Patch Tuesday is great, isn’t it? The biggest software giants, including Microsoft, Adobe, and Oracle, release patches and updates to their products so users are protected from the latest vulnerabilities, tracked with a CVE number, for the information security community. Install them and you’re good to go, right? Unfortunately, it’s not that easy anymore in today’s environment.
As demonstrated recently with the Log4j zero-day vulnerability, dubbed “Log4Shell” when it was publicly disclosed in December 2021, a comprehensive vulnerability management strategy run by qualified security professionals is now table-stakes for the security program. Without it, by default, a company accepts the risk of a preventable breach that could have been avoided had the vulnerability been patched.
However, the fact is that hiring the right cybersecurity staff to manage timely and correct patching is nearly impossible right now. With zero percent unemployment and the on-going cybersecurity skill gap, companies are unable to hire the qualified personnel with specialized skill sets needed to perform the associated tasks properly. And unfortunately, businesses around the world are currently faced with an industry climate that’s making the recruitment and retention of cybersecurity talent harder than ever.
Why Patch Management Is More Critical Now Than Ever Before
As soon as any CVE or zero-day vulnerability with Proof of Concept (POC) is publicly released – as was the case with Log4j – threat actors start scanning the internet to prey upon vulnerable organizations. Proper patch management closes that window of exposure between when the CVE is made public and when the organization is able to successfully patch the vulnerability and remediate any impacted assets that may have been exposed.
That’s all well and good, except for the fact that establishing and managing an effective vulnerability management program is easier said than done. In a recent survey, 71% of security professionals responded that patching was complex and time-consuming1. Organizations are faced with a long, daunting list of challenges and considerations that must be addressed first. The right technology needs to be implemented, solutions must be able to scale as infrastructure grows, and security risks must be identified and continuously managed. These activities need to happen all while the business maintains focus on core revenue-generating activities.
Patching Pains
Having a shortage of security expertise will obviously have a negative impact on security. However, there are critical areas that present more risk than others. Given the fact that a whopping 85% of successful exploits were carried out on unpatched machines2, a focus on vulnerabilities and patch management needs to be a high priority. Unfortunately for businesses, patching has been getting more and more difficult alongside a shrinking talent pool and increasing attacks on vulnerabilities.
Security teams need to be proactive in finding and applying patches. Inventory tracking has thus become critical for keeping up-to-date with security updates, especially with mixed-OS environments and machines running various versions of software. It’s easy to lose track of it all, and teams can quickly become overwhelmed and fall behind, especially when manual processes and legacy systems are involved.
Expanding Attack Surfaces
Attack surfaces present another challenge. Areas of exposure are reaching into the cloud and beyond, along-side an increasingly remote workforce that’s emerged as a byproduct of COVID-19. Patches need to be installed over a variety of network configurations and authentication schemes, instead of simply over the company LAN like in the past.
Because systems are now more complex, there are also a greater number of dependencies back and forth between applications, servers, DevOps, and other elements. Therefore, disruptions created by patching have the potential to be quite severe. There can be internal resistance to a particular service going offline (especially if it’s revenue-generating) or the fear of potential business impacts if something goes wrong.
Technical Intricacies of Patch Management
Patching itself has also become more challenging. There’s often a lack of understanding when it comes to vulnerabilities and updates. Prioritization can be difficult, since an security staff must be able to quickly answer the following questions when a PoC or vulnerability notification is published:
- How does the Vulnerability work?
- How difficult is the Vulnerability to exploit?
- What are the Discoverable Assets and their importance?
- What are the Configuration details?
- What is the possible damage that can result from exploitation?
The patch also needs to be reliable, which is where compatibility issues come into play. Staff needs to know how systems, applications, and dependencies all interact with each other, and ideally have both the time and experience to perform proper compatibility testing.
Other environment-specific factors can come into play, as well. There can be bandwidth limitations, complications related to the manageability of system architecture, and scaling problems – all coming with the risk of length remediation times if something goes wrong.
