Security Boulevard (Original)

Patching Process Remains a Security Bottleneck

Patching continues to be overly complex, cumbersome and time-consuming, trends that are likely to persist as remote work increases the complexity and scale of patch management. And that’s a major security risk.

This was the central conclusion drawn from an Ivanti survey of more than 500 enterprise IT and security professionals across North America and EMEA, which found organizations are struggling with attack surface risk and ways to accelerate patching and other remediation actions.

Today’s work environments are no longer limited to a contained space where IT-controlled PC workstations are the center of productivity; organizations are now more distributed than ever before, which leads to larger attack surfaces. That’s not exactly surprising—but the scale of the problem certainly was.

“We expected to see IT professionals say that patching is overly complex and time-consuming, but seeing 71% say that was somewhat surprising,” said Srinivas Mukkamala, senior vice president of security products at Ivanti. “I think what was more surprising was that 61% of the IT and security professionals surveyed said that they receive requests from line-of-business owners to postpone maintenance windows once a quarter.”

Mukkamala noted that in the everywhere workplace, employees connect with various devices to access corporate networks, data and services as they work and collaborate from new and different locations, which means patching has never been more challenging.

“Meanwhile, IT and security teams are struggling to keep the constantly widening remote work landscape under control,” Mukkamala added. “Keeping the new online workspace safe and up-to-date with the latest security patches is necessary but has become increasingly challenging.”

Patching Without Context

He explained that while many security and IT teams attempt to patch every vulnerability, patching without threat context is not an effective strategy.

“Security and IT teams need context and adaptive intelligence around what their organization’s exposures are to vulnerabilities that are being actively exploited, including whether those vulnerabilities are tied to ransomware, and then they need to quickly remediate those threats,” he said. 

He also pointed out that patching to mitigate vulnerability exposure and ransomware susceptibility is contending with resource challenges and business reliability concerns.

“For example, an IT staff shortage has reduced the ability to mitigate security issues promptly for many companies,” Mukkamala said, noting that globally, the shortage of cybersecurity professionals is estimated to be more than 3 million. 

Casey Ellis, founder and CTO at Bugcrowd, a crowdsourced cybersecurity platform, called patch management one of those “death and taxes” aspects of IT management and security.

“Like any protocol, the effectiveness is determined by how well it has been implemented,” he said. “The main issue we see which causes a failure to mitigate risk arises from the asset inventory of an organization being incomplete, and systems being left vulnerable as a result.”

Blending in With the Noise

Ellis said an example of this in action was the Struts 2 vulnerability which ultimately enabled the 2017 Equifax breach. 

He explained that vulnerabilities in common software (as opposed to vulnerabilities in the unique code of an organization) go through a life cycle and are subject to an effect known as HD Moore’s Law, named after the creator of the penetration testing tool Metasploit: “Casual attacker power grows at the rate of Metasploit.”

Essentially, CVE vulnerabilities enter a commoditization phase where the difficulty of accessing a working exploit drops while the targetable systems are still in the process of being patched. 

“Once this threshold is crossed, the variety of threat actors using the exploit increases rapidly, and a more recent trend we’ve seen is nation-states and APTs using commodity or freely-available exploits in a manner that blends in with this noise,” he said. 

Mukkamala said that by combining risk-based vulnerability prioritization with automated patch intelligence technologies, organizations can understand what is being actively exploited, so that risk response is driven by threat priority rather than by raw vulnerability counts.

Dor Dali, director of information security at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, said unaddressed vulnerabilities are consistently the low-hanging fruit for hacker exploits, the gift that keeps on giving.

“Almost all successful hacks and security breaches leverage at least one unmitigated vulnerability,” Dali said. “Obviously, digital business is not prepared to deal with the threat of unpatched vulnerabilities, much less the full variety of vulnerabilities that aren’t solved by effective patch management.”

He also pointed out that vulnerability remediation isn’t easy: it’s difficult to fix what you don’t understand, and it’s not always clear what the “best” remediation path for a company might be.

“Security teams must first seek to prioritize risk created by unpatched assets. If a vulnerability doesn’t pose a meaningful risk to your business, don’t waste resources patching it,” he said. “If a vulnerability presents an unacceptable risk to the business, at that point all mitigation options must be considered.”

Dali explained this could mean a patch, but also a configuration change, a workaround or some other type of compensating control.
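One way to operationalize the prioritization Mukkamala and Dali describe above, as an added illustration rather than Ivanti’s or Vulcan Cyber’s code: findings are ranked by threat context (actively exploited, ransomware-linked, exposed) before a remediation decision is made, and a compensating control is chosen where no patch exists. The weights, thresholds and CVE ids below are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str                  # constructed placeholder ids in the sample below
    cvss: float
    actively_exploited: bool  # seen exploited in the wild (threat-intel / KEV-style feed)
    ransomware_linked: bool   # exploit known to be used in ransomware campaigns
    internet_facing: bool     # asset exposure; relies on a complete asset inventory
    patch_available: bool


def risk_score(f: Finding) -> float:
    """Threat-context score: CVSS plus additive bonuses.
    The weights are illustrative assumptions, not a vendor formula."""
    score = f.cvss
    score += 10.0 if f.actively_exploited else 0.0
    score += 5.0 if f.ransomware_linked else 0.0
    score += 5.0 if f.internet_facing else 0.0
    return round(score, 1)


def decide(f: Finding) -> str:
    """Map a score to an action: accept, schedule, patch now, or apply a
    compensating control (config change, workaround, isolation) when no patch exists."""
    s = risk_score(f)
    if s < 7.0:
        return "accept"  # no meaningful business risk: don't spend resources here
    if not f.patch_available:
        return "compensating-control"
    return "patch-now" if s >= 15.0 else "patch-next-window"


def triage(findings: list[Finding]) -> list[tuple[str, float, str]]:
    """Return (cve, score, action) with the most threatened items first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.cve, risk_score(f), decide(f)) for f in ranked]


# Constructed sample findings (placeholder CVE ids, not real advisories)
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, True, True, True, True),
    Finding("CVE-0000-0002", 9.1, False, False, False, True),
    Finding("CVE-0000-0003", 7.5, True, False, True, False),
    Finding("CVE-0000-0004", 4.3, False, False, False, True),
]

if __name__ == "__main__":
    for cve, score, action in triage(SAMPLE):
        print(f"{cve}  score={score:5.1f}  action={action}")
```

Note that the second finding has a higher CVSS than the third but ranks below it, because the third is exploited in the wild on an exposed asset.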

“In the scenario where a patch is determined to be the best remediation path, security and IT teams will need to work together to determine potential impact and unintended implications factoring in risk, potential business impact, and alternatives,” he said. 

Dali added that organizations will never patch themselves out of danger, and to some degree, this shifting priority reflects that.

“It’s a never-ending task that will never achieve full coverage,” he admitted. “This isn’t to downplay the importance so much as to note it’s one of several strategies that must be employed.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
