For security teams, managing vulnerabilities is a necessary task. Everyone in IT knows how critical patches are to prevent breaches, and we have days every month devoted to the latest slew of updates from major vendors. We can set our calendars by them.
Yet patching well is still hard for many enterprise IT teams, and there are still problems to overcome in practice.
The first problem in patch management is not any individual patch but the volume of issues that now come through. Looking at CVE software vulnerability release data, there were 18,325 issues made public in 2020, while 2021 has already seen 14,525 in nine months. Each of these will vary in severity, in how widely the affected software is deployed, and in whether it appears in your own IT asset inventory at all.
While some patches cover issues in very niche products, others will be widespread and have a global impact. However, you can’t be sure that everything is up to date and secure without a complete and accurate inventory of IT assets that shows which patches are needed and where they still have to be deployed. Your patching strategy is only effective if you have complete visibility; otherwise, you can’t prioritize when it matters.
To solve this, look at how you record your asset inventory and ensure it covers every IT asset, from desktops and mobile phones to cloud implementations, containerized applications, and other devices connected to the Internet of Things or operational technology networks. Anything that can be connected to your network, or that is used by an employee for work, should be on that list. Once you have this, these assets and patches can then be prioritized accordingly.
The second issue to look at is the patching process itself. While your security team may do a great job of notifying the business when patches are needed, they will usually not carry out the patching themselves. That work is delegated to another team or individual, and it is up to them to put the patch in place promptly.
If you don’t have insight into their patching process, then make gaining it a priority. This will show you where their effort goes and which KPIs or SLAs they are measured against. If those SLAs are the issue — for example, they are measured on the uptime of assets, and patching puts a dent in that — then work with them to change the SLA so that timely patching counts in their favour rather than against them.
The third problem that commonly affects organizations around patching is when the team responsible for managing those assets is outsourced. Outsourcers work to a specific contract, and they can be doing exactly the job they were brought in to do even though it leaves gaps in security. Those companies will have their own change management processes for patches to go through and their own metrics and SLAs in place. A contract with inadequate service definitions increases risk, while poorly configured change management can mean more time spent on approvals than on getting patches out and applied.
This is another case where getting security involved early in the procurement process can save time and reduce risk overall. By understanding how these outsourced teams will operate — and how their success will be measured — you can work with them more effectively. If possible, you can also ensure that their scope of work is correct and that their SLAs are designed to promote efficient patching.
Automating the patch process where possible is another good way to streamline things. Rather than relying on manual work, automation can route patches based on their severity, priority, product and deployment window. Simple issues in non-critical applications, or patches from vendors you already trust such as iTunes or Google Chrome, can be applied automatically. More critical patches that need testing can be tested first and then rolled out automatically across systems. Similarly, vulnerabilities with known exploits or active ransomware campaigns against them can be pushed to the front of the queue, with automation used to ensure patches are in place as soon as possible.
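The inventory check and the severity-based routing described above, as a small worked example. This is an added illustration, not code from the article or from Qualys: the asset list, the advisory identifiers (ADV-…), the CVSS scores, the trusted-vendor list and the SLA day counts are all constructed and hypothetical. It compares installed versions in a constructed inventory against a constructed advisory feed, flags assets with no inventory at all (the visibility gap), routes each missing patch to a deployment track and reports which items are past their SLA date.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Asset:
    name: str
    kind: str               # desktop, server, container, IoT/OT device ...
    software: dict          # product -> installed version; empty means "not inventoried"
    critical: bool = False  # business-critical, so changes need a test cycle


@dataclass
class Advisory:
    id: str
    product: str
    fixed_version: str
    cvss: float
    known_exploited: bool = False  # exploit or ransomware activity reported


# Hypothetical policy: vendor updates for these products are trusted enough to
# apply on non-critical assets without a separate test cycle.
AUTO_APPLY = {"Google Chrome", "iTunes"}

# Hypothetical SLA: days allowed from advisory publication to deployment, per track.
SLA_DAYS = {"emergency": 2, "auto-apply": 7, "test-then-deploy": 14, "scheduled": 30}
TRACK_ORDER = ["emergency", "test-then-deploy", "auto-apply", "scheduled"]


def version_key(v: str):
    """Compare dotted numeric versions component by component (no letter suffixes)."""
    return tuple(int(part) for part in v.split("."))


def uninventoried(assets):
    """Assets with no recorded software cannot be assessed: that is a visibility gap."""
    return [a for a in assets if not a.software]


def find_missing(assets, advisories):
    """Yield (asset, advisory) for every installed version below the fixed version."""
    for asset in assets:
        for adv in advisories:
            installed = asset.software.get(adv.product)
            if installed is not None and version_key(installed) < version_key(adv.fixed_version):
                yield asset, adv


def track(asset, adv):
    """Route one missing patch to a deployment track (order of checks matters)."""
    if adv.known_exploited or (adv.cvss >= 9.0 and asset.critical):
        return "emergency"
    if adv.product in AUTO_APPLY and not asset.critical:
        return "auto-apply"
    if adv.cvss >= 7.0 or asset.critical:
        return "test-then-deploy"
    return "scheduled"


def plan(assets, advisories, published):
    """Build the work list, most urgent first, with an SLA due date per item."""
    work = []
    for asset, adv in find_missing(assets, advisories):
        t = track(asset, adv)
        work.append({"asset": asset.name, "advisory": adv.id, "track": t,
                     "due": published + timedelta(days=SLA_DAYS[t])})
    work.sort(key=lambda w: (TRACK_ORDER.index(w["track"]), w["asset"]))
    return work


def overdue(work, today):
    """Items past their SLA date: the metric to review with whoever owns deployment."""
    return [w for w in work if w["due"] < today]


# Constructed sample data; none of these assets or advisories are real.
ASSETS = [
    Asset("ws-01", "desktop", {"Google Chrome": "94.0.4606.54", "iTunes": "12.12.0.6"}),
    Asset("db-01", "server", {"AcmeDB": "5.7.35"}, critical=True),
    Asset("web-02", "server", {"AcmeDB": "5.7.36", "Google Chrome": "94.0.4606.81"}),
    Asset("pos-07", "iot", {}),  # connected to the network, never inventoried
]
ADVISORIES = [
    Advisory("ADV-001", "Google Chrome", "94.0.4606.81", 8.8, known_exploited=True),
    Advisory("ADV-002", "iTunes", "12.12.1.1", 6.5),
    Advisory("ADV-003", "AcmeDB", "5.7.36", 7.5),
]
DEMO_PUBLISHED = date(2021, 10, 1)
DEMO_TODAY = date(2021, 10, 5)

if __name__ == "__main__":
    for a in uninventoried(ASSETS):
        print(f"no inventory for {a.name} ({a.kind}): cannot assess")
    work = plan(ASSETS, ADVISORIES, DEMO_PUBLISHED)
    late = overdue(work, DEMO_TODAY)
    for w in work:
        flag = " OVERDUE" if w in late else ""
        print(f'{w["track"]:17} {w["asset"]:7} {w["advisory"]} due {w["due"]}{flag}')
```

With the constructed data, the exploited Chrome flaw on the workstation lands in the emergency track and is already past its two-day SLA, the database patch on the critical server goes through the test-then-deploy track, the iTunes update is auto-applied, and the point-of-sale device shows up only as an inventory gap. The thresholds are deliberately simple; a real policy would also weigh exposure (internet-facing or not) and the change windows agreed with the deployment team.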
Patching is essential, but more patches will be due every month, and out-of-band releases for actively exploited flaws will keep adding to the load. Good processes and effective metrics make patching more effective, reduce risk, improve security and make life easier for everyone. To get there, build a patching cycle that continuously updates your inventory, manages priorities and delivers updates, rather than dealing with each patch one at a time.
Paul Baird Chief technical security officer, Qualys