How to bring your patch management up to speed

Keeping a business secure is one of the most demanding parts of the IT department’s job. As our industry evolves to offer new ways of working – think cloud, mobile, and social – those who set out to harm businesses are following suit and leveraging these new mediums to carry out cyber attacks.

Whether it’s a malware attack, data breach, attempted Intellectual Property (IP) theft, or government-backed cyber espionage, threats are evolving all the time and come from many different angles.

One of the most interesting aspects of the current information security landscape is that, while high-profile breaches may seem to be caused by today’s massive trends such as cloud computing and enterprise mobility, the greatest security headaches for businesses are actually caused by something far simpler to spot: software vulnerabilities.

Most of these incidents can be prevented. The 2015 Verizon Data Breach Report revealed that over 90% of attacks exploited known vulnerabilities for which patches were available. 'Many existing vulnerabilities remain open, primarily because security patches that have long been available were never implemented. In fact, many of the vulnerabilities are traced to 2007 — a gap of almost eight years,' the report says.

This raises the issue of fast patching and how businesses can ensure they are running the latest, most secure versions of their software. For many years, acceptable patch cycles were measured in months.

It meant waiting for Patch Tuesday, the one day of the month on which Microsoft rolls out its latest security fixes, patches and other improvements, and then starting a process of evaluating and testing those patches that consumed a large part of the IT and security teams’ time.

While it’s obviously good that Microsoft has an update cycle you could set your watch by, it has meant that on occasion businesses were left unsecured and exposed for months.


This is changing. The current software on our smartphones has shown that updates can be continuous and part of the operating system itself. Google Chrome has shown that continuous updates are also possible in desktop software, and it sports an excellent track record as far as data breaches go: so far 0% have been attributed to any hole in this popular browser.

Vulnerabilities in Chrome have been quite plentiful (over 200 in the last three years), but they are addressed and updates rolled out on such a quick schedule that the window for the attacker is too small to be interesting.

Microsoft seems to be moving in a similar direction, first with continuous updates to its Windows app store and now with the upcoming change in Windows 10.

Again, we know this experience from consumer technology products – how many times per day do people have to update their iOS devices, or apps on their Android devices? The experience users have of managing their own updates is something that enterprise IT teams can benefit from. Enterprises need to learn from and catch up with the consumer space.

Constant updating is now part of so many applications and systems, and it ensures that security vulnerabilities are patched at the earliest opportunity.

The reality is that many businesses are still tied to their software suppliers’ release cycles. Oracle, for example, still operates on a quarterly release cycle. In some ways, this is a good approach for businesses as it enables them to prepare for each and every update, making sure their systems are ready for whatever Oracle has to roll out. The applications themselves will be big mission-critical systems, so thorough testing for compatibility issues also has to be factored in.

So how can enterprises shift their patching strategy to align with this new world order? Let’s take a look at some patching strategies and other things to consider:

First things first, you need the raw fuel required for continuous monitoring of computer security: the asset inventory, configuration and vulnerability data gathered by your scanner. Without fresh data, monitoring is not continuous, and your computer systems will be at risk.

Important computer systems should be scanned daily and your strategic, high-value assets multiple times daily – or better still, continuously. You need to know, in real-time, what vulnerabilities exist and if they affect you.

You also need to know just how critical they are. Fixing all vulnerabilities at once is practically impossible – especially in large organisations, where the amount of vulnerability data can be overwhelming. A functional vulnerability management (VM) system allows you to automatically segment, categorise, rank and prioritise vulnerabilities to determine the most critical issues that could impact the most critical systems.

Smart VM systems know which patches are cumulative and contain or supersede the older patches, so they should be able to indicate the most efficient patch for you to apply to a vulnerability.
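The three points above (fresh scan data, ranking by severity and asset criticality, and collapsing findings onto the newest cumulative patch) fit together in a few dozen lines. The following is an added example written for this article; it is not code from the article, from Qualys, or from any scanner product. The asset names, patch identifiers, scan intervals and severity values are all constructed assumptions.

```python
"""Added example, not code from the article or from Qualys: checks that scanner
data is fresh enough to count as continuous monitoring, ranks findings by
severity times asset criticality, and collapses them onto the newest cumulative
patch. Every identifier and data value below is constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed clock so the example is reproducible (constructed).
NOW = datetime(2015, 6, 1, 12, 0, tzinfo=timezone.utc)

# Constructed asset inventory: criticality 1 (low) .. 5 (mission critical)
# and the time of the last completed scan.
ASSETS = {
    "web-01":   {"criticality": 5, "last_scan": NOW - timedelta(hours=2)},
    "hr-db":    {"criticality": 4, "last_scan": NOW - timedelta(days=3)},
    "kiosk-07": {"criticality": 1, "last_scan": NOW - timedelta(days=2)},
}

# Constructed patch metadata (hypothetical IDs): newer cumulative patch -> patches it replaces.
SUPERSEDES = {
    "KB-1003": ["KB-1002"],
    "KB-1002": ["KB-1001"],
}

# Constructed scanner findings: (asset, vulnerability id, CVSS-style severity, fixing patch).
FINDINGS = [
    ("web-01",   "VULN-A", 9.8, "KB-1001"),
    ("web-01",   "VULN-B", 7.5, "KB-1002"),
    ("hr-db",    "VULN-C", 5.0, "KB-2001"),
    ("kiosk-07", "VULN-A", 9.8, "KB-1001"),
    ("hr-db",    "VULN-D", 3.1, "KB-1003"),
]


def max_scan_age(criticality):
    """Assumed freshness bands: high-value assets several times a day, important
    assets daily, everything else weekly."""
    if criticality >= 5:
        return timedelta(hours=6)
    if criticality >= 3:
        return timedelta(days=1)
    return timedelta(days=7)


def stale_assets(assets, now):
    """Assets whose vulnerability data is too old for continuous monitoring."""
    return sorted(name for name, a in assets.items()
                  if now - a["last_scan"] > max_scan_age(a["criticality"]))


def build_superseded_by(supersedes):
    """Invert the supersedence map: old patch -> the newer patch that replaces it."""
    return {old: newer for newer, olds in supersedes.items() for old in olds}


def effective_patch(patch_id, superseded_by):
    """Follow the supersedence chain to the newest cumulative patch, rejecting cycles."""
    seen = set()
    while patch_id in superseded_by:
        if patch_id in seen:
            raise ValueError("cycle in supersedence data at %s" % patch_id)
        seen.add(patch_id)
        patch_id = superseded_by[patch_id]
    return patch_id


def prioritise(findings, assets, supersedes):
    """Rank findings by severity x asset criticality, resolving each to its effective patch."""
    superseded_by = build_superseded_by(supersedes)
    ranked = [{"asset": asset, "vuln": vuln,
               "score": round(severity * assets[asset]["criticality"], 1),
               "patch": effective_patch(patch, superseded_by)}
              for asset, vuln, severity, patch in findings]
    ranked.sort(key=lambda f: (-f["score"], f["asset"], f["vuln"]))
    return ranked


def patch_plan(ranked):
    """Group ranked findings by (asset, effective patch) so one cumulative patch
    closes several findings; ordered by the highest-scoring finding each closes."""
    groups = defaultdict(list)
    for f in ranked:
        groups[(f["asset"], f["patch"])].append(f)
    plan = [{"asset": asset, "patch": patch,
             "vulns": [f["vuln"] for f in fs], "score": fs[0]["score"]}
            for (asset, patch), fs in groups.items()]
    plan.sort(key=lambda g: (-g["score"], g["asset"], g["patch"]))
    return plan


if __name__ == "__main__":
    print("stale scan data:", stale_assets(ASSETS, NOW))
    for g in patch_plan(prioritise(FINDINGS, ASSETS, SUPERSEDES)):
        print(g)
```

Two design choices worth noting: the staleness check runs before prioritisation, because a ranking built on three-day-old data for a critical database is misleading rather than merely incomplete; and supersedence is resolved by walking a chain rather than a single lookup, since real patch catalogues chain several cumulative updates together and a malformed catalogue can loop.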

For individual PCs or other IT assets such as networks and web applications, the testing process may be time-consuming and expensive compared to the value of the updates and of what’s being protected.

The risk that an update will not work or will affect another system should be low, so it can be more beneficial to close off vulnerabilities as soon as possible. This reduces the exposure to security holes, or to phishing attacks that users may fall for.

Improving your patch management

Many of the patching and update methods discussed here have their benefits and drawbacks for businesses. However, one thing is clear: many organisations have to improve their patch management.

It’s no longer sufficient to patch every quarter or even every month. New security threats are discovered all the time so businesses must be prepared to patch all the time as well.

To make patch management work in the future, it’s worth auditing your application estate and seeing how often each application is updated over time. By looking at how often these applications are updated – as well as how critical those services are to the business – it’s possible to sort your applications into three groups based on how much testing and management each one will need around patching.

For some applications, the continuous update approach that Google deploys – with no user interaction – may be appropriate. For others, a managed 'continuous update' approach may be more appropriate. This will see updates rolled out as soon as they come through, but only at the IT team’s direction.

For the third group, the need for testing and validation around integrations may mean that a more traditional patch management approach is preferred. This includes full QA testing and checks against other applications that rely on data from the specific system, to confirm that there are no unforeseen issues.


However you mix your application patching strategies, you can build up a picture of how often each application will be updated and how to manage this over time.

There may be exceptions to these groupings – for example, a critical application facing a zero-day attack with live exploit code available may need to be patched faster than would otherwise be the case.
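The grouping procedure described above (audit the estate for update cadence and criticality, place each application in one of three patching groups, and let a zero-day with live exploit code override the group’s normal deadline) can be written down as an explicit decision rule. The following is an added example for this article, not code from the article or from Qualys; the thresholds, deadlines and application data are constructed assumptions that a real organisation would replace with its own.

```python
"""Added example, not code from the article: assigns applications to the three
patching groups the article describes and applies the zero-day exception.
Thresholds, deadlines and the application estate are constructed assumptions."""
from dataclasses import dataclass


@dataclass
class App:
    name: str
    updates_per_year: int        # observed release cadence from the estate audit
    criticality: int             # 1 (low) .. 5 (mission critical), set by the business
    integrations: int            # downstream systems that consume this application's data
    active_exploit: bool = False  # live exploit code exists for an open vulnerability


# Assumed patch deadlines per group, in days from patch availability.
GROUP_DEADLINE_DAYS = {
    "continuous": 0,           # vendor auto-update, no user interaction
    "managed-continuous": 7,   # rolled out as soon as it arrives, at IT's direction
    "traditional": 30,         # full QA cycle and integration checks first
}
ZERO_DAY_DEADLINE_DAYS = 1     # assumed exception: live exploit code, patch within a day

# Assumed thresholds for the audit figures.
FREQUENT_UPDATES_PER_YEAR = 12
LOW_CRITICALITY = 2
FEW_INTEGRATIONS = 2


def assign_group(app: App) -> str:
    """Frequently updated, low-impact, standalone software can auto-update;
    frequently updated software with few integrations gets a managed rollout;
    slow-moving or integration-heavy systems keep a traditional QA cycle."""
    frequent = app.updates_per_year >= FREQUENT_UPDATES_PER_YEAR
    if frequent and app.criticality <= LOW_CRITICALITY and app.integrations == 0:
        return "continuous"
    if frequent and app.integrations <= FEW_INTEGRATIONS:
        return "managed-continuous"
    return "traditional"


def patch_deadline_days(app: App) -> int:
    """The group's deadline, shortened when live exploit code exists regardless of group."""
    deadline = GROUP_DEADLINE_DAYS[assign_group(app)]
    if app.active_exploit:
        return min(deadline, ZERO_DAY_DEADLINE_DAYS)
    return deadline


def patch_schedule(apps):
    """(name, group, deadline_days) for each application, most urgent first."""
    rows = [(a.name, assign_group(a), patch_deadline_days(a)) for a in apps]
    return sorted(rows, key=lambda r: (r[2], r[0]))


# Constructed estate: a browser, a SaaS client, an ERP system and its reporting module.
ESTATE = [
    App("browser", updates_per_year=52, criticality=2, integrations=0),
    App("crm-client", updates_per_year=24, criticality=4, integrations=2),
    App("erp", updates_per_year=4, criticality=5, integrations=9),
    App("erp-reporting", updates_per_year=4, criticality=5, integrations=3, active_exploit=True),
]

if __name__ == "__main__":
    for name, group, days in patch_schedule(ESTATE):
        print(f"{name:14} {group:20} patch within {days} day(s)")
```

The override is deliberately applied after grouping rather than by moving the application into a faster group: the application still needs its integration testing in the normal case, and what the exception changes is only how long the business is willing to wait while an exploit is in circulation.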

However, what is important here is that businesses really need to wake up to this new way of doing things. It’s how employees live their digital lives outside the office – always-on connectivity that is updating all the time and providing users with a safe environment. It’s a lesson IT departments should follow where possible: update often, and as soon as a patch becomes available.

Sourced from Wolfgang Kandek, CTO, Qualys


Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...
