The complexities of vulnerability remediation and proactive patching
In this interview with Help Net Security, Eran Livne, Director, Product Management, Endpoint Remediation at Qualys, discusses vulnerability remediation complexity, the challenges related to proactive patching, as well as Qualys Patch Management.
What makes vulnerability remediation a complex task?
Most vulnerability remediation involves multiple teams and processes – first, a scanning tool identifies vulnerabilities, and then they are passed to the patching team for remediation. This is a pain point for organizations and leads to extra resources, costs and longer exposure times. A lack of alignment between vulnerability and patch processes and the manual efforts required for vulnerability remediation are among the key causes of delayed patching.
A vulnerability does not always equal a patch. Many vulnerability fixes do not require a patch at all, or sometimes may require a patch alongside a configuration change. In short, researching and understanding what is required to remediate for each unique vulnerability is a time-consuming task – time that could be used to remediate more vulnerabilities.
Once vulnerabilities are mapped to necessary actions, applying the remediation techniques to assets – in most cases – is not difficult. However, many organizations fail to complete this step quickly and efficiently. Why? Remediation is complex. A “fix” can be deemed simple, yet any change in an environment introduces operational risk. This simple change could, for example, break an application that a CEO is using on their laptop, or even break a web service that is used to authorize million-dollar transactions.
Traditional tools that focus on patch management can also complicate the remediation process. Those tools focus mostly on software updates (i.e., patches) for a specific OS and are operated in silos by different IT teams. This makes remediation of the various vulnerabilities across different OSes challenging. Additionally, most of those tools were built for on-premises usage, complicating things significantly when employees are roaming or working from home.
Proactive patching can greatly improve cybersecurity posture, yet it’s not often simple. What can organizations do in order to become more efficient in this area?
Each organization has its own tolerance for security and operational risk. Where organizations get into trouble is when they simultaneously have a low tolerance for both. Understanding how to realistically balance security and operational risk is key – e.g., the more an organization leans towards minimizing security risk, the more the organization should accept the operational risk and vice versa.
To balance security and operational risk, organizations must focus on the “right things” – like allowing for proactive remediation while still attempting to build efficient workflows that minimize the operational risk of remediation.
Organizations should continuously be asking themselves what the “right things” to remediate proactively are as no two companies are the same. There are a few complementary methods that organizations can utilize to create effective remediation practices.
One method is to analyze the vulnerability exposure and use the data to predict which products will remediate most of the vulnerabilities if patched regularly. This allows IT and security teams to focus on the right third-party software to patch, alongside the obvious remediation of vulnerabilities released on Patch Tuesdays. Automating the patching of the “right” third-party products will help reduce the time invested in remediation and decrease SLAs.
Another method is to define security risk tolerance based on real-time threat indicators (RTIs). This will allow security teams to define policies that will require immediate remediation of vulnerabilities being actively used in attacks – e.g., vulnerabilities that are leveraged for ransomware attacks. This approach ensures that organizations can proactively react to new, high-risk vulnerabilities and remediate them before bad actors leverage them.
Lastly, organizations need to target the correct assets. Mission-critical servers need to be treated differently than, say, end users. A much more mature and forceful security strategy can be built when this takes place. For example, it may be more critical to keep a production system online than giving an end user access to their server for a day.
Qualys recently introduced zero-touch patching capabilities into Qualys Patch Management. What does that mean for customers?
Qualys Patch Management is the remediation arm of Qualys VMDR (Vulnerability Management, Detection and Response), and customers use this capability to streamline the remediation of vulnerabilities detected in their environment. Qualys Patch Management is designed to help IT and security teams create proactive and reactive patch management workflows.
Qualys Patch Management leverages the Qualys Cloud Platform and Cloud Agents to help IT and security teams quickly and efficiently remediate vulnerabilities and patch systems. The new intelligent automation features allow for the prioritization of vulnerabilities based on threat indicators such as ransomware, matching of prioritized vulnerabilities with known patches, and a zero-touch “set and forget” feature to proactively patch devices and applications per predefined policies – leading to increased productivity. For example, an organization can create a policy to keep Adobe Reader software always patched on all employee laptops.
How does Qualys Patch Management help security teams streamline their workflows?
Zero-Touch Patch is designed to help Qualys customers find the “right things” to focus on when patching. This capability automates the patching process and simultaneously creates workflows that minimize operational risk.
Zero-Touch Patch streamlines the workflow associated with threats by intelligently identifying and automatically deploying the proper patches and configuration changes required for remediating vulnerabilities. Next, it leverages Qualys VMDR (Vulnerability Management, Detection and Response) to prioritize them based on real-time threat indicators such as ransomware, active attacks, exploitability or lateral movement to help organizations reduce cyber risk.
One example is that by mapping between vulnerabilities detected and products used in the customer’s environment, customers may find that iTunes is installed on many devices – and introduced more vulnerabilities to the environment than other third-party applications. This will indicate that iTunes introduces a high security risk to the environment. As patching iTunes typically does not introduce a high operational risk, Qualys can recommend the customer focus on proactively patching iTunes and guide the customer in creating an automation job that will ensure iTunes is always up to date.
The solution also streamlines the application of patches for compliance through automation to help security teams align with regulatory and internal security policies. Leveraging Qualys vulnerability data and corresponding RTIs, organizations can create zero-touch patch jobs that automatically apply relevant patches when a new vulnerability with a specific risk is discovered on an asset. In addition, the quick application of low operational risk patches also reduces the overall time to remediation, improving vulnerability SLAs.
Finally, Qualys makes sure that endpoints are quickly and consistently patched, via the cloud, without the need for manual intervention and regardless of their location or connection to a corporate network, reducing the cost of securing a prominent vector of attack. Eliminating the need to go over VPN for patching can save time and significantly reduce costs.
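The three prioritization methods described in the interview (ranking third-party products by how much exposure patching them removes, RTI-driven immediate remediation, and treating servers differently from end-user devices) and the iTunes example can be sketched as a small triage script. This is an added illustration, not Qualys code or the interviewee's; the findings, the RTI names and the per-product operational-risk ratings are constructed for the example.

```python
from collections import defaultdict

# Constructed sample findings (not real scan data): one row per (asset, vulnerability).
FINDINGS = [
    {"asset": "laptop-01", "tier": "endpoint", "product": "iTunes", "vuln": "V-0001", "rtis": set()},
    {"asset": "laptop-01", "tier": "endpoint", "product": "iTunes", "vuln": "V-0002", "rtis": set()},
    {"asset": "laptop-02", "tier": "endpoint", "product": "iTunes", "vuln": "V-0001", "rtis": set()},
    {"asset": "laptop-02", "tier": "endpoint", "product": "Adobe Reader", "vuln": "V-0003", "rtis": {"exploitable"}},
    {"asset": "laptop-03", "tier": "endpoint", "product": "iTunes", "vuln": "V-0002", "rtis": set()},
    {"asset": "web-01", "tier": "server", "product": "ERP Client", "vuln": "V-0004", "rtis": {"ransomware", "active_attack"}},
    {"asset": "web-02", "tier": "server", "product": "Windows", "vuln": "V-0005", "rtis": {"lateral_movement"}},
]

# Constructed operational-risk rating per product (assumption: set by the patching team, not derived).
OP_RISK = {"iTunes": "low", "Adobe Reader": "low", "ERP Client": "high", "Windows": "medium"}

# RTIs that a policy treats as "remediate now" (names are assumptions for this example).
IMMEDIATE_RTIS = {"ransomware", "active_attack"}


def exposure_by_product(findings):
    """Rank products by how many findings patching them regularly would clear."""
    count, vulns, assets = defaultdict(int), defaultdict(set), defaultdict(set)
    for f in findings:
        count[f["product"]] += 1
        vulns[f["product"]].add(f["vuln"])
        assets[f["product"]].add(f["asset"])
    rows = [(p, count[p], len(vulns[p]), len(assets[p])) for p in count]  # product, findings, distinct vulns, assets
    return sorted(rows, key=lambda r: (r[1], r[2]), reverse=True)


def proactive_candidates(findings, op_risk, min_share=0.25):
    """Products worth a zero-touch 'always up to date' job: low operational risk, large share of exposure."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["product"]] += 1
    total = len(findings)
    return sorted(p for p, n in counts.items() if op_risk.get(p) == "low" and n / total >= min_share)


def plan_remediation(findings, immediate_rtis=IMMEDIATE_RTIS):
    """Per finding: RTI policy hits go immediately; servers otherwise wait for a window; endpoints join the next job."""
    plan = {}
    for f in findings:
        key = (f["asset"], f["vuln"])
        if f["rtis"] & immediate_rtis:
            plan[key] = "immediate"
        elif f["tier"] == "server":
            plan[key] = "maintenance_window"
        else:
            plan[key] = "next_auto_job"
    return plan
```

With this data, iTunes tops the exposure ranking and is the only low-risk product above the share threshold, while the ransomware-tagged server finding is scheduled ahead of everything else regardless of tier.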