The patch management challenge - why is this still so difficult to achieve?

We all know that patching is important, and we all champion efficient management around updates. We also all know the risks of a data breach if something goes wrong. So why is the practical process of updating systems across the enterprise still so difficult? What can we do to improve this?

The answers here involve better use of technology. But they also include taking a harder look at how we organize our teams, manage those processes, and create incentives to guide behavior.

Why are we still here?

To start with, let’s look at where we are with patching. The Ponemon Institute says that almost half of all companies had one or more data breaches during the two years before its survey. Of those breaches, 60 percent were attributed to known vulnerabilities for which a patch was available but had not been applied. According to Gartner, despite worldwide spending on security growing to more than US$150 billion during 2021, these known problems are still difficult to deal with.

These unpatched assets can be the route in for ransomware attacks. For example, the Conti ransomware group uses multiple approaches to attack potential targets. It looks for unpatched problems like the 2017 Microsoft Windows Server Message Block (SMBv1) vulnerability exploited by EternalBlue, for which Microsoft shipped a fix (MS17-010) in March 2017. Conti attacks can lead to ransom demands and threats to release stolen data if the ransom is not paid.

This shows the importance of deploying available patches. Patching an individual asset for an individual vulnerability is not hard. Yet IT and security teams have not been able to keep up with the pace because their current processes are siloed and require manual effort. IT teams also face problems when their IT estates are not fully visible and when they struggle to keep up with their existing workflows and responsibilities.

Asset control is the starting point

Asset control and an accurate inventory are the starting point for improving patching and vulnerability management. An accurate asset list makes it possible to measure the effectiveness of patch management: you can only report what percentage of assets is patched if you know how many assets you have. Without it, you are hoping that nothing is missed.

An accurate list of assets also delivers other benefits. It shows where the most effort is needed to prevent issues. It also makes it easier to identify devices exposed to vulnerabilities that are currently being exploited in the wild. This helps you prioritize specific assets or applications for faster patch deployment, depending on the business and the level of risk it is willing to accept.
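The two uses of an inventory described above, reconciling scanner output against it to find unmanaged assets, and ranking findings by exploitation status and asset criticality, look like this in practice. This is an added example written for this page, not code from the article or from any vendor product; the inventory, the scan results and the "exploited in the wild" list are constructed stand-ins for a CMDB export, a vulnerability-scanner export and a threat-intelligence feed, and the vulnerability identifiers are placeholders rather than real CVEs.

```python
"""Reconcile a patch scan against the asset inventory and rank what to fix first.

Added example, not from the original article. All data below is constructed:
the inventory, the scan results and the exploited-vulnerability list stand in
for a CMDB export, a scanner export and a threat-intelligence feed.
"""
from dataclasses import dataclass

# Constructed inventory: what the business believes it owns, and who owns it.
INVENTORY = {
    "web-01":   {"owner": "Sales",   "criticality": "high"},
    "db-01":    {"owner": "Finance", "criticality": "high"},
    "hr-02":    {"owner": "Finance", "criticality": "low"},
    "kiosk-07": {"owner": "Retail",  "criticality": "low"},
}

# Constructed scanner output: (host, placeholder vulnerability id, vendor patch available?).
SCAN = [
    ("web-01",    "VULN-A", True),
    ("db-01",     "VULN-B", True),
    ("kiosk-07",  "VULN-A", True),
    ("legacy-99", "VULN-C", True),   # seen by the scanner, absent from the inventory
    ("db-01",     "VULN-D", False),  # no vendor patch yet, so it cannot be "patched"
]

# Constructed threat-intel feed: vulnerabilities currently exploited in the wild.
EXPLOITED = {"VULN-A"}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln: str
    owner: str
    criticality: str
    exploited: bool
    patch_available: bool


def unmanaged_hosts(scan, inventory):
    """Hosts the scanner sees but the inventory does not: the gap you are
    'hoping nothing is missed' in. Nobody owns patching these."""
    return sorted({host for host, _, _ in scan if host not in inventory})


def findings(scan, inventory, exploited):
    """Join scan results to inventory metadata; unmanaged hosts are reported separately."""
    return [
        Finding(host, vuln, inventory[host]["owner"], inventory[host]["criticality"],
                vuln in exploited, patch_available)
        for host, vuln, patch_available in scan if host in inventory
    ]


def priority(f):
    """Sort key, lowest first: exploited in the wild, then high-criticality asset,
    then whether a patch exists to deploy at all. Host and vuln break ties stably."""
    return (not f.exploited, f.criticality != "high", not f.patch_available, f.host, f.vuln)


def prioritized(scan, inventory, exploited):
    return sorted(findings(scan, inventory, exploited), key=priority)


def coverage_by_owner(scan, inventory):
    """Per business unit, the fraction of inventoried hosts with no open, patchable
    finding. This only means something because the denominator is the inventory."""
    open_hosts = {h for h, _, patch_available in scan if patch_available and h in inventory}
    tally = {}
    for host, meta in inventory.items():
        total, clean = tally.get(meta["owner"], (0, 0))
        tally[meta["owner"]] = (total + 1, clean + (host not in open_hosts))
    return {owner: clean / total for owner, (total, clean) in tally.items()}


if __name__ == "__main__":
    print("Unmanaged hosts:", unmanaged_hosts(SCAN, INVENTORY))
    for f in prioritized(SCAN, INVENTORY, EXPLOITED):
        print(f"{f.host:10} {f.vuln:7} owner={f.owner:8} exploited={f.exploited} patch={f.patch_available}")
    print("Coverage by owner:", coverage_by_owner(SCAN, INVENTORY))
```

Two things worth noting in the output: the exploited vulnerability on the low-criticality kiosk outranks the non-exploited one on the high-criticality database, because an exploit in active use is the deciding factor, and `legacy-99` never appears in the ranked list at all, because it has no owner to assign it to. That second case is the one an inventory-less program never sees.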

Putting theory into practice

These steps are standard for all IT security teams. It is why the vast majority of enterprises have services and technologies in place to help them manage vulnerabilities. So why is this still problematic?

One reason is that the team responsible for flagging vulnerabilities is not the one applying the patches. Vulnerability management typically sits with the IT Security team. However, patching desktops will be the responsibility of the Desktop team, IT Operations or the IT Service Management department. Additionally, many companies have outsourced elements of their IT to third-party providers. Outsourced support functions mean you have to go through that provider’s change management process.

Whether you have a full internal team or multiple companies involved, change management should be involved. A colleague who previously worked for a manufacturing company once had to go through a change process with 42 different approvers. Every one of these had to sign off on the change before it could go live. When you have a critical patch that must be deployed, this level of bureaucracy can delay the process and lead to more risk than it prevents.

To solve this, audit your change management process alongside your patch priorities. Where can you improve the whole process so that it meets everyone’s needs without hindering fast patching? Remove approvers who don’t need to be involved. Also, make it easier for people to approve the deployment of critical updates that need to be rolled out immediately.

Who is responsible?

Look at the metrics your security team is measured on and the goals that other teams must meet. Doing so can reveal issues that have been holding you back from improving patching, and it can point to new ways to improve performance.

For example, your IT Operations team may be responsible for the patch deployment process alongside maintaining uptime and service availability for the business. In these circumstances, rolling out a patch may affect those other service levels. This can delay something from being implemented while approval is sought. Similarly, the team may want to arrange deployment for multiple patches in one go rather than prioritizing a patch for a serious risk on its own.

Solving this problem involves looking at how changes are categorized and carried out so that both teams win. It is also important to check any outsourcing provider’s contract and service levels, so that the provider is incentivized in the right way.

Make this a business, not a technology problem

This one change can make it easier to get support for more efficient patch deployment and faster updating. For instance, getting business unit leaders to look at patch levels and updates may be difficult on its own. Set a KPI around update status for those leaders. They will then want to improve their performance and keep everything up to date as much as possible.

It is possible to automate patch management and collaboration phases across the company. This removes some of the back and forth between teams. It can also remove some of the manual work around non-critical applications or where patches are fully validated before deployment. Another approach here is to look at ransomware and threat intelligence data. Use that data to automate the deployment of patches for these specific issues.

Improving patch management – and by extension, how we approach vulnerabilities – involves looking at processes, collaboration and goals. By thinking about the wider impact that patching has, we can improve how this gets delivered to the business.

Using automation in the patching process can also help. The manual load required to patch all operating systems and third-party applications can be overwhelming. Automation can reduce that manual work and the mistakes that come with it. When you use empirical data to underpin your decisions about where to implement automation, you can work more efficiently. Creating predefined rules based on internally agreed operating procedures removes a lot of the manual lifting and gets things done faster.
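Here is what "predefined rules based on internally agreed operating procedures" can look like once written down, covering both the threat-intelligence-driven automation described earlier and the rule-based automation above. This is an added example for this page, not code from the article or from any patch management product. The rule table, the SLA windows, the list of products approved for unattended deployment and the sample patches are all constructed assumptions; a real program would load them from its own policy documents and threat-intelligence feed.

```python
"""Rule-driven routing of patches into deployment lanes.

Added example, not from the article or any vendor tool. The SLA table, the
auto-approved product list and the sample patches are constructed stand-ins
for an organization's agreed operating procedures and threat-intel feed.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Patch:
    patch_id: str            # placeholder id, not a real vendor bulletin
    product: str
    severity: str            # "critical", "high", "medium" or "low"
    exploited: bool          # threat intel says it is exploited in the wild / used by ransomware
    validated: bool          # passed the organization's own test ring for this product
    affects_production: bool # touches a service with an uptime SLA


# Constructed SLA: days allowed from patch release to deployment, by severity.
SLA_DAYS = {"critical": 2, "high": 7, "medium": 30, "low": 90}

# Constructed: products where unattended deployment has been agreed in advance.
AUTO_APPROVED_PRODUCTS = {"browser", "pdf-reader", "office-suite"}


def lane(p):
    """Route a patch to 'auto-immediate', 'auto-scheduled' or 'change-board'.

    The order of the rules is the policy: exploitation status is checked first,
    so an actively exploited patch is never batched with routine updates."""
    if p.exploited and p.validated:
        return "auto-immediate"   # exploited and already validated: deploy now, on its own
    if p.validated and p.product in AUTO_APPROVED_PRODUCTS and not p.affects_production:
        return "auto-scheduled"   # routine third-party app: predefined rules handle it
    return "change-board"         # everything else keeps a human approval step


def deadline(p, released):
    """Deadline from the SLA table; an exploited patch never gets longer than 'critical'
    even if its vendor severity is lower."""
    days = SLA_DAYS[p.severity]
    if p.exploited:
        days = min(days, SLA_DAYS["critical"])
    return released + timedelta(days=days)


def plan(patches, released):
    return [(p.patch_id, lane(p), deadline(p, released).isoformat()) for p in patches]


# Constructed sample patches.
SAMPLE = [
    Patch("P-1", "browser",    "high",     exploited=True,  validated=True,  affects_production=False),
    Patch("P-2", "browser",    "medium",   exploited=False, validated=True,  affects_production=False),
    Patch("P-3", "erp-server", "critical", exploited=False, validated=True,  affects_production=True),
    Patch("P-4", "pdf-reader", "low",      exploited=True,  validated=False, affects_production=False),
]
RELEASED = date(2021, 6, 1)

if __name__ == "__main__":
    for patch_id, route, due in plan(SAMPLE, RELEASED):
        print(f"{patch_id}: {route:15} due {due}")
```

The interesting row is `P-4`: exploited in the wild but not yet validated, so the rules refuse to deploy it unattended and send it to the change board, while still giving it the two-day deadline of a critical item. That is exactly the case where the approval process has to be fast enough to be worth having; if it takes 42 signatures, the rule has correctly identified the risk and the process has still lost.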

Founded in 1999, Qualys is a cloud security company that provides a range of information security and cloud compliance solutions. Qualys has established strategic partnerships with leading managed service providers and consulting organisations including Accenture, BT, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT and Verizon. The company is also a founding member of the Cloud Security Alliance (CSA).

