IT teams appreciate it when vendors or security researchers discover new vulnerabilities and develop patches for them. So do attackers. The same information that tells IT teams where they may be vulnerable so they can take action also tells attackers where the weaknesses are – giving them both an opportunity and a map to guide the development of an exploit.
That means that once a vulnerability is disclosed, the clock starts ticking and it becomes a race for organizations to patch or mitigate vulnerable systems before they can be compromised.
While zero-day attacks capture media attention with exciting headlines, the reality is that most attacks target known vulnerabilities for which patches or updates already exist. According to the 2019 Verizon Data Breach Investigations Report, the average IT team patches fewer than 40% of affected systems within 30 days of discovering a vulnerability. However, cybercriminals can often develop an exploit for a publicly disclosed vulnerability within a matter of weeks or even days.
The gap between a working exploit being developed and the necessary patch being applied is a period of heightened – and avoidable – exposure to risk. One of the primary problems is that there is a disconnect between the priorities of IT and security teams. Where security teams take a proactive approach, the IT teams responsible for implementing patches tend to take a more reactive approach, potentially hindering the patch management program overall.
Reactive patch management
IT teams are busy. Patching vulnerable systems and applications is just one part of a very long list of tasks the IT team is responsible for. Everything is important on some level and it all needs to get done, so it’s understandable that patching may not always be the highest priority.
The problem is that if everything is a priority, then nothing is. Frequently, IT teams find themselves in a vicious cycle of constantly putting out fires – running from urgent issue to urgent issue because they never make the time to approach the situation proactively.
Risk assessment and context
The reality is that not every vulnerability is urgent – and that even the urgent ones aren’t necessarily a top priority for every vulnerable system or application. You need to have the right context to understand your exposure to risk.
You might have 100 systems affected by a vulnerability rated as “Critical”. If 84 of those systems don’t contain sensitive data and are not directly connected to other vulnerable or sensitive systems, they aren’t a top priority. Of the remaining 16, if 5 are public-facing systems for which you have other mitigating security controls in place, they also don’t need to be a top priority. The remaining 11 – the ones that are vulnerable, contain sensitive data or critical business functions, and are connected to the public internet – are the systems you should focus on first.
Eleven is a much more manageable number than 100, and by addressing just these 11 systems you greatly reduce your attack surface and your exposure to risk. Having context enables you to prioritize effectively.
Proactive patch management
In an ideal world, all of your vulnerable systems would be patched, but in the real world you don’t have to patch every vulnerability right now. Proactive patch management is focused on protecting the systems and applications that are most important from a business perspective and reducing the overall attack surface.
You must at least be aware of the vulnerabilities in the first place, though. You need to have an accurate IT asset inventory and comprehensive visibility so you know where all of your systems and applications are, and what they’re connected to. Armed with that information, you can prioritize your efforts based on context and potential impact, and be proactive about patching and updating the systems that need it the most.
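The context-based triage described in the 100-system example above, and the asset-inventory view this section calls for, can be expressed as a small prioritization routine. The following Python is an added example written for this article, not code from the author or any vendor. The tier rules (sensitive data or critical function, adjacency to sensitive systems, internet exposure, mitigating controls), the `SEVERITY_WEIGHT` table and the `exposure_score` multipliers are this example's own assumptions, and the 100-system inventory is constructed to reproduce the 84 / 5 / 11 split from the text.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed weights for the scanner's severity label; tune to your own scale.
SEVERITY_WEIGHT = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


@dataclass(frozen=True)
class Asset:
    """One system affected by a disclosed vulnerability, plus the context needed to rank it."""
    name: str
    severity: str                 # scanner/vendor rating of the finding on this host
    sensitive_data: bool          # stores or processes sensitive data
    critical_function: bool       # runs a critical business function
    connected_to_sensitive: bool  # directly reaches other sensitive or vulnerable systems
    internet_facing: bool         # reachable from the public internet
    mitigating_controls: bool     # compensating control already in place (segmentation, WAF, ...)


def priority_tier(a: Asset) -> str:
    """Place an asset in a patch-priority tier using the article's context rules (assumed encoding)."""
    high_value = a.sensitive_data or a.critical_function or a.connected_to_sensitive
    if not high_value:
        return "defer"        # nothing sensitive on it or next to it: normal patch cycle
    if a.internet_facing and not a.mitigating_controls:
        return "immediate"    # high value, exposed, nothing compensating: patch first
    return "scheduled"        # high value but internal, or protected by a mitigating control


def exposure_score(a: Asset) -> int:
    """Numeric score used only to order work inside a tier: severity times context factors."""
    score = SEVERITY_WEIGHT.get(a.severity, 1)
    if a.sensitive_data or a.critical_function:
        score *= 3
    if a.connected_to_sensitive:
        score *= 2
    if a.internet_facing:
        score *= 2
    if a.mitigating_controls:
        score //= 2
    return score


def triage(assets: List[Asset]) -> Dict[str, List[str]]:
    """Group affected assets by tier; within each tier the highest exposure score comes first."""
    tiers: Dict[str, List[Asset]] = {"immediate": [], "scheduled": [], "defer": []}
    for a in assets:
        tiers[priority_tier(a)].append(a)
    return {
        tier: [a.name for a in sorted(group, key=exposure_score, reverse=True)]
        for tier, group in tiers.items()
    }


def build_sample_inventory() -> List[Asset]:
    """Constructed inventory: 100 systems hit by one 'Critical' finding, mirroring the text's
    84 low-value / 5 exposed-but-mitigated / 11 exposed-and-critical split. Names are placeholders."""
    assets: List[Asset] = []
    for i in range(84):   # no sensitive data, not adjacent to sensitive systems (some are public)
        assets.append(Asset(f"lowvalue-{i:02d}", "Critical", sensitive_data=False,
                            critical_function=False, connected_to_sensitive=False,
                            internet_facing=(i % 3 == 0), mitigating_controls=False))
    for i in range(5):    # public-facing, sensitive, but with a compensating control
        assets.append(Asset(f"dmz-web-{i}", "Critical", sensitive_data=True,
                            critical_function=False, connected_to_sensitive=False,
                            internet_facing=True, mitigating_controls=True))
    for i in range(11):   # sensitive data or critical function, internet-connected, no control
        assets.append(Asset(f"crown-jewel-{i:02d}", "Critical", sensitive_data=(i % 2 == 0),
                            critical_function=(i % 2 == 1), connected_to_sensitive=True,
                            internet_facing=True, mitigating_controls=False))
    return assets


if __name__ == "__main__":
    result = triage(build_sample_inventory())
    for tier in ("immediate", "scheduled", "defer"):
        print(f"{tier:9s}: {len(result[tier]):3d} systems, e.g. {result[tier][:3]}")
```

The point of the structure is that the tier decision depends on inventory fields, not on the severity label alone: the same "Critical" finding lands in "immediate" for 11 hosts and in "defer" for 84. If your asset inventory cannot answer the five context questions for a host, this routine cannot rank it, which is the practical argument for getting inventory and connectivity visibility in place first.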