reluctance of security vendors to provide their customers with reliable patch information, written in plain language, prevents network protectors/defenders from accurately assessing their risk exposure.
The Zero Day Initiative is therefore modifying its policy of disclosing patches deemed ineffective with the aim of bringing improvements to the community of users of digital services. Going forward, the standard 120-day time frame will be reduced for bugs/vulnerabilities believed to be the result of bypassing a security patch, as follows:
30 days for the most critical cases where exploitation is expected,
60 days for critical and high severity bugs for which the patch offers some protections,
90 days for other severity levels where no imminent exploitation is expected.
30 days for the most critical cases where exploitation is expected,Even when patches are properly designed, they can unintentionally increase risk by alerting threat actors to the underlying vulnerability. Few organizations have a patching time that is shorter than the operating time. When the patches are incomplete or defective, the risk of compromise is therefore multiplied.
Although the cost of patches differs between companies, Trend Micro applies the following formula: Total costs = f (T, HR, S, PF).
T is the time devoted to patch management, HR represents the cost of the human resources necessary for patch management specialists, S is assimilated to the perimeter defining the number of applications to be patched and PF represents the patch frequency, which may be every 2 or 3 weeks for some applications.
It is not uncommon for the cost of patches in medium and large companies to be calculated each month in tens or even hundreds of thousands of euros. _ Regardless of the formula used to calculate patching expenses, applying multiple patches for the same vulnerability is likely to cost organizations time and money, while exposing them to unnecessary risk.
To better understand and mitigate these risks, Trend Micro recommends that organizations:
Develop rigorous asset detection and management programs.
Take a position, as far as possible, by choosing security solutions from suppliers deemed to be the most reliable.
Regularly perform risk assessments that go beyond Patch Tuesday, such as monitoring patch revisions and closely observing changes in the cyber threat realm.
Learn more about ZDI’s policy changes: https://www.zerodayinitiative.com/b…
#Cybersecurity #0Day #ZeroDay #ZeroDayInitiative