{"id":1129,"date":"2024-12-06T03:48:14","date_gmt":"2024-12-06T03:48:14","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1129"},"modified":"2024-12-06T03:48:14","modified_gmt":"2024-12-06T03:48:14","slug":"cisos-still-cautious-about-adopting-autonomous-patch-management-solutions","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1129","title":{"rendered":"CISOs still cautious about adopting autonomous patch management solutions"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Failing to patch vulnerabilities keeps biting CISOs.<\/p>\n<p>The most recent evidence: Last month, the Five Eyes cybersecurity agencies in the US, the UK, Australia, Canada, and New Zealand <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa24-317a\">reported that the top 15 vulnerabilities routinely exploited last year<\/a> included one that dated back to 2020 (a Microsoft Netlogon hole); one that dated back to 2021 (in the Log4j2 open source logging framework); and one that dated to 2022 (a hole affecting multiple products using Zoho ManageEngine).<\/p>\n<p>Outside the top 15 are other aging vulnerabilities that regularly go unpatched, including one that dates back to 2017 in devices running Cisco Systems\u2019 IOS and IOS XE software.<\/p>\n<p>To meet this challenge, on-prem or cloud-based automated or autonomous firmware and software patch management applications should be part of a CISO\u2019s toolkit, experts say.<\/p>\n<p>There are plenty to choose from. 
A wide number of IT operations management and security vendors offer patch management solutions, including\u00a0 ManageEngine, Heimdal, ConnectWise, Atera, Action1, NinjaOne, SecPod SanerNow, SolarWinds, Automox, Kaseya VSA and Pulseway.<\/p>\n<p>The latest, which launched this week, is Tenable Patch Management. Tenable says the solution, which includes automatic patch testing to block problematic updates from being installed, shortens the time from discovery of a vulnerability to remediation.<\/p>\n<p>However, CISOs are still cautious about adopting autonomous solutions. According to a recent Forrester Research survey, only 27% of 510 security decision-makers said their organization currently uses a patch management solution. Another 30% said they are willing to buy such a solution.<\/p>\n<p>Why the reticence? \u201cFear of breaking something\u201d if an untested patch is installed, said Erik Nost, a Forrester senior analyst.<\/p>\n<p>However, experts warn infosec leaders against relying solely on automation for the collection and deployment of updates. \u201cI don\u2019t fully buy into 100% reliance on any single patch management capability,\u201d said Fritz Jean-Louis, a cybersecurity advisor at Info-Tech Research, \u201cbecause if you do so, you do it at your own risk. Now you\u2019re relying on a single point of failure that can be catastrophic to your organization. That is not good risk management. You want to have some level of automation, because as CISOs we\u2019re struggling with a workforce gap \u2026 but it will be up to individual organizations to decide how much automation is sufficient.\u201d<\/p>\n<p>He added, \u201cmy recommendation is for those less critical applications, allow full automation. But for critical applications I know could bring down my entire organization, I would want to review them as part of my change management process.\u201d<\/p>\n<p>Forrester\u2019s Nost agreed, suggesting a \u201ccrawl, walk, run\u201d strategy. 
\u201cThere are ways of automating beyond just installing the patch. You can automate vulnerability assessment and prioritization. You can automate ticket creation\u201d and other steps before going to full automation.<\/p>\n<p>A patch management solution, he added, has to fit within an organization\u2019s patch management strategy, which includes deciding which applications need to be patched first.<\/p>\n<p>Whatever autonomous solution the CIO\/CISO chooses, Nost added, it should allow a patch to be initially deployed to a test group of systems for stability feedback before full deployment.<\/p>\n<p>The crash of millions of Windows PCs around the world in July 2024 following the release of a faulty CrowdStrike sensor update is an argument that critical applications can\u2019t be left to autonomous patching systems. <a href=\"https:\/\/www.csoonline.com\/article\/3477061\/crowdstrike-blames-testing-shortcomings-for-windows-meltdown.html\">CrowdStrike admitted a problem in its testing of a content update was at fault<\/a>.<\/p>\n<p>Analysts CSO spoke to differed on whether current autonomous patching applications could have caught that flaw. 
And Jean-Louis of Info-Tech Research noted that many infosec leaders would in any case have trusted an update coming from CrowdStrike.<\/p>\n<p>\u201cSetting up a finely controlled patching process with an automated patching solution will avoid an issue similar to the CrowdStrike outage,\u201d Michelle Abraham, research director for security and trust at IDC, said in an email, \u201cbecause once the first subset of machines has problems with the patch, the process is halted until the issues are resolved.\u201d<\/p>\n<p>When choosing a patch management solution, infosec leaders should define their use cases (for example, do you need a solution that works with multiple operating systems?); define their criteria for the product (what\u2019s important: cost, ease of use, learning curve, whether it offers patch scheduling, whether it complies with the regulations you need to follow, whether you want a cloud-based solution, whether it looks after virtual machines and containers); and check with peers about their experience with the solution.<\/p>\n<p>However, Ray Komar, Tenable\u2019s vice-president of cloud and technology alliances, noted that the actual decision on a product may be made by the IT group; the CISO or infosec leader may only have input into the decision.<\/p>\n<p>The decision maker should look for a solution that can be based around the IT department\u2019s patch policies, he said in an interview.<\/p>\n<p>The solution should be autonomous, he added, not automatic. \u201cAutonomous means you set it up, apply the level of controls you feel is appropriate. The machine does the work, but within it you can engineer human checkpoints as part of your patching strategy \u2014 an approval, a dependency or something else. You want to ensure that you, or a business group, have the ability to kill [a patch].\u201d<\/p>\n<p>Automated patch management is not essential, said Frank Dickson, group vice-president of IDC\u2019s security and trust research unit. 
But, he added, it is a best practice.\u00a0\u201cThe scale of vulnerabilities is just too big.\u00a0Validating every patch on low severity vulnerabilities on non-critical systems is impractical.\u00a0Patching is still important. Most organizations are good at protecting critical systems and the \u2018crown jewels.\u2019\u00a0 However, less critical systems can still be gateways for a breach.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Failing to patch vulnerabilities keeps biting CISOs. The most recent evidence: Last month, the Five Eyes cybersecurity agencies in the US, the UK, Australia, Canada, and New Zealand reported that the top 15 vulnerabilities routinely exploited last year included one that dated back to 2020 (a Microsoft Netlogon hole); one that dated back to 2021 [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1110,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1129","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1129"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1129"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1129\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1110"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1129"}],"w
p:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1129"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1129"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}