Patch management can be among the most cumbersome activities on a security practitioner’s list. But it’s also one of the most critical. The big question is how to address patching without needing constant manual work – and without overhauling existing network architecture. In a recent webinar, Eran Livne (Senior Director of Product Management for Endpoint Remediation at Qualys) and Jeremy Herzog (Director of Security Design and Integration at Nuspire) answered that question and more. Read on to get their insights.
According to a Qualys study, 25,000 new vulnerabilities were added to the threat landscape in 2022.
“What’s interesting about this data is that only about 8,000 of those 25,000 vulnerabilities were exploited,” said Eran. “Even more interesting is that only 159 of those spurred the creation of malicious code that could be weaponized for use by threat actors.”
According to Eran, this data shows the importance of prioritization when it comes to patching because not all vulnerabilities will rise to the level of causing damage to your organization. Prioritization is critical when you consider a Ponemon study that found 57% of cyberattack victims report that their breaches could have been prevented by installing an available patch, and 34% of those victims knew of the vulnerability but hadn’t taken action.
According to Qualys’ research, it takes 19.5 days for a vulnerability to be weaponized; however, these threats don’t get remediated for 30 days, leaving approximately 11 days for threat actors to exploit the vulnerability.
The most-weaponized vulnerabilities were in Microsoft Windows and Google Chrome, which are common and easy to patch. But threat actors are also diversifying beyond these common vulnerabilities. One example is initial access brokers (IABs), who exploit vulnerabilities to create a tunnel into the target environment and then sell that access to other threat actors, who apply their own attack methods depending on their goals.
According to Eran, the vulnerabilities IABs exploit are more complicated to patch than the Microsoft and Chrome vulnerabilities and, on average, take a staggering 28 extra days to remediate.
Automation is essential in addressing the volume of patches organizations face today. In fact, when automation is used, organizations see an 89.5% improvement in patching rates and a 43% improvement in the mean time to remediation (MTTR) speed.
Eran advises starting with low-hanging fruit, such as Microsoft, Adobe, Apple, Google, Firefox and other vulnerabilities that are relatively easy to patch (and don’t risk causing significant business disruption when implementing a code change).
“It’s about taking a smart automation approach,” said Eran. “Automate where there’s the most risk from a security perspective and where it makes sense from an operational perspective.”
And according to Eran, adding automation doesn’t require “rip and replace”; instead, it complements whatever an organization already has in place. Once the automation is in place, it can dramatically improve an organization’s ability to patch effectively, so much so that an exploitation opportunity can often be removed entirely before it can even be weaponized.
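The "smart automation" rule above (automate where security risk is highest and operational risk is lowest, starting with the easy-to-patch vendors) can be turned into a simple triage model. The following is an added example, not code from Qualys or Nuspire; the inventory, the scoring weights, the vendor list (with Mozilla standing in for Firefox) and the disruption scale are all assumptions made for illustration:

```python
from dataclasses import dataclass

@dataclass
class Finding:
    """One vulnerability on one asset class; all sample values below are constructed."""
    vuln_id: str      # placeholder identifier, not a real CVE
    vendor: str
    exploited: bool   # exploitation observed in the wild
    weaponized: bool  # malicious code built around it
    days_open: int    # days since disclosure without a patch applied
    disruption: int   # business-disruption risk of patching, 1 (low) to 5 (high)

# Vendors the webinar calls "low-hanging fruit": frequent, well-tested patches (assumed list).
EASY_VENDORS = {"Microsoft", "Adobe", "Apple", "Google", "Mozilla"}
WEAPONIZE_DAYS = 19.5  # average days to weaponization cited above (Qualys figure)

def security_score(f: Finding) -> int:
    """Higher means patch sooner; the weights are an assumption for illustration."""
    score = 1
    if f.exploited:
        score += 2
    if f.weaponized:
        score += 4
    if f.days_open >= WEAPONIZE_DAYS:   # already past the average weaponization window
        score += 1
    return score

def automate(f: Finding) -> bool:
    """Automate where the patch is routine (easy vendor) and operational risk is low."""
    return f.vendor in EASY_VENDORS and f.disruption <= 2

def plan(findings: list[Finding]) -> list[tuple[str, int, str]]:
    """Rank by security score, then least disruptive, then longest open."""
    ranked = sorted(findings, key=lambda f: (-security_score(f), f.disruption, -f.days_open))
    return [(f.vuln_id, security_score(f), "auto" if automate(f) else "manual") for f in ranked]

def exposure_window(remediation_days: float) -> float:
    """Days between average weaponization and remediation (30 days in the article)."""
    return max(0.0, remediation_days - WEAPONIZE_DAYS)

SAMPLE = [  # constructed inventory; "ExampleERP" is a hypothetical line-of-business vendor
    Finding("VULN-A", "Microsoft", True, True, 25, 1),
    Finding("VULN-B", "ExampleERP", True, True, 40, 5),
    Finding("VULN-C", "Google", True, False, 10, 1),
    Finding("VULN-D", "Adobe", False, False, 5, 2),
    Finding("VULN-E", "ExampleERP", False, False, 30, 4),
]

if __name__ == "__main__":
    for row in plan(SAMPLE):
        print(row)
    print("exposure window (days):", exposure_window(30))
```

The two weaponized findings rank first regardless of vendor, but only the Microsoft one is a candidate for unattended patching; the high-disruption ERP finding stays in the manual change-control queue.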
Many organizations still use a completely manual approach to patching, which can make it next to impossible to patch every vulnerability coming their way. As evidenced in the Ponemon study, a large percentage of breaches could’ve been prevented by an available patch – and while we don’t know the specifics of those breaches, we can surmise it probably had to do with the following challenges that come with manual patching:
Given the challenges that accompany patch management, organizations often opt to get third-party help from managed security service providers (MSSPs). Jeremy provided his perspective on what that process looks like.
“To get the most bang for your buck when it comes to your patch management program and leveraging a third party to help, the key is identifying areas that will have the biggest impact on improving your patch management program,” Jeremy said.
1. Technical data gathering
The first step Jeremy takes when working with clients is to conduct a thorough asset inventory, where he catalogs an organization’s software and researches where vulnerabilities exist. This is also where service providers can help with automation. They can identify the applications that make the most sense to automate, those with the most security risk and the least business risk in terms of disruption.
“People use service providers because they’re able to provide a tested patch management structure and process,” Jeremy said.
2. Build, test and deploy
In this step, the service provider deploys vulnerability management and patching agents, conducts an initial review, prioritizes top security patches, and configures first-priority patches.
“This is all about marrying vulnerability data with vulnerability fixes,” said Jeremy. “A service provider can do all this for the client, simplifying the process significantly.”
3. Test and turn-up
During this step, the service provider reviews the schedule and cadence for patching windows, finalizes the cadence and schedule for patch delivery, reviews and monitors patching runs and scheduled times for failures and items that need action, and creates business processes around patch management.
This is the goal of every service provider engagement: the client has established a regular cadence in which patches are implemented inside the change control window. It also includes a periodic review of patch status in concert with a review of vulnerability data, as well as action plans to remedy any issues identified.