Security Experts:

Auto-Patching: More or Less Risky?

Is the probability of an Automated Patch Breaking a System Worse Than the Increased Risk of Getting Hacked?

Many organizations take a manual approach to vulnerability management. Instead of relying on automated systems, IT practitioners test and validate new patches prior to deploying them in production environments. However, in today’s dynamic threat landscape there are thousands, if not hundreds of thousands, of vulnerabilities discovered in typical organizations.

The manual approach is becoming unsustainable. This is why more systems, including the new Windows 10 operating system, are switching to hands-free, automated updates. Is automatic patching less risky than waiting for a patch to be tested and validated internally?

Automated PatchingAccording to the 2015 Verizon Data Breach Report, 99.9 percent of exploited vulnerabilities were compromised more than a year after the Common Vulnerabilities and Exposures (CVE) was published. More strikingly, over 70 percent of attacks exploited known vulnerabilities with available patches. This paints a dire picture for the existing manual testing approach to vulnerability management. Not surprisingly, at the recent RSA Conference in San Francisco, one of the discussion points on the show floor was the need for automation and orchestration, which entails solutions that help organizations leverage what they already have.

Security and IT practitioners alike are trying to minimize exposure to vulnerabilities, and are consequently considering auto-patching as an approach that could assist in achieving a more streamlined vulnerability management process. However, when Lenovo recently admitted that its system update program had critical security flaws, fears resurfaced about whether automatic system updates provide enough security. Another inhibitor is the fact that software vendors often are not transparent about what a patch will do. For instance, Windows 10 now provides far less detail on patches compared with prior versions. Often security updates are bundled with other updates that can just as easily break code. Many organizations don't allow automatic updates because they have thousands of applications, many of which are custom-built, that a bad patch can crash.

Organizations must decide whether the probability of an automated patch breaking a user’s system is worse than the likelihood of getting hacked. With differing risk perceptions and tolerance levels, the decision must be made by each organization.

While there are risks associated with automatic update systems, including updates being hijacked by malware, as was the case with a fake Firefox update, the benefits far exceed the risks.

Organizations just need to apply special care to the implementation of the auto-patching process to minimize any shortcomings. This includes ensuring that the delivery process itself is stable and doesn’t corrupt the updated files; that it is conducted in a secure manner, meaning protected by digital signatures and encrypted; and that it follows proper cyber hygiene, which means that the patch has been validated for authenticity and quality before it is applied.

If organizations are not convinced that automation is the holy grail in tackling today’s dynamic threat landscape, they can at least enhance their existing vulnerability management practices by contextualizing detected vulnerabilities with external threat data and the risk associated with them. This will allow organizations to better align remediation resources and shorten time-to-remediation. At the end of the day, the ultimate goal is to shorten the window attackers have to exploit a software flaw.

The most recent RSA Conference showcased new technologies that take a pro-active approach to vulnerability and threat management, that aggregate multiple threat intelligence feeds, and more importantly correlate external and internal security data with its business criticality or risk to the organization. This allows for increased operational efficiency and faster time-to-remediation without requiring expensive consulting services or taking the perceived risk of auto-patching and therefore offers a valid compromise.

view counter
Torsten George is currently a cyber security evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).