Improving Security Patching in Three Simple Steps

Research reveals that security professionals need to pay close attention to desktop applications because most vulnerabilities found in these types of apps can be extremely dangerous

The same report also cautions users who incorrectly believe that Microsoft’s automated updates will shield them from vulnerability risk.  In fact, the majority of desktop app vulnerabilities occur in non-Microsoft applications.  65 percent of the vulnerabilities reported in the 50 most common desktop applications were found in non-Microsoft apps.

It’s time that IT teams at organisations rethink their patch management strategy. There’s compelling evidence that to significantly reduce corporate risk, security teams must patch.

The challenge

The vulnerability scan results security departments issue to operations teams typically contain hundreds of pages, and thousands of vulnerabilities to address. It’s a huge list often containing some prioritisation based on the criticality of the vulnerabilities observed; and in some more mature organisations, an assessment and opinion of the security team.

Typically, operations teams care about security in the endpoints – even thought their job’s to guarantee uptime and user satisfaction, which often suffers when deploying patches requires reboots and application restarts. There’s also the resource constraint issue – prioritisation difficulties in a world where everything is urgent, the lack of visibility, questions around ownership and available time, and so on. It’s a tough ask of the operations team to minimise the risk in the endpoints without a holistic, multi-departmental collaboration focused on specific risk policies and profiles.

Compliance pressure doesn’t help either, because frequently it ends up being just a check-box, and not a mechanism for improving security. Therefore, while the bare minimum is undertaken very reluctantly to satisfy the auditors, there’s still a significant amount of fire drill and distraction from the daily grind.

Perhaps this is why many IT departments only patch the top software applications such as Microsoft, Adobe and Browsers.  It allows them to demonstrate that the business is compliant and that they’re satisfying the security needs of the organisation. In reality, however, this is a misconception – one that leads to a reduced security posture and an unnecessarily high risk for a breach.  It could potentially cost millions of pounds to the business, as highlighted by the latest Ponemon Institute research on the Cost of Breach.

To compensate for the lack of resources and time, IT professionals convince themselves that patching the most important applications is enough. The reality is that the vast majority of vulnerabilities are found in applications from vendors outside the top five or six that most IT departments are currently patching.  So, organisations that only patch vulnerabilities found in Microsoft, Adobe and browsers, for instance, remain at high risk.

Addressing the problem

IT professionals can practically address the problem by adopting a three-pronged Vulnerability Risk Management programme, which includes visibility, prioritisation and automated remediation:

  1. Risk-based assessment of patching needs

IT departments must understand what applications are running in the endpoints that require security mitigation – i.e. patch or compensating control. Approaching this from a pure software inventory perspective is a definite mistake, as it takes time that nobody has.  In its place, they will do well to undertake a risk-based assessment of the patching needs by automatically correlating the installed applications’ exact versioning data with known-documented vulnerabilities that have been vetted and curated.  This process will reduce false positives, and let security professionals rank vulnerabilities in terms of risk to the business.

  1. Prioritising effort

Time is our most limited resource, and the cyber criminals are taking advantage of the situation. IT departments need to use a risk-scoring system that helps them move fast to remediate the highest-risk vulnerabilities first. Risk controls vary across organisations, but at the very least, teams must evaluate vulnerability criticality, affected asset sensitivity and pervasiveness of the vulnerable software. With these three elements considered, IT can then exercise judgement on where to concentrate efforts.

  1. Automating remediation

Some organisations test all of the applications that get deployed to their end users, while others simply prioritise fast security roll-ups and publish every patch needed as soon as it’s released by the vendor. The middle ground is the most effective.

Some managed applications (i.e. those sanctioned by the organisation) are more critical than others because they may run critical business processes.  The most critical applications should be thoroughly tested before mass deployment. The other less critical managed applications should be patched regularly, preferably in a semi-automated way.  The outlier problems can then be dealt with afterwards.

IT should pay the most attention to the unmanaged applications sprawling across the organisation’s environment – automatically patching them mercilessly. These applications aren’t sanctioned by the business and pose a great risk because they tend to either get ignored or bypassed for policy enforcement. Ideally, these applications should be removed from the wider IT environment and their deployment controlled by an enterprise App Store with stringent workflows for approvals.  This will largely mitigate the risk they pose to the business.

A decade ago, it was easier for IT departments to manage vulnerabilities based on their criticality, mainly because there was a “perimeter” and less software installed in endpoints.  Today, with the amount of data generated and security incidents affecting business viability, organisations can ill-afford to lose sight of and focus on what matters. In fact, a systematic approach to patching is an easy win to improve security.

About the author

Alejandro Lavie is the Director of Security Strategy for Flexera‘s Software Vulnerability Management portfolio. He has 20 years of consulting and business development experience in four countries, focused around enterprise software in cybersecurity, IT operations, IT service management and optimisation.