{"id":244,"date":"2024-09-16T10:00:00","date_gmt":"2024-09-16T10:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=244"},"modified":"2024-09-16T10:00:00","modified_gmt":"2024-09-16T10:00:00","slug":"patch-management-a-dull-it-pain-that-wont-go-away","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=244","title":{"rendered":"Patch management: A dull IT pain that won\u2019t go away"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Enterprise security patching remains a challenge despite improvements in both vulnerability assessment and update technology.<\/p>\n<p>Competing priorities, organizational challenges, and technical debt continue to transform an ostensibly straightforward aim of keeping systems up to date into a major headache, according to IT experts quizzed by CSO.<\/p>\n<p>Because of these and other issues, approximately 60% of enterprise applications remain unpatched six months after a vulnerability is disclosed, according to cloud security vendor Qualys. The industry average for patching critical vulnerabilities within the first 30 days is around 40%.<\/p>\n<p>Application creep isn\u2019t doing enterprise IT any favors. A <a href=\"https:\/\/adaptiva.com\/hubfs\/Infographics\/Adaptiva-State-of-Patch-Management-Infographic.pdf\">recent survey<\/a> from patch management firm Adaptiva found that, on average, organizations manage 2,900 applications. 
That\u2019s a lot of potential patching to do given that the number of detected vulnerabilities continues to grow.<\/p>\n<p>And it all serves to ensure greater likelihood of business disruption.<\/p>\n<p>\u201cThe more patches an organization has to deploy, the higher the risk of downtime due to reboots or a patch breaking a business application,\u201d Eran Livne, senior director of product management at Qualys, tells CSO.<\/p>\n<p>Here\u2019s a look at the current state of patching in the enterprise \u2014 with advice from IT experts on developing a more robust <a href=\"https:\/\/www.csoonline.com\/article\/565104\/6-steps-for-a-solid-patch-management-process.html\">patch management strategy<\/a> in the face of ongoing issues.<\/p>\n<h2 class=\"wp-block-heading\">Automation \u2014 and its shortcomings<\/h2>\n<p>In recent years, patch management has become a <a href=\"https:\/\/www.csoonline.com\/article\/563185\/patch-management-not-for-the-faint-of-heart.html\">risk reduction practice<\/a>, with organizations aligning security and remediation workflows and prioritizing which vulnerabilities to fix based on calculations around security exposure, the likelihood of downtime due to misfiring updates, and what that downtime might subsequently cost the business.<\/p>\n<p>Knowing the playing field and having clear remediation policies are key, says Sanjay Macwan, CIO and CISO at communications platform Vonage.<\/p>\n<p>\u201cBusinesses should ensure they have an up-to-date asset inventory to keep track of all the components that require patches, as well as formal, stringent policies for each team to follow in order to coordinate timely, effective patches,\u201d Macwan says. 
\u201cPatches should be assigned risk levels to determine the order in which they are tackled, and teams should be given clear deployment processes, including post-patch monitoring to catch critical errors.\u201d<\/p>\n<p>Here, Qualys\u2019 Livne advocates use of automation tools \u201cto help reduce the manual work involved in responding to the vast number of vulnerabilities, especially vulnerabilities that are \u2018easy\u2019 to fix, such as browsers, media players, and document readers.\u201d<\/p>\n<p>With automation targeting lower-priority patching, IT operations and security teams can be freed up to concentrate on critical and time-sensitive security fixes.<\/p>\n<p>But despite their promise to reduce workload, cut down on errors, and speed up patch delivery, automated tools have their limitations, says Rich Newton, managing consultant at Pentest People.<\/p>\n<p>\u201cTool-recommended patch priorities based on vulnerability severity may not always align with the organization\u2019s specific risk tolerance or business objectives, emphasizing the need for human oversight,\u201d Newton tells CSO. \u201cRelying solely on a patch management solution, especially in complex IT environments, can be futile. 
Not all systems can be fully supported by automated tools, making it essential to have policies and procedures in place for continuous monitoring and assessment of the patch status across the entire IT estate.\u201d<\/p>\n<p>Elie Feghaly, CSO at global broadcast technology company Vizrt, agrees that, although vulnerability assessment and automated patching tools are highly useful, they are no panacea.<\/p>\n<p>\u201cAutomated remediation roles on complicated IT environments seldom blend well with highly dynamic, and potentially error-prone environments,\u201d Feghaly says.<\/p>\n<h2 class=\"wp-block-heading\">The legacy factor \u2014 and lingering issues<\/h2>\n<p>Moreover, the vast majority of complex IT environments also run substantial amounts of legacy software that is no longer patched by the vendor, points out Martin Biggs, vice president and managing director for EMEA and strategic initiatives at Spinnaker.<\/p>\n<p>\u201cWhere patches are available, they can be highly disruptive and need extensive regression testing before deploying,\u201d Biggs says.<\/p>\n<p>For sensitive environments, it can be nearly impossible to patch, even when a patch is available. 