Security Compliance Pressures
In the last two decades both governments and industry-specific organizations have made data security a priority when it comes to legislation and regulations. No longer is security something that’s just “nice to have.” It has become a requirement that’s strictly enforced, with non-compliance punishable by fines and other penalties. There’s even more regulatory scrutiny in the wake of Log4j, with the Federal Trade Commission warning companies that legal action will be pursued if Lo4j and similar vulnerabilities aren’t remediated5. This edict reinforces how fast compliance requirements can change following a zero-day.
Patching and Staffing: Building a Team or Outsourcing
When it comes to solving patch and vulnerability management problems, having the right team in place is vital. Unfortunately, though, there’s no one-size-fits-all answer. So, how should an organization go about building a team? Use the following process to find the best solution for an organization.
Building the Vulnerability Management Team In-House
When it comes to a DIY approach to patch management, it’s critical to hire experienced staff. After all, they’ll be handling everything from initial installation to the day-to-day operations to any ongoing maintenance or scaling. And those skillsets won’t come cheap.
By having a thorough understanding of cybersecurity roles across the organization, companies have a better method to identify and recruit new talent, as well as training and developing existing employees. It’s a win-win for everyone: the in-house team feels that they are on a long-term career path rather than in “just another job,” and the company will have a much higher retention rate.
Outsourcing Vulnerability Management with Managed Detection and Response
More and more enterprises are taking advantage of MSSPs and next-generation Managed Detection and Response services these days, which isn’t surprising given how much has changed in recent years. Managed security services provide a practical and effective solution to the security challenges that businesses are facing. Security leaders can ask qualifying questions to understand how MSSPs and MDR companies are not the same. Vulnerability Management services with an MDR provider can provide a seamless opportunity for improved patch management.
With MDR and vulnerability management bundled together, the in-house team is relieved of the tasks associated with daily patch management, security hardening, and threat hunting. The in-house security team can then focus on overall security governance, including prioritizing which vulnerabilities are most critical to the organization. Prioritization is instant, thanks to automation, and results are more accurate because business context and asset importance are considered. Outcomes are seamless, as security patches get applied right away with hands-on assistance and expert guidance. At the same time, threat detection and response activities are initiated, and conducted on-going 24/7, to ensure no known threats have gained a foothold in the network. Experts work in tandem to feed threat intelligence into IoC watchlists, add detection rules for automated playbooks and updated runbooks, while on-going patch updates are applied.
Save on IT Security Staffing and Efficiently Minimize Risk
As noted earlier, using a vulnerability management service, in particular when bundled with a recognized MDR service, helps save money when it comes to staffing. Hiring a junior engineer instead of an in-demand security expert that’s both hard to find and prohibitively expensive sounds great in theory, until that junior engineer misses a critical security patch due to inexperience. Another alternative to the fully outsourced model is to hire a junior engineer who has that managed security service on-call, ready to provide guidance when patching is needed.
Regardless of the outsourcing model, when a critical zero-day has the business on the line, companies need experienced personnel to correctly patch systems fast.
Visit Deepwatch Labs: Threat Reports on the Vulnerabilities You Need to Know
When the next zero-day hits, visit Deepwatch Labs for the full details and recommendations from the Deepwatch Threat Intel team on what you need to do to patch fast. Bookmark Deepwatch Labs – and when you are ready to discuss Deepwatch’s full Vulnerability Management services, with operationalized Threat Intelligence and analytics, contact us today to connect with one of our VM experts and discuss your requirements for solution design.
Sources
- https://www.darkreading.com/vulnerabilities-threats/71-of-security-pros-find-patching-to-be-complex-and-time-consuming-ivanti-study-confirms
- https://www.cisa.gov/uscert/ncas/alerts/TA15-119A
- https://www.riskbasedsecurity.com/2022/02/14/vulnerability-report-2021-year-end/
- https://www.ibm.com/downloads/cas/OJDVQGRY
- https://www.ftc.gov/news-events/blogs/techftc/2022/01/ftc-warns-companies-remediate-log4j-security-vulnerability
Share