As the 2017 Equifax data breach illustrates, unpatched software represents a massive cybersecurity challenge for enterprises today. In that case, the vulnerability in question was well known, and a patch was available. Equifax simply hadn’t applied the patch.
On the surface, this ‘patching gap’ – the time between the availability of a patch for a software vulnerability and the application of that patch – shouldn’t be that long. After all, what’s so difficult or time-consuming about applying a patch?
In large organizations, however, the answer is – quite a bit. “Patching is a losing battle,” explains Sean Convery, VP and GM of the Security Business Unit at Service. “There are so many open vulnerabilities – sometimes in the millions. People are barely staying ahead of the most urgent vulnerabilities.”
Enterprises typically have thousands of different pieces of software, ranging from mobile apps on phones to legacy systems of record running in on-premises data centers – and everything in between.
Furthermore, such software is typically a mix of commercial off-the-shelf (COTS) packages, open source software, and custom-built applications. Vulnerabilities crop up in all of these on a regular basis.
Given this never-ending stream of available patches combined with perennially limited security staff, prioritization is essential. A recent Ponemon study underscored this point. “65% of respondents say they find it difficult to prioritize what needs to be patched first,” explains the ServiceNow-commissioned study Today’s State of Vulnerability Response: Patch Work Demands Attention. “To accurately prioritize vulnerabilities, you need to know both the severity—as measured by Common Vulnerability Scoring System (CVSS) scores, for example—and the types of business systems affected.”
Even with the appropriate prioritization, though, speed is also of the essence – and manual patching processes slow everything down. Throwing more people at the problem isn’t the answer, however, assuming the organization can even find them. “Businesses can’t hire their way into better security,” Convery says. “A shortage of people doesn’t mean less budget for people. It means more junior people, more training, and burning people out.”
Impact on Business Operations
Not patching can lead to Equifax-sized breaches, but patching has adverse impacts as well. “It can be difficult to get the business to accept the need for patching, because it has business consequences,” says Marcus Alldrick, Chief Risk Officer at Cymmetria and former Head of Digital Risk Management and Compliance at Lloyd’s of London. “You have logistical issues to deal with, as well as people issues – users may delay the patch because they want to get on with their work.”
The Ponemon study echoed Alldrick’s comments. “To prevent data breaches, security teams need to patch more quickly,” the study says. “However, the survey shows that they are being held back by manual processes and disconnected systems that compromise their ability to patch in a timely manner.”
Convery agrees. “Effective and timely patching is the best thing you can do to avoid being hacked,” he says. “Manual processes are holding them back.”
To balance the conflicting priorities of rapid patching vs. limiting the adverse business impacts of patching, many organizations have implemented patch management processes and policies that address both how different patches are prioritized and how business stakeholders can obtain exceptions to a given patching regimen for business reasons.
The United States Postal Service (USPS), for example, has published both its Patch Management Policy and Patch Management Process online. According to the policy, “Patches are implemented based on criticality ranking of the vulnerability that is being patched.” The process then differentiates among patches to critical vulnerabilities, patches to non-critical vulnerabilities, and excluded patches.
The decision to make such exclusions falls to specified stakeholders: Functional Support or the Business Owner, depending upon when such an exception occurs. “Functional Support is defined as the group responsible for identifying and assessing patches and performing Functionality Testing,” according to the USPS. “Business Owner is defined as the Business Relationship Management Program Manager (BRM PM) or an equivalent stakeholder.” Either one might cause IT to hold off on a patch for business reasons – even for critical vulnerabilities.
Furthermore, for each system, the USPS’s IT organization must assess, test, and then implement vendor-released patches as per USPS policy, and then validate such implementations.
The end result of these processes: a 30-day implementation deadline for critical patches, and a 90-day deadline for non-critical patches (which may nevertheless address significant weaknesses) – more than enough time for bad actors to exploit those vulnerabilities.
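To make the prioritization and deadline logic described above concrete, here is a small patch-tracking example added for this article; it is not code from the article, the USPS, or ServiceNow. The 30- and 90-day deadlines and the two exclusion stakeholders are the USPS figures quoted above; the CVSS thresholds used to rank a vulnerability as critical, and the sample patches and dates, are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
# Deadlines the article attributes to the USPS process: 30 days critical, 90 non-critical.
DEADLINE_DAYS = {"critical": 30, "non-critical": 90}
# Stakeholders the USPS process allows to exclude a patch for business reasons.
EXCLUSION_AUTHORITIES = ("Functional Support", "Business Owner")

@dataclass
class Patch:
    name: str
    cvss: float                    # severity as measured by CVSS
    business_critical: bool        # affected system is business-critical (e.g. a system of record)
    released: date                 # date the vendor patch became available
    applied: Optional[date] = None
    excluded_by: Optional[str] = None

def criticality(p: Patch) -> str:
    """Rank by severity AND the business system affected; the thresholds are assumptions."""
    if p.cvss >= 9.0 or (p.cvss >= 7.0 and p.business_critical):
        return "critical"
    return "non-critical"

def deadline(p: Patch) -> date:
    return p.released + timedelta(days=DEADLINE_DAYS[criticality(p)])

def status(p: Patch, today: date) -> str:
    """'excluded', 'applied', 'overdue' or 'open'; an exclusion holds even for a critical patch."""
    if p.excluded_by in EXCLUSION_AUTHORITIES:
        return "excluded"
    if p.applied is not None:
        return "applied"
    return "overdue" if today > deadline(p) else "open"

def patching_gap_days(p: Patch, today: date) -> int:
    """Days from patch availability to application, or to today while still unapplied."""
    return ((p.applied or today) - p.released).days

def report(patches, today: date) -> dict:
    """name -> (criticality, status, patching gap in days), overdue patches listed first."""
    rows = {p.name: (criticality(p), status(p, today), patching_gap_days(p, today)) for p in patches}
    return dict(sorted(rows.items(), key=lambda kv: (kv[1][1] != "overdue", -kv[1][2])))

# Constructed sample data: names, dates and the "today" used for the report are invented.
TODAY = date(2024, 4, 10)
SAMPLE = [
    Patch("app-server-rce", 10.0, True, date(2024, 3, 1)),
    Patch("pdf-viewer-dos", 5.3, False, date(2024, 3, 1)),
    Patch("erp-auth-bypass", 8.1, True, date(2024, 2, 1), excluded_by="Business Owner"),
    Patch("mail-client-xss", 7.5, False, date(2024, 1, 15), applied=date(2024, 2, 20)),
]
```

Running `report(SAMPLE, TODAY)` lists the unpatched critical item as overdue after its 30-day window, while the Business Owner exclusion keeps an equally critical patch out of the queue, which is exactly the tension the policy creates.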
Where to Start
Patching regimens may struggle under layers of complexity, but the starting point is relatively straightforward. “Start with basic hygiene items that can be addressed quickly,” the Ponemon study advises. “For instance, if security teams don’t scan for vulnerabilities, they need to make it a top priority to acquire and deploy a vulnerability scanner.”
It’s also important to realize that critical vulnerabilities might appear at any time, and thus certain patches may suddenly become urgent. “When you have emergency patches, then you need to rally the troops,” Alldrick says. “If you are running a standard working week, you’ll need resources that are prepared to work outside of normal hours. That is additional cost, so you need to have that budgeted and approved beforehand.”
Automation is also essential to reducing both the time and the headcount required. “Automation offers a path forward,” the Ponemon study continues. “By automating routine vulnerability response processes and elevating staff to focus on more critical work, security teams can dramatically reduce breach rates while making the most of existing staff.”
And finally, the business must place patch management into the context of financial risk to the organization. “ServiceNow’s GRC [governance, risk, and compliance] suite can turn vulnerabilities into a financial risk,” Convery explains. “The ROI of patching can be expressed in terms of the reduction in risk.”
As with other cybersecurity efforts, the question boils down to risk vs. the cost of addressing that risk. Every organization must find the right balance between these two priorities that meets its business goals – without becoming the next Equifax.