In other scenarios, applying a patch fails to solve the underlying vulnerability, which is only addressed in subsequent updates, Biggs warns.<\/p>\n<p>\u201cIt\u2019s quite usual in the Oracle world for the same vulnerability to be re-addressed in patches for many quarters after the original patch,\u201d according to Biggs.<\/p>\n<p>With such factors at play, it\u2019s little wonder that many <a href=\"https:\/\/www.csoonline.com\/article\/554411\/why-patching-is-still-a-problem-and-how-to-fix-it.html\">patch management strategies are broken<\/a> today.<\/p>\n<h2 class=\"wp-block-heading\">Testing takes center stage<\/h2>\n<p>Vizrt\u2019s Feghaly points out another common issue enterprises face with patch management.<\/p>\n<p>\u201cWe have all experienced this: A patch works flawlessly in the staging or test lab, and yet generates great havoc in production due to an unexpected dependency on another application,\u201d Feghaly says.<\/p>\n<p>\u201cExternal factors or dependencies are why testing is still paramount.\u201d<\/p>\n<p>July\u2019s high-profile outages caused by CrowdStrike\u2019s <a href=\"https:\/\/www.csoonline.com\/article\/3477061\/crowdstrike-blames-testing-shortcomings-for-windows-meltdown.html\">problematic Falcon content update<\/a>, which crashed systems across the world, have put the importance of testing prior to patch deployment back in the spotlight.<\/p>\n<p>\u201cVulnerability assessment and automated patching tools can significantly alleviate the challenges associated with patch management by providing continuous monitoring, identifying vulnerabilities in real-time, and automating the deployment of patches without manual intervention,\u201d says Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest. \u201cHowever, their effectiveness depends on proper configuration, regular updates, and integration with broader security practices. 
Patches should be thoroughly tested and initially deployed to a smaller subset of systems to minimize the risk of outages from faulty patches.\u201d<\/p>\n<p>Here, automated testing environments can help reduce the risk of disruption, says Thomas Richards, associate principal at the Synopsys Software Integrity Group. But not if you have limited visibility into what must be patched in the first place.<\/p>\n<p>\u201cThe challenge we often see our customers experience is getting the tools configured properly to scan and patch all the live systems within their organization,\u201d Richards says. \u201cThere are a variety of reasons why systems may not be covered by this process, including legacy devices, misconfigurations, shadow IT, and systems that should be decommissioned but remained online.\u201d<\/p>\n<p>Richards concludes: \u201cThe most important part of having a patching program is to ensure all systems are covered by it and are being patched regularly.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Bridging the cultural divide<\/h2>\n<p>Dave Harvey, director of the cyber response team at KPMG UK, says that, in addition to proper prioritization and remediation, a successful patch management strategy depends on \u201cthe integration of effective cyber threat intelligence, regular review, and effective collaboration between IT and security teams.\u201d<\/p>\n<p>To that last point, Madeline Lawrence, CBO at Aikido Security, says that engineering teams can often be left feeling \u201coverwhelmed and annoyed\u201d when dealing with security vulnerabilities.<\/p>\n<p>There\u2019s a total mindset disconnect between security teams \u201ctaught to consider every possibility\u201d and developers who love \u201cshortcuts and efficiency,\u201d she adds.<\/p>\n<p>\u201cTo many developers, the security teams showing up with requests is like chaperones crashing the party,\u201d Lawrence explains. 
\u201cThis fundamental difference in approach and priorities creates significant challenges for organizations trying to get IT operations and security teams to work more closely together in resolving security vulnerabilities.\u201d<\/p>\n<p>\u201cBridging this gap isn\u2019t just about new tools or processes \u2014 it requires addressing the cultural and communication divide between these essential but often misaligned teams,\u201d she says.<\/p>\n<p>At the center of this divide is the fact that IT operations teams prioritize system uptime and performance, while security teams focus on mitigating threats. This tension often leads to conflicts and delays in addressing security issues.<\/p>\n<p>\u201cThis challenge is further complicated by the complexity of modern IT environments, which span multiple platforms and make it difficult to maintain visibility and control,\u201d Christiaan Beek, senior director of threat analytics at Rapid7, told CSO. \u201cIt\u2019s also common to see differing risk tolerances between the teams that can lead to disagreements about which vulnerabilities to prioritize, delaying necessary actions.\u201d<\/p>\n<p>To get IT operations, software developers, and security teams on the same page, Qualys\u2019 Livne advises focusing on common goals.<\/p>\n<p>\u201cFrom a team perspective, look at how you can create shared goals across developer, IT operations, and security teams to work together and deliver better results. Working on common objectives makes it easier to collaborate, communicate and eliminate risks,\u201d he says. 
\u201cThis also improves accountability across all the teams involved, rather than shifting blame between teams, as has happened in the past.\u201d<\/p>\n<p>Pentest People\u2019s Newton adds: \u201cSignificant improvements in patching practices can be made by establishing joint ownership of patch delivery between IT and security teams.\u201d<\/p>\n<p>KPMG UK\u2019s Harvey agrees, adding that successful companies infuse secure practices early in their development processes.<\/p>\n<p>\u201cIntegrating their security and risk resources into the development process from the start has enabled that improved understanding so that systems are designed and built secure rather than having security applied as an afterthought,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">The bottom line? Data-based decision-making<\/h2>\n<p>To understand their risk, enterprises should monitor IT assets in real-time, giving them insights into issues across their infrastructure as soon as possible.<\/p>\n<p>At the same time, not all issues are created equal. Less than 1% of CVE issues released this year have been exploited, so it\u2019s best to concentrate on risks that matter to the business \u2014 and to do so by following the data.<\/p>\n<p>\u201cThis will help you make decisions based on data, and you can communicate around those risks with other teams, too,\u201d Qualys\u2019 Livne says.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Enterprise security patching remains a challenge despite improvements in both vulnerability assessment and update technology. Competing priorities, organizational challenges, and technical debt continue to transform an ostensibly straightforward aim of keeping systems up to date into a major headache, according to IT experts quizzed by CSO. 
Because of these and other issues, approximately 60% of [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":245,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-244","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/244"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=244"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/244\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/245"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=244"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=244"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=244"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}