Brent McCarty is president of ESET.
Zero-day attacks may be headline grabbers, but cybersecurity researchers have long reported that unpatched known vulnerabilities are directly responsible for an even higher percentage of data breaches than unknown vulnerabilities. For example, the 2021 IBM X-Force Threat Intelligence Index reported that one-third of all data breaches resulted from unpatched vulnerabilities.
Known exploitable vulnerabilities are always among the top causes of cyber incidents because hackers actively scan for them. This drives a quicker, easier and more predictable attack vector versus developing zero-days. But when zero-day hacks emerge, or new high-risk vulnerabilities are disclosed, patching becomes an extremely high priority.
The recent MOVEit Transfer vulnerabilities, which enabled a ransomware group to exfiltrate data and extort money from hundreds of organizations before the vendor could even issue a fix, illustrates the urgency of being able to patch on demand or have the ability to quickly implement other mitigating steps if no patch is available.
Patch Management Challenges
Patch management is an aspect of vulnerability management that automates the deployment of vendor-issued patches to remediate security vulnerabilities and other bugs in software. It can be implemented on a regular schedule or upon triggering policies and procedures for newly identified vulnerabilities. Ad hoc patching can be prone to errors and omissions. In this way, teams can better verify that all recommended patches are applied correctly and that no endpoints are inadvertently left exposed—an extremely common issue.
Most organizations routinely scan their environments for vulnerabilities. But with over 23,000 new vulnerabilities identified in 2022 alone, backlogs and “patch fatigue” are commonplace, and patching activities should be prioritized according to organizational risk. In addition, patches often need to be tested in corporate environments for compatibility with existing solutions, both commercial and in-house applications.
Computing and/or network resource constraints can also impact an organization’s ability to successfully identify and combat threats. According to Ponemon, over 80% of security leaders admit delaying patches to reduce impacts on business operations.
The Importance Of Automation
These common challenges make integration, automation and flexibility across vulnerability and patch management essential for companies looking to improve cyber hygiene and IT efficiency. But many of today’s vulnerability and patch management solutions stop at the basics.
For companies looking to implement automated patch management, which features are most critical and why? These five top the list for businesses of all sizes.
1. Patching With Minimal Operational Impact
Many organizations need to factor the immediate demands of business operations into their patching schedules. Yet some vulnerabilities, like the recent Microsoft Outlook Elevation of Privilege Vulnerability, must be addressed on a wide scale immediately.
Teams need flexibility and control to simplify complex patching processes and dynamically balance competing demands. Being able to automatically prioritize the most critical updates and schedule the rest for off-peak times is a big productivity and potentially bottom-line boost.
2. Comprehensive Automated Patching Across Most Applications And Vulnerabilities
Patch management automation is only as good as the portfolio of third-party applications and common vulnerabilities and exposures (CVEs) a tool supports. Coverage for thousands of the most popular applications and most of the hundreds of thousands of numbered vulnerabilities is key to automating patching for both current and future applications.
This includes Microsoft Windows, Windows Server, Linux and macOS operating systems as well as Microsoft Office products, Adobe software, VMware tools, popular browsers, Zoom clients and other endpoint-based applications. Many patch management solutions support just a few hundred applications, which can complicate endpoint management with manual steps to patch unsupported systems.
3. Centralized Patch Management
A centralized, web-based management console for all patch management tasks can be essential for resource-limited IT teams. This can help quickly and easily assess vulnerabilities, monitor completion status, identify non-compliant systems and manage patching across a company’s entire IT infrastructure, ideally in concert with other endpoint management activities.
4. Vulnerability Filtering And Prioritization
Many companies have fallen victim to ongoing exploits that target years-old vulnerabilities because they can’t readily identify the systems that need patching. To efficiently align available patch management resources with company-specific risks, the ability to automatically filter, sort and prioritize vulnerabilities based on risk exposure score, severity and type is important. Being able to customize exception settings, such as scheduling lower priority patches during off-peak times, is also important in reducing manual effort, errors/omissions, unplanned application downtime and service level issues.
5. A Real-Time Patch Inventory
Knowing exactly what you’ve patched and when, what you’ve yet to patch, what you’ve decided not to patch and what you thought you patched but didn’t are all essential to patch management.
For example, you need the ability to register and track patching exceptions for specific applications, including patch name/number, associated CVEs, patch criticality, impacted applications, etc. An accurate real-time patch inventory lays the groundwork for compliance reporting, due diligence in incident response and planning and prioritizing your efforts as you bring backlogged patches up to date, coordinate patching around planned IT downtime or slow periods, etc.
Final Thoughts
Without robust patch management, data cannot be kept secure. But patching has historically been one of the most time-consuming tasks that IT admins face, and remote work and more cloud utilization make IT environments more diversified and harder to patch than ever.
For companies looking toward managed service providers (MSPs) and managed security service providers (MSSPs) to operationalize their patch management along with other core security and privacy needs, the five considerations above can help guide your search. This can help maximize risk reduction and business value for overworked IT teams while ensuring increasingly strict cyber insurance, regulatory, audit and market requirements are confidently met.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
Read the full article here