Cyberattacks are publicized much more frequently than the hard work security teams put in to stop them. 2017's WannaCry and 2022's Log4Shell were amplified by companies' failures to install readily available patches, causing highly destructive, expensive, and embarrassing consequences for victim organizations.
Most companies provide security patches upon detection of vulnerabilities, but they are not always timely or taken seriously. Patch management involves more than installing patches or code changes in the event of a breach; it's about keeping your finger on the pulse to stay alert to available patches, test them, and document the processes to ensure security, reliability, and compliance.
Whose Job Is It Anyway?
Only your security department can identify vulnerable software, prioritize updates, and deploy patches. While detection can come in the form of email alerts from the affected vendor or the in-house use of vulnerability scanners, the practice of patch management (including acquiring the patch, testing, and installation) falls in the hands of your IT team.
If the looming threat of data breaches isn't enough to convince you of the importance of patch management, the shadow of a lawsuit should be. Equifax succumbed to the FTC's enormous $700 million fine in 2019, with patch management failures listed on the score sheet. After noticing a vulnerability in its ACIS database, Equifax followed protocol and ordered a patch within 48 hours of detection. Unfortunately, the command slipped through the cracks. Equifax's security team failed to carry out the patch, putting the company under the FTC's spotlight and demonstrating the criticality of effective delegation and ownership.
Perhaps the people with "true" ownership over patch management are your legal department, albeit inadvertently. Although lawyers don't have the technical expertise to verify successful patch management, it's their mess to clean up if anything goes wrong. Cybersecurity regulation and litigation are more stringent than ever, and the changing face of compliance means that fines can peak at €20 million or 4% of annual global turnover (whichever is greater) for infringements in the EU. In the US, federal and state limits are rising ever higher. For example, the Department of Health and Human Services (HHS) dishes out HIPAA (Health Insurance Portability and Accountability Act) fines of up to $50,000 per violation.
Critical Limitations of Patch Management
Let's review the limitations of patch management and how you can, well, patch things over.
It's a universal fact that critical vulnerabilities must be addressed quickly, but that doesn't mean they carry equal weight. Cyber threats are never-ending; new exploits are discovered daily, and IT teams receive a torrent of time-consuming updates that affect workflows and cause alert fatigue.
It's impossible to sift through every notification manually, leading to a dissipation of responsibility (as we saw in the Equifax case) and a lack of clarity regarding prioritization. Automated patch management solutions can do the heavy lifting for you. Otherwise, to wade through the prioritization tasks, you can take a risk-based strategy based on the following categories:
■ Classification: What type of vulnerability is it?
■ Asset information: Identify all assets. For each, define who is responsible for it, its role in your organization, and its worth.
■ Severity: Using the Common Vulnerability Scoring System (CVSS) to rate the severity of the vulnerability from 1-10.
■ Exploitability: How likely is it that an attacker will exploit this vulnerability?
■ Impact: What consequences will this vulnerability have in terms of a data breach, financial loss, or system downtime?
2. The Cut-Off Point
You can't patch what you can't see, and this problem is two-fold for enterprises. Firstly, some legacy systems and software no longer receive vendor-supplied fixes. For example, as of January 2023, Microsoft stopped patching Windows 7, Windows 8 (and 8.1), and Windows Server 2008 R2, leaving the door wide open for security risks.
Secondly, enterprise patch management is a web of complexity. Amongst legacy devices (of which some will be patch-less), your employees will likely use a range of company-issued and personal devices to access workplace data, including modern PCs, smartphones, and IoT devices. Unfortunately, keeping tabs on them all is incredibly difficult, as is remote patching in the work-from-home era. IT teams are limited to chasing colleagues and encouraging them to hit the "restart PC" button. Moreover, the risk of service downtime triggers employees to ask for exceptions and ignore auto-updates.
For this reason, automated patch management solutions must limit disruption, address exemptions, and offer IT teams the necessary flexibility, such as accounting for time zones in the deployment schedule.
3. Zero-Day Vulnerabilities
The patch management playing field is known vulnerabilities, which means your organization remains open to zero-day attacks that have yet to be publicly disclosed. Even if you patch every known vulnerability promptly, you can't guarantee protection against zero-day exploits.
Establishing a zero trust framework is an effective strategy for addressing zero-day exploits, as it assumes the hacker already has access to your network. However, most patch management solutions don't enforce access management policies, so your best bet is to pair patch management with IAM to limit attackers' lateral movements.
Automate to Accelerate Patch Management
Ultimately, all roads point to end-to-end patch management automation as the most efficient and fast method of implementing patch management policies, determining patch windows, and applying fixes. When there are thousands of vulnerabilities to address daily, it's time to cut out the manual efforts.