Updating systems on a regular basis is one of the best lines of defense against cyberattacks, but many companies are still struggling to effectively do patch management.
According to a study conducted by ServiceNow and the Ponemon Institute, of the nearly half of respondents who had a data breach in the past two years, 60% believe that those breaches could have been the result of a system with a known vulnerability not having been patched. In addition, 62% weren’t aware prior to the breach that their organizations were even vulnerable.
Even for major vulnerabilities, like EternalBlue, which is the exploit behind the WannaCry ransomware, companies haven’t applied the fix in a timely manner — if at all. A report from security company Armis found that 30% of all ransomware attacks use WannaCry, and 145,000 devices are still affected.
“The notion of patching has been around for a long time and one would think we have solved this problem, or at least feel like we did. Yet this problem remains at the heart of so many breaches and security events,” said Brandon Hoffman, CISO and head of security strategy at operations intelligence platform provider Netenrich.
It’s critical to keep your open-source components up to date and secure
What organizations need to know about IT security risk management
Report: IT security is becoming too complex to manage
There are a number of challenges that companies face when it comes to staying on top of patches, but they aren’t impossible to overcome.
One major challenge is that keeping systems up-to-date requires cooperation from a number of different teams. According to Barbara Kay, senior director of security and risk at ServiceNow, security and operations teams must work together to prioritize vulnerabilities and identify fixes for them. The patching lead within IT also has to consult with asset owners to agree when and what to patch. And after a patch, security teams need to reconnect with IT teams to confirm that a vulnerability has been patched so that they can close out their incidents.
Kay explained that this back and forth often takes place across email, Slack, and spreadsheets. A more effective way of doing this would be to replace those channels with automated workflows, she said.
Brad Pollard, CIO of vulnerability management solution provider Tenable, agreed that a partnership between operations and security teams should be the first step in creating an effective patch management program. “Constant communication with regard to asset inventory, assessment results and definitive action to remediate the most severe vulnerabilities is essential,” he said.
Pollard recommends operations teams set up SLAs for vulnerability management, while security teams set up escalation paths for instances where those SLAs are not met. Beyond that, companies should have an issue-tracking system that helps determine what needs to be done and the status of those actions.
A major challenge that companies face when trying to stay on top of patches is that they don’t have a good understanding of what machines they actually have. This problem has only gotten more difficult to solve as companies shift to remote work, Ken Galvin, senior product manager for Unified Endpoint Management at Quest Software, explained.
Even if a company has a complete picture of their assets, they might not have a complete picture of what exactly is vulnerable. “Many companies don’t have the tools they need to adequately understand their exposure. These companies lack configuration and vulnerability management capabilities necessary to keep systems patched,” said Pollard.
According to Galvin, most successful attacks use known vulnerabilities that have already been patched by the software vendors. “This means that most successful attacks, such as WannaCry, can be stopped just by knowing what’s out there and making sure it’s patched,” he said.
Organizations need to stay on top of their assets and always have an up-to-date infrastructure and application map, said Kay. This involves doing regular assessment of both assets and vulnerabilities. Kay cautions against relying on a batch scan only once a month.
Once a company has regular assessments and has a clear picture of what assets and vulnerabilities they’re working with, they can define specific maintenance windows for applying patches to servers, as well as set up policies and enforcement rules for endpoints, Pollard said.
Galvin added: “For complete asset and device management, organizations should be identifying patches and firmware updates, and integrating with their current system architecture. To ensure everything is up to date, be sure to integrate vulnerability and patch scanning practices with accurate and flexible discovery methods and asset management protocols. If you don’t know what devices you have accessing the network, you cannot manage them.”
Vulnerability Overload and Prioritization
Pollard also added that companies often struggle with “vulnerability overload.” There might be hundreds or thousands of vulnerabilities present in an environment, and IT and security teams might not have actionable insight into which ones pose the most risk to the business. “As a result, traditional vulnerability management becomes a guessing game,” said Pollard.
According to Netenrich’s Hoffman, there are a number of considerations for assessing risks: possible exposure of a system, downtime, ability for an attacker to abuse a vulnerability, and popularity of a vulnerability.
“This context can all be assembled, correlated, and scored by a machine, making it painless, fast, and accurate. When the next Patch Tuesday or zero-day comes out, you can quickly factor severity against internal context so you know what needs to happen urgently, and what can wait,” said Kay.
Lack of tooling
Finally, another issue is that companies might lack the policies, procedures, and tools needed to actually patch these systems, Pollard explained. A company might have a range of assets, from laptops to mobile devices to servers, to IaaS assets, and each of these assets require specialized tooling for patching, he added.
Pollard said that getting the necessary tools requires buy-in and support from upper-level management. “The most critical aspects for companies to successfully keep vulnerable systems patched are awareness and culture,” he said. “An executive understanding that keeping systems up-to-date is a priority, and essential in keeping the technology environment secure. Without support from the very top, IT and security practitioners have a difficult time in both securing the tools needed to perform the required tasks, and in being able to enforce patching policies and necessary maintenance windows.”