Despite the best efforts of software vendors, vulnerabilities continue to be discovered. To address them, some vendors issue patches at regular intervals (e.g., monthly, as in the case of Microsoft) while others have more informal release schedules. Although not all vulnerabilities are equally severe, and many may not be easily exploitable, some create considerable risk. Vendors almost always prioritize remediating high-severity vulnerabilities and—in extreme cases—may even issue patches outside of the normal release cadence. The cyclical nature of vulnerability discovery and the inevitable patch gap makes vulnerability management an ongoing operational concern for organizations, as well as a significant part of larger cybersecurity initiatives like attack surface management (and reduction) and cyber resilience.
What is the Patch Gap?
Broadly, the Patch Gap refers to the time between the discovery of a vulnerability and the time that vulnerability is remediated (usually by installation of a patch, but sometimes with other measures like configuration changes). More practically, the Patch Gap is composed of three discrete periods:
- The time between vulnerability discovery and disclosure to the affected vendor – This period corresponds to the definition of “zero day” and it marks the beginning of exposure to exploitation—which can range from very high to vanishingly low—since the details of the vulnerability are known only to the researcher, who may be an adversary. Depending on a variety of factors, this period can span days, weeks, months, or even years.
- The time between disclosure to the vendor and the development and release of a patch – During this period, the vulnerability becomes an “N-day”. According to some estimates, it takes vendors an average of 9 – 15 days to develop a patch (although the actual release may take longer and, though it currently averages a little over 50 days, it is still somewhat unpredictable). It is also during this period that exposure to exploitation spikes since adversaries have new information to help jumpstart exploit development.
- The time between the release of a patch and its installation on all affected systems – Once patch rollout begins, exposure to exploitation begins to taper, although the rate at which it does also depends on many different factors and will also vary between organizations.
The impact of patching on IT and cyber security teams
In addition to the increased risk organizations experience throughout the patch gap, there is also an opportunity cost for IT teams. Because they must focus on tasks like compatibility testing and getting software updates installed (especially when the urgency is high due to in-the-wild exploits), they are—by definition—unable to focus on other initiatives.
But even that effort may not provide the level of attack surface reduction that organizations expect. According to analysis by Google, 50% of zero days exploited in the first six months of 2022 were “variants of previously patched vulnerabilities” meaning that the patch(es) did not completely remediate underlying vulnerabilities.
Stopping cyber attacks during the patch gap
Seraphic Security prevents zero day and unpatched N-day browser exploits with a unique approach to virtual patching. This affords organizations an unprecedented level of protection, buying precious time and enabling more efficient allocation of resources during periods of uncertainty and high risk. To learn more about how we stop attacks that others cannot, schedule a demo or visit our Product page.