- Trend Micro warned that a growing number of incomplete or faulty patches could be costing organizations upwards of $400,000 per update.
- The growing reluctance among vendors to deliver authoritative information leaves network defenders unable to accurately calculate the risk.
- Trend Micro stated that it is not uncommon for patch costs within medium-to-large enterprises to exceed six figures every month.
The cybersecurity company, Trend Micro warns of a decline in the quality of security patches that can cost organizations upwards of $400,000 per update. Trend Micro’s Zero Day Initiative announced the policy change that aims to address the decline in quality of patches and vendor communication with customers at Black Hat USA 2022. You can take a look at the details of the policy changes on the ZDI’s blog post.
Incomplete or faulty patches
Zero Day Initiative announced their findings about the reasons behind the faulty or incomplete patches. According to the company, there are three primary issues:
- Due to flawed vendor practices, enterprises no longer have a clear view of the true risk to their networks.
- Due to incomplete and faulty updates, enterprises spend additional time and money patching what they’ve already patched.
- Due to falsely believing remediation has occurred, a failed patch results in more risk than no patch at all.
These can cause the cost of patching to multiply because additional corrective updates will be required to address a vulnerability, which leads to wasting resources and adding risk. Also, the reluctance among organizations to deliver authoritative information about the patches prevents network defenders from accurately gauging their risk exposure.
Thus, ZDI decided to change its disclosure policy for patches with issues. The standard 120-day timeline will be reduced for bugs believed to be the result of a bypassed security patch, as follows:
- 30 days for the most Critical-rated cases where exploitation is expected
- 60 days for Critical- and High-severity bugs where the Patch offers some protections
- 90 days for other severities where no imminent exploitation is expected
Trend Micro calculated the cost of faulty patches with a formula, which includes time spent on patch management, human resources costs needed for patch management specialists, scope defining the number of applications to be patched, and patch frequency, which can be every 2-3 week for some applications.
Can cost more than $100,000 every month
According to the calculation, the patch costs of medium-to-large organizations can be more than $100,000 every month. Also applying multiple updates for the same vulnerability can cost time and money while exposing to unneeded risk. To better understand and mitigate these risks, Trend Micro recommends that organizations:
- Develop rigorous asset discovery and management programs
- Wherever possible, vote with their wallets for the most trustworthy vendors
- Conduct risk assessments that go beyond Patch Tuesday; for example, by monitoring for patch revisions and closely observing for changes to the threat landscape
Brian Gorenc, senior director of vulnerability research and head of the ZDI said,
« The ZDI has disclosed over 10,000 vulnerabilities to vendors since 2005, but we’ve never been more concerned about the state of security patches across the industry. Vendors that release inadequate patches with confusing advisories are costing their customers significant time and money and adding unnecessary business risk. »