Virtual Event Today: Cloud & Data Security Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Prioritizing Patch Management Critical to Security

Patch management – two words that are vital to cybersecurity, but that rarely generate enough attention.

Patch management – two words that are vital to cybersecurity, but that rarely generate enough attention.

That lack of attention can cost. Recent stats from the Verizon Data Breach report showed that many of the most exploited vulnerabilities in 2014 were nearly a decade old, and some were even more ancient than that. Additional numbers from the NTT Group 2015 Global Threat Intelligence Report revealed that 76 percent of vulnerabilities they observed on enterprise networks in 2014 were two years old or more.

“One of the biggest challenges on enterprise networks is knowing the state of all the things you own,” said Martin Fisher, manager of IT security at Northside Hospital in Atlanta. “Enterprise networks are tens of thousands of devices and any of them can be the weak link in the chain. The technology to robustly manage and patch devices has not kept up with the vast quantities of new and exciting equipment coming out each year. That means that sometimes a vulnerability can go for a long time before it gets addressed.”

Unfortunately, many companies do a poor job identifying all their computing assets and understanding their value to the business, noted Jon Heimerl, senior security strategist at Solutionary, a NTT Group security company.

“Many organizations have older systems which are getting ignored as new, cool or more critical applications and services are fielded,” he said. “The longer we maintain legacy applications, or even less important applications and systems in our environments, the more likely those systems are to fall off a list of systems to be patched. It is important that organizations truly understand the systems which make up their operational environment, and the potential impact that each one of those systems can have on organizational security. This issue can be mitigated by performing thorough asset analysis and vulnerability tests to find available systems and associated open vulnerabilities.”

The sheer number of patches that get released makes it difficult for enterprises to keep up, Fisher noted.

Advertisement. Scroll to continue reading.

“It’s not just Microsoft Patch Tuesday anymore,” he said. “All of the vendors from Adobe to Zotac are producing patch updates for their software and hardware. Each of these patches needs to be evaluated and assessed for how it should be prioritized for deployment. The challenge that most enterprises have is that there is no prioritization so everything from the mundane to the most dangerous all gets the same treatment.”

Enterprises should begin prioritizing patch efforts based on the risk particular vulnerabilities pose to critical assets, as well as their exploitability and age, said Eric Cowperthwaite, vice president of advanced security and strategy at Core Security. Organizations should also adopt a maturity model for threat and vulnerability management, he said.

“In general, you will probably have to accept that you can’t try to patch every single vulnerability,” he said. “Instead, focus on the critical assets that are most important to the organization. Eliminate vulnerabilities that put those critical assets at risk.

Prioritizing vulnerabilities might require consolidating multiple vulnerability scanner feeds and analyzing issues based on known exploits, as well as simulating potential attack paths through the IT infrastructure, he added.

External information sources such as US-CERT TA15-119A – which has the top 30 attack vulnerabilities – can also be good sources of information, noted Wolfgang Kandek, CTO of Qualys. Once the top 30 are knocked off, focus on bugs that are known to have exploits, he advised.

“Attackers prefer environments where vulnerabilities stay unpatched for months or years at a time, allowing them to use their well tested exploit codes which have undergone significant QA over the years,” Kandek told SecurityWeek. “New exploits tend to be more temperamental, often crashing the target and alerting the user and IT departments.”

Beyond technology, improving the patch management process comes down to communication, said Fisher.

“If everyone from the CEO down understands why patching is so important and also realizes that the patching is being done in as silent and transparent a manner possible, it’s possible to do an amazing job without overly disturbing the business,” he said. 

Written By

Marketing professional with a background in journalism and a focus on IT security.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Jazz has named Sean Robinson, Rickie Goyal, Danielle Guetta, Shani Nago, and Lior Magram as VPs and Michael Calev as COO.

AJ Shipley has been appointed Chief Product Officer at CrowdStrike.

Brinqa has named Ron Dovich as Chief AI and Automation Officer, David Allen as CTO, Steve Biagioni as CFO, and James Walta as VP of Product.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.