Mind the Patch Gap

The Patch Gap

It's time to discuss something that tends to be overlooked in an organisation's cyber defences: what the industry calls the "Patch Gap". This is the time between a CVE becoming known and a patch being available, and the point at which that patch is actually applied. This number is very important, as it represents a window left open to every attacker, and because the weakness is a published CVE, it usually comes with a convenient "how-to guide" readily available.

Being an industry that loves an acronym, we are going to talk a bit about MTTR, Mean Time To Remediation. A study will typically break this down further, as not all CVEs are rated the same or are equally time-critical to remediate. According to one study that did so (Days needed to patch digital vulnerabilities by severity 2023 | Statista), Critical and High rated CVEs were typically patched in between 88 and 82 days, whilst Low rated vulnerabilities took close to 10 months.

The MTTR also varies depending on the size of the organisation, the industry it is in, and whether the affected application is internet-facing or internal. This is a great report that combines a few different statistics: 25+ Cyber Security Vulnerability Statistics and Facts of 2024 (comparitech.com).

Why does the time it takes to apply patches matter? Let's look at a list of the top 10 exploited vulnerabilities (up until the end of 2023) compiled in Top 10 Exploited Vulnerabilities in 2024 [Updated] (getastra.com):

List of Top 10 Exploited Vulnerabilities

  1. ZeroLogon (CVE-2020-1472)
  2. Log4Shell (CVE-2021-44228)
  3. ICMAD (CVE-2022-22536)
  4. ProxyLogon (CVE-2021-26855)
  5. Spring4Shell (CVE-2022-22965)
  6. Atlassian Confluence RCE (CVE-2022-26134)
  7. VMware vSphere (CVE-2021-21972)
  8. Google Chrome Zero-Day (CVE-2022-0609)
  9. Follina (CVE-2022-30190)
  10. PetitPotam (CVE-2021-36942)

Zerologon has been around since 2020, Log4Shell late 2021. Patches have been available for a very long time. But the MTTR shows that whilst some organisations may be very good and fast at patching critical vulnerabilities, others are not, and attackers are targeting them.

This Patch Gap is going to become a bigger problem for organisations as stricter requirements and frameworks are introduced. We are already seeing key cyber security frameworks push for Critical and High CVEs to be patched or mitigated within hours where possible. Look at the requirements of NIST CSF and PCI DSS v4. In my own native Australia, the Essential 8 and the AESCSF call for Critical or High risk CVEs to be mitigated or patched within 48 hours.
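To make the MTTR discussed above and the 48-hour window these frameworks call for concrete, here is an added example (not code from this article or from Innoculator) that measures the patch gap per finding, reports MTTR by severity, and flags findings that breached the SLA. The record fields, the constructed sample data and the reporting date are assumptions; the SLA table maps the 48-hour figure to two days.

```python
from datetime import date
from statistics import mean

# Constructed sample findings (illustrative placeholders, not real inventory data).
# "patch_available": date the vendor fix was released.
# "remediated": date the asset was actually patched, or None if still open.
SAMPLE_RECORDS = [
    {"id": "vuln-A", "severity": "Critical", "patch_available": "2024-01-02", "remediated": "2024-01-03"},
    {"id": "vuln-B", "severity": "Critical", "patch_available": "2024-01-10", "remediated": "2024-03-10"},
    {"id": "vuln-C", "severity": "High",     "patch_available": "2024-02-01", "remediated": "2024-02-02"},
    {"id": "vuln-D", "severity": "Critical", "patch_available": "2024-03-03", "remediated": None},
    {"id": "vuln-E", "severity": "Low",      "patch_available": "2024-01-01", "remediated": "2024-10-28"},
]

# Constructed reporting date: open findings accrue gap up to this day.
AS_OF = date(2024, 4, 1)

# 48-hour remediation window for Critical/High, expressed in whole days.
# Lower severities carry no SLA in this example.
SLA_DAYS = {"Critical": 2, "High": 2}


def patch_gap_days(record, as_of=AS_OF):
    """Days from fix availability to remediation; an open finding counts up to as_of."""
    avail = date.fromisoformat(record["patch_available"])
    done = date.fromisoformat(record["remediated"]) if record["remediated"] else as_of
    return (done - avail).days


def mttr_by_severity(records, as_of=AS_OF):
    """Mean patch gap in days per severity, i.e. MTTR broken down the way the studies do."""
    gaps = {}
    for r in records:
        gaps.setdefault(r["severity"], []).append(patch_gap_days(r, as_of))
    return {sev: mean(days) for sev, days in gaps.items()}


def sla_breaches(records, as_of=AS_OF, sla_days=SLA_DAYS):
    """IDs of findings whose gap exceeds the SLA for their severity, open ones included."""
    return [r["id"] for r in records
            if r["severity"] in sla_days and patch_gap_days(r, as_of) > sla_days[r["severity"]]]


if __name__ == "__main__":
    for sev, days in mttr_by_severity(SAMPLE_RECORDS).items():
        print(f"MTTR {sev}: {days:.1f} days")
    print("SLA breaches:", sla_breaches(SAMPLE_RECORDS))
```

Counting open findings against the reporting date matters: a Critical finding with no remediation date is the widest part of the gap, not a missing data point.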

But how are organisations going to meet this challenge? It is fairly safe to assume that the MTTR is what it is not by choice. Organisations have processes to follow, and patches have been known to break things, so they are in a very difficult, if not impossible, position: balancing the need for protection against the need to minimise or eliminate any risk to the business.

This is another area where Innoculator can help. Virtual patching is a recognised mitigation that can be put in place very quickly without breaking your workloads, whilst massively reducing your MTTR from today's average of two and a half months to just hours.