The Limits of Patch Management in Cybersecurity
November 21, 2023

Dotan Nahum
Check Point Software Technologies

Cyberattacks are publicized much more frequently than the hard work security teams put in to stop them. 2017's WannaCry and 2022's Log4Shell were amplified by companies' failures to install readily available patches, causing highly destructive, expensive, and embarrassing consequences for victim organizations.

Most software vendors release security patches once vulnerabilities are detected, but the patches are not always applied promptly or taken seriously. Patch management involves more than installing patches or code changes after a breach; it means keeping your finger on the pulse so you stay alert to available patches, test them, and document the process to ensure security, reliability, and compliance.

Whose Job Is It Anyway?

Only your security department can identify vulnerable software, prioritize updates, and deploy patches. While detection can come in the form of email alerts from the affected vendor or the in-house use of vulnerability scanners, the practice of patch management (acquiring the patch, testing it, and installing it) falls into the hands of your IT team.

If the looming threat of data breaches isn't enough to convince you of the importance of patch management, the shadow of a lawsuit should be. Equifax succumbed to the FTC's enormous $700 million fine in 2019, with patch management failures listed on the score sheet. After noticing a vulnerability in its ACIS database, Equifax followed protocol and ordered a patch within 48 hours of detection. Unfortunately, the command slipped through the cracks. Equifax's security team failed to carry out the patch, putting the company under the FTC's spotlight and demonstrating the criticality of effective delegation and ownership.

Perhaps the people with "true" ownership over patch management are your legal department, albeit inadvertently. Although lawyers don't have the technical expertise to verify successful patch management, it's their mess to clean up if anything goes wrong. Cybersecurity regulation and litigation are more stringent than ever, and the changing face of compliance means that fines can peak at €20 million or 4% of annual global turnover (whichever is greater) for infringements in the EU. In the US, federal and state limits are rising ever higher. For example, the Department of Health and Human Services (HHS) dishes out HIPAA (Health Insurance Portability and Accountability Act) fines of up to $50,000 per violation.

Critical Limitations of Patch Management

Let's review the limitations of patch management and how you can, well, patch things over.

1. Prioritization

It's a universal fact that critical vulnerabilities must be addressed quickly, but that doesn't mean they carry equal weight. Cyber threats are never-ending; new exploits are discovered daily, and IT teams receive a torrent of time-consuming updates that affect workflows and cause alert fatigue.

It's impossible to sift through every notification manually, which leads to a diffusion of responsibility (as we saw in the Equifax case) and a lack of clarity about prioritization. Automated patch management solutions can do the heavy lifting for you. Otherwise, to wade through the prioritization tasks, you can take a risk-based strategy built on the following categories:

Classification: What type of vulnerability is it?

Asset information: Identify all assets. For each, define who is responsible for it, its role in your organization, and its worth.

Severity: Use the Common Vulnerability Scoring System (CVSS) to rate the severity of the vulnerability from 1-10.

Exploitability: How likely is it that an attacker will exploit this vulnerability?

Impact: What consequences will this vulnerability have in terms of a data breach, financial loss, or system downtime?
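To show how the five categories above combine into a single ranking, here is an added Python example; it is not code from the original article or from Check Point. The weights, the SLA bands, the asset criticality scale of 1 to 5, and the asset and finding records are all constructed assumptions. The point it makes is that the highest CVSS score is not automatically the first patch to deploy: a CVSS 5.0 information disclosure on the billing database outranks a CVSS 7.4 denial of service on a staff laptop once asset worth, exploitability, and impact are weighed in.

```python
"""Risk-based patch prioritization over the five categories:
classification, asset information, severity (CVSS), exploitability, impact.
Weights, SLA bands and sample data are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    """Asset information: who owns it, its role, and its worth (criticality)."""
    name: str
    owner: str
    role: str
    criticality: int   # assumed scale: 1 (low) .. 5 (crown jewel)
    exposed: bool      # reachable from the internet


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    asset: Asset
    classification: str   # vulnerability type: rce, privesc, info-disclosure, dos
    cvss: float           # CVSS base score, 0.0 .. 10.0
    exploit_public: bool  # a working exploit is publicly known
    impact: str           # breach, financial, downtime, minor


# Assumed relative weights for the classification and impact categories.
CLASS_WEIGHT: Dict[str, float] = {"rce": 1.0, "privesc": 0.8, "info-disclosure": 0.6, "dos": 0.4}
IMPACT_WEIGHT: Dict[str, float] = {"breach": 1.0, "financial": 0.8, "downtime": 0.6, "minor": 0.2}


def risk_score(f: Finding) -> float:
    """Blend the five categories into a 0..100 score (weights are assumptions)."""
    if not 0.0 <= f.cvss <= 10.0:
        # CVSS base scores live on a 0.0-10.0 scale; anything else is bad input.
        raise ValueError(f"{f.vuln_id}: CVSS must be within 0.0-10.0, got {f.cvss}")
    severity = f.cvss / 10.0
    # Exploitability: a public exploit doubles the base likelihood;
    # internet exposure adds a further bump, capped at 1.0.
    exploitability = 1.0 if f.exploit_public else 0.5
    if f.asset.exposed:
        exploitability = min(1.0, exploitability + 0.3)
    asset_weight = f.asset.criticality / 5.0
    score = (
        0.35 * severity
        + 0.25 * exploitability
        + 0.20 * asset_weight
        + 0.10 * CLASS_WEIGHT.get(f.classification, 0.5)
        + 0.10 * IMPACT_WEIGHT.get(f.impact, 0.5)
    ) * 100.0
    return round(score, 1)


def patch_sla_days(score: float) -> int:
    """Map a risk score to a remediation deadline (bands are assumptions)."""
    if score >= 90.0:
        return 7
    if score >= 70.0:
        return 30
    if score >= 50.0:
        return 90
    return 180


def prioritize(findings: List[Finding]) -> List[Tuple[str, float, int]]:
    """Return (vuln_id, score, sla_days) rows sorted highest risk first."""
    ranked = []
    for f in findings:
        score = risk_score(f)
        ranked.append((f.vuln_id, score, patch_sla_days(score)))
    return sorted(ranked, key=lambda row: row[1], reverse=True)


# Constructed sample inventory and findings (not real assets or CVE ids).
BILLING_DB = Asset("billing-db", "dba-team", "customer billing", 5, exposed=False)
WEB_SITE = Asset("marketing-site", "web-team", "public brochure site", 2, exposed=True)
HR_LAPTOP = Asset("hr-laptop-17", "hr-team", "staff workstation", 3, exposed=False)

FINDINGS = [
    Finding("VULN-0001", BILLING_DB, "privesc", 8.8, exploit_public=True, impact="breach"),
    Finding("VULN-0002", WEB_SITE, "rce", 9.8, exploit_public=False, impact="downtime"),
    Finding("VULN-0003", HR_LAPTOP, "dos", 7.4, exploit_public=False, impact="minor"),
    Finding("VULN-0004", BILLING_DB, "info-disclosure", 5.0, exploit_public=False, impact="breach"),
]

if __name__ == "__main__":
    for vuln_id, score, sla in prioritize(FINDINGS):
        print(f"{vuln_id}  risk={score:5.1f}  patch within {sla:3d} days")
```

Running the block ranks VULN-0001 first (93.8, seven-day SLA) even though VULN-0002 carries the higher CVSS score, because the billing database is the more valuable asset and a public exploit exists. The asset records also carry the owner field the article asks for, so a ranked row can be routed straight to the person accountable for the patch rather than left for whoever notices it.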

2. The Cut-Off Point

You can't patch what you can't see, and this problem is two-fold for enterprises. Firstly, some legacy systems and software no longer receive vendor-supplied fixes. For example, as of January 2023, Microsoft stopped patching Windows 7, Windows 8 (and 8.1), and Windows Server 2008 R2, leaving the door wide open for security risks.

Secondly, enterprise patch management is a web of complexity. Alongside legacy devices (some of which no longer receive patches at all), your employees will likely use a range of company-issued and personal devices to access workplace data, including modern PCs, smartphones, and IoT devices. Unfortunately, keeping tabs on them all is incredibly difficult, as is remote patching in the work-from-home era. IT teams are reduced to chasing colleagues and encouraging them to hit the "restart PC" button. Moreover, the risk of service downtime prompts employees to ask for exceptions and ignore auto-updates.

For this reason, automated patch management solutions must limit disruption, address exemptions, and offer IT teams the necessary flexibility, such as accounting for time zones in the deployment schedule.

3. Zero-Day Vulnerabilities

Patch management only covers known vulnerabilities, which means your organization remains open to zero-day attacks that have yet to be publicly disclosed. Even if you patch every known vulnerability promptly, you can't guarantee protection against zero-day exploits.

Establishing a zero trust framework is an effective strategy for addressing zero-day exploits, as it assumes the attacker already has access to your network. However, most patch management solutions don't enforce access management policies, so your best bet is to pair patch management with identity and access management (IAM) to limit an attacker's lateral movement.

Automate to Accelerate Patch Management

Ultimately, all roads point to end-to-end patch management automation as the most efficient and fast method of implementing patch management policies, determining patch windows, and applying fixes. When there are thousands of vulnerabilities to address daily, it's time to cut out the manual efforts.

Dotan Nahum is Head of Developer-First Security at Check Point Software Technologies