Infosec expert viewpoint: Vulnerability patching

Vulnerability patching is one of the most useful and cost-effective methods to mitigate a plethora of security threats.

Here’s what infosec experts think about the challenges related to patching systems, and how they see vulnerability patching evolve in the near future. They also give advice to enterprises looking to deploy a solution that makes vulnerability patching easier.

Morey Haber, VP of Technology, Office of the CTO, BeyondTrust

Unpatched machines have various degrees of risk. The most severe could lead to bots and ransomware like the Mirai botnet and WannaCry ransomware. Vulnerability assessment and patch management programs can identify the missing patches and prioritize which ones should be applied first in order to mitigate the highest risk. Compared to other cybersecurity issues, patch management is a cornerstone of basic cyber security hygiene. Without good patch management, many other cybersecurity initiatives will just flat out fail because the basics are just not covered. This is evident from recent breaches like Equifax and Fedex.

The evolution of patch management in the next five years will follow the lead of Microsoft and Apple. Patches will be available on a periodical schedule, automatically install, be bundled in one distribution, and automatically include previous and/or cumulative releases. This will enable resources to automatically default “in” to automated patch management and require a conscience decision to opt “out” for technical, business, or certification reasons. In addition, patching will also be self-healing to ensure that applications do not back out patches or deny individual file updates that could lead to additional risk.

Any enterprise considering deploying a solution for patch management should consider the following parameters:

• Who bundles the patches? Are they patch management vendor supplied or do you need to “roll” your own?
• What is the SLA from the vendor for missing patch identification?
• What platforms does the vendor support and does it provide full coverage for your environment?
• What applications does the vendor support and does it provide full coverage for your environment?
• Does the solution detect missing, corrupt, or partial patch deployments?
• Does the solution allow for uninstall or rollback of patches in case of incompatibles or errors?
• Can the solution deploy firmware updates?
• Can you create custom packages for custom developed or homegrown applications?
• Do they support EOL operating systems like XP and 2003?

Phil Richards, CISO at Ivanti

Unpatched systems are right at the top of the most vulnerable, dangerous items in the IT environment. The way that hackers typically invade a company is through unpatched systems or a poorly constructed web site. The most difficult part of patching is that the IT organization has to find and patch all the systems, yet the hackers only have to find one system that got missed. Identifying systems that need patches is so important that one of the five most important controls that can be implemented at a company is an accurate system inventory. People get very concerned about connecting to a malicious website – and they are right to be vigilant.

The reason malicious websites work is because they contain software known as an exploit kit. This software performs a vulnerability scan of your computer, finds vulnerabilities (unpatched software usually) and runs the appropriate exploit to take control of the system. The most effective way to defeat this behavior is to make sure your system contains all up-to-date patches.

Over the next five years, patching cycles will get shorter. What we see as a monthly patch cycle from Microsoft may increase in frequency for emergency/security related patches. More vendors will adopt a monthly or more frequent cadence for patches. Enterprises should look for a system that deploys all patches, not just from some vendors, and they should look for a system that incorporates Asset Management into the patching process. Organizations should also look for a system that includes a healthy, rigorous asset discovery component, not just something that does a periodic ping scan of the network.

Mark Butler, CISO at Qualys

Compared to many other security issues, unpatched systems pose significantly more risk to organizations due to the easy access and exposure they provide attackers to take advantage of and compromise systems. The impacts of system compromise can result in significant brand impact via data loss, exposure of sensitive personal information, alteration or re-routing of financial transactions or exposure of intellectual property, as a few examples.

Typical patching challenges organizations of all sizes face include identification, validation, prioritization, preparation, testing, approvals, deployment and reporting, and traditional patching efforts have been manual or semi-automated based on the platform capabilities and the maturity of solutions available.

Patching capabilities are improving via multiple methods: security agents today are providing virtual patching or isolation based on dynamic threat intelligence or real-time system monitoring alerts, 3rd party system management platforms will group and deploy large scale patch candidates via a dedicated solution and native operating system platforms improve their ability to update real-time virtual system configurations without impacting core system availability.

Moving forward, we will see the exciting benefits of containers and virtualization in patching since we don’t patch containers, we update the docker file that creates the image that is deployed within a container. Also, configuration changes can be made across multiple container workloads without impacting any application or micro service availability. Any investments made in improving patching capabilities should revolve around; container integration, virtualization integration, high accuracy, full platform / device coverage, vulnerability solution integration, agent mitigation, remotely manageable, 3rd party software support, ability to reverse patching if issues are found, easy data sharing in / out of the solution, integration into ticketing workflows and detailed reporting to prove progress is being made over time.

Destiny Bertucci, Head Geek at SolarWinds

The dangers associated with unpatched machines revolve around the “holy trinity” of security: confidentiality, integrity, and availability (CIA). Breaches and issues within any of these three pillars can cost a business both monetarily and reputationally. Protecting a business’s reputation means aligning its security posture to support and protect the CIA. In fact, there are software solutions available that rollout patches to devices, so there are truly no excuses for significant security gaps in a security posture.

Over the next few years, IT leaders will likely increasingly seek software solutions and auto-updating practices; there are numerous software options (both proprietary and third-party) available that enable patching to be rolled out in mass quantities and levels. In the future, there will be more testing in lab scenarios, particularly within DevOps environments. Testing provides valuable insight into the baseline normal of a specific device’s health—allowing an IT administrator to spot anomalies—and verify installed software to avoid issues on a mass rollout.

Enterprises looking to deploy a solution that makes vulnerability patching easier should implement a solid patching plan, and invest in their overall security posture. Establishing a patching plan is vital to any business doing its due diligence to protect the CIA. Companies should also invest in end-user education, as they are only as good as their weakest employee. Since security best practices may not be common knowledge for all employees, it is of paramount importance to ensure that everyone on the network understands core IT security practices.