Risk Management

For Effective Patch Management, Don’t Overlook Risk

Patch management has always been an evergreen topic for security practitioners. Each time poor patching is identified as the root cause of a breach, it triggers a new flood of opinions on the countless dos and don'ts of triaging Common Vulnerabilities and Exposures (CVE) entries, interpreting severity scores such as CVSS, and deploying patches. Often left out of the conversation, however, is an especially crucial variable: risk.

Specifically, I'm referring to the business risk that a vulnerability poses to a company. Evaluating business risk in this context requires insight into 1) the likelihood that the vulnerability will be exploited against this company and 2) if it is exploited, how that vulnerability could impact the company on a macro level. Business risk intelligence (BRI) can provide these insights, which, once obtained, enable a company to make informed decisions about whether, when, and how to patch a vulnerability.

But for many companies, the decision-making process for patch management is not driven by business risk. It is driven by severity scores that are often incorrectly equated with business risk. While such scores provide useful information about the nature of a vulnerability (how it is reached, what it yields, how hard it is to trigger), they are assigned by third parties that are removed from the unique context of an organization's assets, exposure, and security posture and, as a result, are not on their own indicative of risk. Companies that substitute severity scores for business risk are more likely to patch every vulnerability blindly, regardless of the cost or the need to do so.

To illustrate this concept, let’s examine the following scenario: 

While riding the train home from work one Friday, a CIO reads an article about a new vulnerability that has been deemed critical. She sends the article to the CISO, asking, “Have you seen this?” The CISO then sends it to the CTI team, also asking, “Have you seen this?” 

In response, the CTI team quickly researches the vulnerability and reports back to the CISO, "Yes, there is an exploit in the wild, but a patch was made available this afternoon." Although it's now getting late on a Friday night, the CISO directs the patch management team to deploy the patch immediately. By 1:00 AM on Saturday, the patch has been deployed.

The outcome of this scenario is what many security practitioners would agree is a win. After all, the vulnerability was removed and the company's risk mitigated. But since nobody evaluated the company's risk in the first place, it is impossible to say whether this win was worth the cost of deploying the patch, including the patch management team's displeasure at having to work overtime on a Friday night.

Now imagine that the CIO had instead initially asked, “What is our risk related to this?”


With this frame of reference, the CTI team researches the vulnerability, overlays this research with relevant insights gleaned from BRI, and reports to the patch management team, “There is an exploit in the wild, but it is highly unlikely that our company would be targeted.” 

The patch management team combines the CTI team's research and BRI insights with information about the company's critical assets and the estimated cost of deploying the patch to quantify the company's risk. Rather than blindly deploying the patch, the team determines that the vulnerable component is present on only 10 devices and that the cost to test and deploy the patch would be approximately $25,000.

Together, the CTI and patch management teams then report to the CISO, "Yes, there is a known exploit, but it is unlikely that our company would be targeted. If we were hit, the impact would be minimal. Deploying the patch will cost an estimated $25,000."

Now armed with concrete information tied to both business risk and cost, the CISO makes an informed decision, responding to the CIO, “The vulnerability is present on a small number of devices. The risk is minimal but the cost to deploy the patch is high, so we have chosen to accept the risk.”

The above example highlights one scenario, but this approach to decision-making becomes even more powerful when you face a series of CVEs and patches at once. When you understand the mitigation costs, the potential impacts, and their likelihoods, in other words your company's business risk, you can identify and address what is actually critical to your company regardless of the severity score assigned by a third party, and ensure resources are prioritized cost-effectively on the efforts that have the greatest impact. Two practical caveats apply. First, "accept the risk" is a decision, not a dismissal: record who owns it and when it will be revisited, because the likelihood half of the equation moves as an exploit is weaponized more widely or as the exposed footprint grows. Second, the inputs are only as good as the asset inventory behind them; a device count of 10 is a risk statement only if you can trust that the other devices really do not run the affected component.
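The following is an added worked example, not code from the article or from any vendor's BRI product. It ranks a constructed batch of findings by the expected loss a patch would avoid, net of the cost to deploy it, and contrasts that with the ordering a severity-score-only process would produce. The finding labels, the loss and cost figures, the probability estimates, and the tenfold discount applied when no exploit is public are all assumptions chosen for illustration; "finding-A" mirrors the article's scenario of ten exposed devices and roughly $25,000 to patch.

```python
"""Risk-based patch triage (added example, not the article's own code).

Ranks findings by the expected loss a patch would avoid, net of what the
patch costs to roll out, and compares that order with a CVSS-only order.
All data below is constructed sample input, not a real assessment.
"""
from dataclasses import dataclass

# Assumption for this example: with no public exploit, the chance of being
# hit in the assessment window is taken as one tenth of the CTI/BRI estimate.
NO_EXPLOIT_DISCOUNT = 0.1


@dataclass
class Finding:
    id: str                 # placeholder label, not a CVE identifier
    cvss: float             # third-party severity score (0-10)
    exploit_in_wild: bool   # CTI input: is a working exploit public or observed?
    p_targeted: float       # BRI input: probability (0-1) we are hit while an exploit exists
    exposed_devices: int    # inventory input: assets that actually run the affected component
    loss_per_device: float  # estimated business loss (USD) per compromised device
    patch_cost: float       # estimated cost (USD) to test and deploy the patch


def likelihood(f: Finding) -> float:
    """Probability of compromise over the assessment window, clamped to [0, 1]."""
    p = f.p_targeted if f.exploit_in_wild else f.p_targeted * NO_EXPLOIT_DISCOUNT
    return min(max(p, 0.0), 1.0)


def expected_loss(f: Finding) -> float:
    """Likelihood x impact, where impact scales with the exposed footprint."""
    return round(likelihood(f) * f.exposed_devices * f.loss_per_device, 2)


def net_benefit(f: Finding) -> float:
    """Loss avoided by patching minus what the patch costs to roll out."""
    return round(expected_loss(f) - f.patch_cost, 2)


def decide(f: Finding) -> str:
    """Patch when the avoided loss outweighs the cost; otherwise accept and schedule a review."""
    if f.exposed_devices == 0:
        return "not applicable"          # nothing to patch; record the finding and move on
    return "patch" if net_benefit(f) > 0 else "accept risk (set review date)"


def prioritize(findings: list[Finding]) -> list[tuple[str, str, float]]:
    """Order by net benefit of patching; findings with no exposure sink to the bottom.

    Returns (id, decision, net_benefit) tuples, best use of effort first.
    """
    ranked = sorted(findings,
                    key=lambda f: (f.exposed_devices > 0, net_benefit(f)),
                    reverse=True)
    return [(f.id, decide(f), net_benefit(f)) for f in ranked]


def cvss_order(findings: list[Finding]) -> list[str]:
    """The order a severity-score-only process would produce, for comparison."""
    return [f.id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


# Constructed sample batch (assumed figures). finding-A mirrors the article:
# exploit in the wild, ten exposed devices, about $25,000 to patch, low chance
# of being targeted. finding-B is a "medium" score on a large exposed fleet.
SAMPLE = [
    Finding("finding-A", 9.8, True,  0.10, 10,   10_000, 25_000),
    Finding("finding-B", 6.5, True,  0.60, 400,  20_000, 40_000),
    Finding("finding-C", 7.5, False, 0.30, 50,   10_000,  5_000),
    Finding("finding-D", 9.1, True,  0.50, 0,   100_000,  8_000),
]

if __name__ == "__main__":
    print("CVSS-only order:", cvss_order(SAMPLE))
    for fid, decision, net in prioritize(SAMPLE):
        print(f"{fid}: {decision:30} net benefit ${net:,.2f}")
```

The point the output makes is the article's: the finding with the highest severity score (finding-A) lands near the bottom once exposure and cost are counted, while the "medium" finding-B on a large fleet goes first. The probability inputs are the hard part in practice, which is exactly what the CTI and BRI teams are for; the arithmetic is the easy part.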
