The Limits of Patch Management in Cybersecurity
November 21, 2023

Dotan Nahum
Check Point Software Technologies

Cyberattacks are publicized much more frequently than the hard work security teams put in to stop them. 2017's WannaCry and 2022's Log4Shell were amplified by companies' failures to install readily available patches, causing highly destructive, expensive, and embarrassing consequences for victim organizations.

Most companies provide security patches upon detection of vulnerabilities, but they are not always timely or taken seriously. Patch management involves more than installing patches or code changes in the event of a breach; it's about keeping your finger on the pulse to stay alert to available patches, test them, and document the processes to ensure security, reliability, and compliance.

Whose Job Is It Anyway?

Only your security department can identify vulnerable software, prioritize updates, and deploy patches. While detection can come in the form of email alerts from the affected vendor or the in-house use of vulnerability scanners, the practice of patch management (including acquiring the patch, testing it, and installing it) falls into the hands of your IT team.

If the looming threat of data breaches isn't enough to convince you of the importance of patch management, the shadow of a lawsuit should be. Equifax succumbed to the FTC's enormous $700 million fine in 2019, with patch management failures listed on the score sheet. After noticing a vulnerability in its ACIS database, Equifax followed protocol and ordered a patch within 48 hours of detection. Unfortunately, the command slipped through the cracks. Equifax's security team failed to carry out the patch, putting the company under the FTC's spotlight and demonstrating the criticality of effective delegation and ownership.

Perhaps the people with "true" ownership over patch management are your legal department, albeit inadvertently. Although lawyers don't have the technical expertise to verify successful patch management, it's their mess to clean up if anything goes wrong. Cybersecurity regulation and litigation are more stringent than ever, and the changing face of compliance means that fines can peak at €20 million or 4% of annual global turnover (whichever is greater) for infringements in the EU. In the US, federal and state limits are rising ever higher. For example, the Department of Health and Human Services (HHS) dishes out HIPAA (Health Insurance Portability and Accountability Act) fines of up to $50,000 per violation.

Critical Limitations of Patch Management

Let's review the limitations of patch management and how you can, well, patch things over.

1. Prioritization

It's a universal fact that critical vulnerabilities must be addressed quickly, but that doesn't mean they carry equal weight. Cyber threats are never-ending; new exploits are discovered daily, and IT teams receive a torrent of time-consuming updates that affect workflows and cause alert fatigue.

It's impossible to sift through every notification manually, leading to a dissipation of responsibility (as we saw in the Equifax case) and a lack of clarity regarding prioritization. Automated patch management solutions can do the heavy lifting for you. Otherwise, to wade through the prioritization tasks, you can take a risk-based strategy based on the following categories:

Classification: What type of vulnerability is it?

Asset information: Identify all assets. For each, define who is responsible for it, its role in your organization, and its worth.

Severity: Use the Common Vulnerability Scoring System (CVSS) to rate the severity of the vulnerability from 1-10.

Exploitability: How likely is it that an attacker will exploit this vulnerability?

Impact: What consequences will this vulnerability have in terms of a data breach, financial loss, or system downtime?
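The five categories above can be turned into a repeatable triage rule. The following is an added example, not code from the article or from Check Point: it scores each constructed finding against classification, asset information (owner, role, worth), CVSS severity, exploitability and impact, then orders the backlog by the combined risk. The weights, the 1-5 asset-worth scale, the placeholder vulnerability IDs and the patch-window policy are all assumptions chosen for illustration; CVSS base scores run 0.0 to 10.0. The point it shows is that the highest CVSS score is not automatically the first patch to ship.

```python
"""Risk-based patch prioritization (illustrative example, not a vendor's tooling)."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    vuln_id: str            # placeholder identifier, not a real CVE
    classification: str     # what type of vulnerability it is
    asset: str              # affected asset
    owner: str              # who is responsible for the asset
    asset_role: str         # role of the asset in the organization
    asset_worth: int        # 1 (low) .. 5 (crown jewel); assumed scale
    cvss: float             # CVSS base score, 0.0 .. 10.0
    exploited_in_wild: bool # is the vulnerability known to be actively exploited?
    impact: str             # dominant consequence if exploited


# Weights are assumptions for this example; tune them to your own risk appetite.
CLASS_WEIGHT = {"rce": 1.0, "privilege-escalation": 0.8, "info-disclosure": 0.6, "dos": 0.4}
ROLE_WEIGHT = {"internet-facing": 1.0, "internal": 0.6, "dev": 0.3}
IMPACT_WEIGHT = {"data-breach": 1.0, "financial": 0.8, "downtime": 0.5}


def risk_score(f: Finding) -> float:
    """Combine the five triage categories into a 0-100 risk score."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"{f.vuln_id}: CVSS must be between 0.0 and 10.0")
    if not 1 <= f.asset_worth <= 5:
        raise ValueError(f"{f.vuln_id}: asset_worth must be between 1 and 5")
    severity = f.cvss / 10.0
    exploitability = 1.0 if f.exploited_in_wild else 0.4
    asset = ROLE_WEIGHT[f.asset_role] * (f.asset_worth / 5.0)
    classification = CLASS_WEIGHT.get(f.classification, 0.5)
    impact = IMPACT_WEIGHT[f.impact]
    score = 100 * (0.35 * severity + 0.25 * exploitability + 0.20 * asset
                   + 0.10 * classification + 0.10 * impact)
    return round(score, 1)


def patch_window(score: float) -> str:
    """Map a risk score to a remediation deadline (assumed policy)."""
    if score >= 80:
        return "emergency: patch within 72 hours"
    if score >= 60:
        return "next maintenance window (14 days)"
    return "standard cycle (30 days)"


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest risk first, so the top of the list is the next patch to ship."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample findings; asset names and IDs are made up for the example.
SAMPLE_FINDINGS = [
    Finding("VULN-001", "dos", "build-runner-03", "platform-team", "dev", 2,
            9.8, False, "downtime"),
    Finding("VULN-002", "rce", "web-gateway-01", "netops", "internet-facing", 5,
            7.8, True, "data-breach"),
    Finding("VULN-003", "privilege-escalation", "hr-db-01", "hr-it", "internal", 4,
            8.8, False, "data-breach"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        s = risk_score(f)
        print(f"{f.vuln_id} cvss={f.cvss} owner={f.owner:<14} risk={s:5.1f} -> {patch_window(s)}")
```

Run as-is and the internet-facing, actively exploited RCE with a CVSS of 7.8 comes out on top, ahead of the CVSS 9.8 denial-of-service bug on a low-value dev box; sorting by CVSS alone would have put them in the opposite order. Each line also carries the owner from the asset inventory, which is the delegation the Equifax case shows matters.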

2. The Cut-Off Point

You can't patch what you can't see, and this problem is two-fold for enterprises. Firstly, some legacy systems and software no longer receive vendor-supplied fixes. For example, as of January 2023, Microsoft stopped patching Windows 7, Windows 8 (and 8.1), and Windows Server 2008 R2, leaving the door wide open for security risks.

Secondly, enterprise patch management is a web of complexity. Alongside legacy devices (some of which can no longer be patched), your employees will likely use a range of company-issued and personal devices to access workplace data, including modern PCs, smartphones, and IoT devices. Keeping tabs on them all is incredibly difficult, as is remote patching in the work-from-home era. IT teams are reduced to chasing colleagues and encouraging them to hit the "restart PC" button. Moreover, the risk of service downtime prompts employees to ask for exceptions and ignore auto-updates.

For this reason, automated patch management solutions must limit disruption, address exemptions, and offer IT teams the necessary flexibility, such as accounting for time zones in the deployment schedule.

3. Zero-Day Vulnerabilities

Patch management only covers known vulnerabilities, which means your organization remains open to zero-day attacks that have yet to be publicly disclosed. Even if you patch every known vulnerability promptly, you can't guarantee protection against zero-day exploits.

Establishing a zero trust framework is an effective strategy for addressing zero-day exploits, as it assumes the attacker already has access to your network. However, most patch management solutions don't enforce access management policies, so your best bet is to pair patch management with identity and access management (IAM) to limit attackers' lateral movement.

Automate to Accelerate Patch Management

Ultimately, all roads point to end-to-end patch management automation as the most efficient and fast method of implementing patch management policies, determining patch windows, and applying fixes. When there are thousands of vulnerabilities to address daily, it's time to cut out the manual efforts.

Dotan Nahum is Head of Developer-First Security at Check Point Software Technologies