These days, it rarely takes more than a couple of hours from the discovery of an operating system or application vulnerability for an exploit to emerge. Unsurprisingly, many organizations—both large and small—are struggling to keep up with the seemingly never-ending stream of new patches and updates they must install to stay safe.
Those who fail to keep their systems and applications up to date can face severe consequences as unpatched organizations are gold mines for profit-seeking hackers. According to a ServiceNow study conducted by the Ponemon Institute, 57 percent of cyberattack victims reported that their breaches could have been prevented by installing an available patch. What’s perhaps even more alarming is the fact that 34 percent were already aware of the vulnerability before they were attacked.
In other words, one third of all organizations know about unpatched vulnerabilities but are unable to act in a timely manner because of poor patch management. That’s simply unacceptable in the era of pre-packaged exploit services, and the only effective solution is the implementation of a streamlined patch management process.
Understanding the Patch Gap
The Ponemon Institute estimates that the average time to patch is 102 days. Yes, it takes the average organization well over three months to patch vulnerable systems. It’s not that IT teams don’t understand how critically important it is to patch vulnerabilities in a timely manner—far from it. The real reason why the patch gap is so massive is the fact that 37 percent of organizations don’t pro-actively scan their networks and systems to see what needs to be fixed.
To make things worse, there is a global shortage of IT talent, and organizations may not be able to find qualified personnel as quickly as they would like. According to the ServiceNow study, 64 percent of security professionals are trying to hire dedicated resources for patching over the next 12 months, but nobody knows how many of them will succeed.
Bridging the Patch Gap
Even though so many organizations don’t have direct access to as many talented IT professionals as they would like, they can still significantly strengthen their cybersecurity posture by implementing an effective patch approval and management process.
In fact, Gartner estimates that patching will be the single most impactful enterprise activity to improve security in coming years. “Counting attacks is fruitless. Taking action based on trends and vulnerabilities is the best step. As the monetization of exploits and security grows, patching, detection and vulnerability management are ideal ways for security and risk management leaders to face a ransomware-dominated landscape,” states Gartner.
The entire patch approval and management process can be broken down into three stages—discovery, patch testing, and patch roll-out—with each stage being as important as the last one.
As we’ve already explained, 37 percent of organizations don’t pro-actively scan their networks and systems for vulnerabilities. However, before an organization can start monitoring for new patches and vulnerabilities, it must first create a comprehensive network inventory to have a good understanding of its infrastructure.
Large organizations in particular sometimes lose track of their systems, forgetting to patch them for months and years. There are many tools that can help with both vulnerability monitoring and the creation of a comprehensive network inventory, and they can significantly reduce the burden patching places on the IT department.
“You don’t patch systems immediately,” explains Greg White, director of the Center for Infrastructure Assurance and Security at the University of Texas San Antonio. “You test a patch to see if systems act adversely with it. If that happens, you have a critical piece of software that no longer works.”
The sad truth is that even though patches are intended to fix or improve things, they sometimes make them worse. Patch testing is an especially important component of an effective patch management process because it helps organizations avoid being caught off guard by unexpected issues. In practice, patch testing involves the creation of a testing environment or at least a testing segment, and it’s one of those activities that are guaranteed to quickly pay for themselves.
Each and every patch roll-out should follow previously established patch management policies, which specify what will be patched, when, and under what conditions. Not all patches are created equal, and it only makes sense to assign a critical kernel vulnerability a much higher priority than a cosmetic bug discovered in some miscellaneous piece of software used by just one department.
It’s always a good idea to conduct a detailed patch management audit after every patch roll-out. A patch management audit provides the information an organization needs to further fine-tune its patch management process.
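The discovery, prioritization, and audit steps described above can be sketched in a few functions. This is an added example, not code from the article or from any particular tool; the inventory, the advisory IDs, and the SLA values are constructed for illustration.

```python
from datetime import date

# Constructed inventory: host -> installed package versions (sample data).
INVENTORY = {
    "web01": {"kernel": (5, 10, 1), "nginx": (1, 24, 0)},
    "db01": {"kernel": (5, 10, 9), "reportgen": (2, 0, 0)},
    "hr-pc7": {"reportgen": (2, 0, 0)},
}
# Constructed advisories (placeholder IDs): package, first fixed version, severity.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "pkg": "kernel", "fixed": (5, 10, 9),
     "severity": "critical", "released": date(2024, 1, 10)},
    {"id": "ADV-EXAMPLE-2", "pkg": "reportgen", "fixed": (2, 0, 1),
     "severity": "low", "released": date(2024, 1, 5)},
]
# Hypothetical policy: days allowed between patch release and roll-out.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 60, "low": 90}
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def discover(inventory, advisories):
    """Discovery: (host, advisory) pairs where the installed version predates the fix."""
    findings = []
    for host, pkgs in inventory.items():
        for adv in advisories:
            installed = pkgs.get(adv["pkg"])
            if installed is not None and installed < adv["fixed"]:
                findings.append({"host": host, **adv})
    return findings

def prioritize(findings, today):
    """Roll-out order: severity first, then least time remaining under the policy."""
    for f in findings:
        f["days_open"] = (today - f["released"]).days
        f["overdue"] = f["days_open"] > SLA_DAYS[f["severity"]]
    return sorted(findings, key=lambda f: (RANK[f["severity"]],
                                           SLA_DAYS[f["severity"]] - f["days_open"]))

def audit(findings):
    """Audit: findings still open past their policy deadline."""
    return [(f["host"], f["id"], f["days_open"]) for f in findings if f["overdue"]]

if __name__ == "__main__":
    queue = prioritize(discover(INVENTORY, ADVISORIES), today=date(2024, 2, 1))
    for f in queue:
        print(f["host"], f["id"], f["severity"], f["days_open"],
              "OVERDUE" if f["overdue"] else "within policy")
    print("audit:", audit(queue))
```

Hosts that never appear in the inventory never appear in the findings, which is why the inventory has to be complete before the rest of the process can be trusted.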
Knowing which patches to approve and being able to implement them before hackers manage to exploit the unpatched vulnerabilities is essential for all organizations that can’t afford to risk prolonged downtime and the loss of revenue associated with it. An effective patch approval and management process should be a key component of modern cybersecurity programs, and we’ve outlined it in this article. For more information about monitoring patch vulnerabilities, consider contacting an MSSP.
Written by: Payam Pourkhomami, President & CEO, OSIbeyond