CISO Commentary: The Art of Patching
Recently, Core Security released the 2024 Penetration Testing Report, which shares the results from an annual survey of cybersecurity professionals on their experiences with offensive security strategies and solutions. In this series, we’re taking a deeper dive into some of the most noteworthy findings from the survey, with expert insights from Fortra’s CISO, Chris Reffkin, and Lead Product Manager for Infrastructure Protection, Pablo Zurro. In the previous installments, we looked into the optimal frequency of pen testing and ensuring efficacy despite budgetary constraints. In this third installment, we’ll discuss the challenges of patching and why it remains a critical security practice.
Failing to Patch: A Common Security Risk
According to the 2024 Penetration Testing Report, a lack of patching was the third leading security concern, with 66% of respondents noting it as a challenge. This represents a notable increase of 17% over the findings from the prior year, indicating a worsening trend in the timely application of patches.
Echoing these concerns, the Verizon Data Breach Investigations Report underscores shortcomings in patch management, revealing significant delays in patching vulnerabilities. Patch management cycles ideally should be around 15 days for critical vulnerabilities and 30-60 days for those that are less urgent. However, it was found that 85% of critical vulnerabilities had yet to be remedied 30 days after discovery. At 60 days, 47% of vulnerabilities were still not fixed. Alarmingly, even after a year, 8% remained unaddressed.
Implementing patches is often seen as basic, simple advice. But given these numbers, it’s clearly a practice that is easier said than done.
What Makes Patching So Challenging?
Reffkin explains that there are several factors that make patching a tricky endeavor.
Limited Time and Personnel
First and foremost, properly implementing a patch can be time consuming. It involves multiple steps, including acquiring, testing, configuring, deploying, and monitoring updates that resolve vulnerabilities. Additionally, while the general framework of a patch management process is relatively consistent, each patch may require a slightly different approach depending on the type of system, the severity of vulnerability, testing requirements, and other factors. With almost every organization being impacted by the security talent gap, the resources needed to keep up with proper patch deployment can be difficult to find.
Dependencies and Compatibility
Patching does not occur in a vacuum, and a single patch can easily domino into multiple other tasks. Because infrastructures are made up of multiple assets that can be complexly intertwined, it is rare that maintenance can take place on one application without affecting others. Consequently, when identifying that a vulnerability is present, security teams must then ascertain which systems are directly and indirectly impacted. Compatibility issues are a frequent source of this extra work: depending on the version currently being run or custom configurations, a patch may not work. This introduces additional challenges, as it must then be determined whether upgrading will introduce conflicts with other systems and what it would take to resolve them.
The Inconvenience of Downtime
Given this interconnectedness, the patching process can often interrupt essential business functions. And with the prevalence of remote and global companies, there are fewer stretches of time in which no one is expected to be working. It is no small matter to have to take central systems or services offline for an extended period of time in order to deploy a patch. It may even require sign off from different parties within an organization, making it even more challenging to coordinate. Even when there is general acknowledgement that a patch needs to be applied, it can be difficult to get approval when it requires disrupting regular operations that keep an organization functioning.
Identifying Patching Needs
With these challenges in mind, what can organizations do? Reffkin stresses the need for well-coordinated procedures. Two particular areas to concentrate on start at the beginning of the process: finding vulnerabilities and deciding which ones to focus on. Zurro notes that many organizations don’t have full visibility into what vulnerabilities are present in their infrastructure. By using vulnerability management solutions, organizations can get a clearer picture of which systems may be at risk. Enterprise-grade VM solutions offer automated workflows, risk scoring, and initial prioritization suggestions. This greatly reduces the need for manual intervention until it is time to establish exactly which patches should be focused on.
Patching Prioritization
There are multiple elements to consider when it comes to deciding which patches should be deemed most critical.
Vulnerability Severity | How severe is a vulnerability?
Though not a concrete rule, vulnerabilities with higher CVSS scores tend to warrant more attention. Vulnerability scanners often incorporate these scores into their rating systems.
Exploitability | How accessible is the affected asset?
Public facing systems are more exposed and should typically be prioritized, since they can be exploited by attackers without needing access to an internal network.
Business Impact | What are the possible outcomes on the organization if a vulnerability is exploited?
This requires assessing the value of the data at risk, the potential for service disruption, or other negative consequences. Pen testing is the most effective way to determine the potential aftermath of an exploitation attempt.
Threat Landscape | What vulnerabilities are new, actively being exploited, or are getting a lot of news attention?
The popularity of a vulnerability may make it worth moving up on the priority list.
Patch Availability | Is a reliable patch ready to implement?
If a patch that is compatible with your current system configuration is unavailable, it is worth assessing whether it is safe enough to wait for one that is or if system alterations are warranted.
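The five prioritization elements above, together with the ideal remediation windows quoted earlier from the Verizon report (15 days for critical vulnerabilities, 30-60 days otherwise), can be turned into a simple, repeatable ranking. The following Python example is added here for illustration and is not code from Fortra, Core Security, or the report; the weights, the SLA thresholds applied to each finding, the "FINDING-n" identifiers and the sample findings are all constructed assumptions, chosen only to show how the factors combine into an ordered work queue and how overdue items are surfaced.

```python
from dataclasses import dataclass
from datetime import date

# Assumed remediation windows, taken from the ideal cycles quoted in the article:
# 15 days for critical findings, 30 days for everything else (the low end of 30-60).
CRITICAL_SLA_DAYS = 15
STANDARD_SLA_DAYS = 30


@dataclass
class Finding:
    """One vulnerability on one asset, with the five prioritization inputs."""
    finding_id: str          # placeholder id; a real feed would carry a CVE id
    asset: str
    cvss: float              # vulnerability severity (0.0 - 10.0)
    internet_facing: bool    # exploitability: reachable without internal access
    asset_criticality: int   # business impact proxy, 1 (low) to 5 (crown jewel)
    actively_exploited: bool # threat landscape: known in-the-wild exploitation
    patch_available: bool    # patch availability
    discovered: date


def priority_score(f: Finding) -> float:
    """Weighted score; higher means patch sooner. Weights are assumptions."""
    score = f.cvss * 10                     # severity: 0-100
    if f.internet_facing:
        score += 20                         # exposure bonus
    score += f.asset_criticality * 5        # business impact: 5-25
    if f.actively_exploited:
        score += 25                         # active exploitation bonus
    return score


def sla_days(f: Finding) -> int:
    """A finding is treated as critical if CVSS >= 9.0 or it is actively exploited."""
    return CRITICAL_SLA_DAYS if (f.cvss >= 9.0 or f.actively_exploited) else STANDARD_SLA_DAYS


def days_open(f: Finding, today: date) -> int:
    return (today - f.discovered).days


def rank(findings: list[Finding], today: date) -> list[dict]:
    """Return findings as an ordered work queue with SLA status and next action."""
    queue = []
    for f in findings:
        open_days = days_open(f, today)
        queue.append({
            "id": f.finding_id,
            "asset": f.asset,
            "score": priority_score(f),
            "sla_days": sla_days(f),
            "days_open": open_days,
            "overdue": open_days > sla_days(f),
            # No compatible patch: track and apply compensating controls instead.
            "action": "patch" if f.patch_available else "mitigate-and-track",
        })
    return sorted(queue, key=lambda row: row["score"], reverse=True)


def overdue_ratio(findings: list[Finding], today: date) -> float:
    """Share of findings past their SLA, the metric the Verizon figures describe."""
    rows = rank(findings, today)
    return sum(1 for r in rows if r["overdue"]) / len(rows)


# Constructed sample findings (not real data).
SAMPLE_FINDINGS = [
    Finding("FINDING-1", "web-gateway", 9.8, True, 5, True, True, date(2024, 5, 10)),
    Finding("FINDING-2", "hr-db", 7.5, False, 5, False, True, date(2024, 4, 1)),
    Finding("FINDING-3", "dev-wiki", 6.1, True, 2, False, False, date(2024, 5, 25)),
    Finding("FINDING-4", "print-server", 4.3, False, 1, False, True, date(2024, 5, 1)),
]

if __name__ == "__main__":
    for row in rank(SAMPLE_FINDINGS, date(2024, 6, 1)):
        print(row)
    print("overdue ratio:", overdue_ratio(SAMPLE_FINDINGS, date(2024, 6, 1)))
```

The point of the `action` field is the last element in the list: an unpatchable finding still earns its place in the queue, but the work item becomes a compensating control and a follow-up date rather than a deployment. Tuning the weights is a policy decision; the value of the script is that the decision is written down and applied the same way to every finding.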
Effective and Achievable Patch Management
The number of patches being released on a regular basis can easily become overwhelming. For example, Microsoft alone released over 900 patches in 2023. Instead of trying to tackle patching as though it is a singular problem, Reffkin emphasizes that the best way to successfully handle patch management is in a piecemeal fashion. This means being realistic about what’s possible, using tools to streamline where possible, and intelligently prioritizing deployment to focus on protecting your organization’s crown jewels. “Step-by-step” is cliché for a reason, and it remains a useful approach in the realm of patch management. By breaking down the process into manageable pieces, organizations can efficiently address vulnerabilities without becoming bogged down by the sheer volume of updates.
Get more insights from the 2024 Pen Testing Report
Learn about different approaches to, common challenges with, and the overall development of offensive security from an annual survey of cybersecurity professionals.