SecurityWeek

How to Predict Your Patching Priorities

Implementing a smart and timely approach to patching remains one of the primary ways for organizations to protect their networks from attackers.

While a robust suite of security technology undoubtedly plays a starring role in every organization’s risk management strategy, implementing a smart and timely approach to patching remains one of the primary ways for organizations to protect their networks from attackers. Patching vulnerabilities addresses known security weaknesses, preventing potential exploits that malicious actors could use to gain unauthorized access to corporate data or disrupt operations.

However, given how often patching updates are released by software and application developers, it’s easy to get overwhelmed. Teams often grapple with which updates to implement, when to do so, and in what order they should be applied.

But what if you could reliably forecast your patch schedule? While there’s no silver bullet, it’s possible to use some of the latest threat insights to help guide your strategy and keep your organization better protected.

Patching is key

Even with a patch management strategy in place, many businesses still find it difficult to patch vulnerabilities as soon as they are discovered, and hackers are quick to capitalize on this situation. It's crucial to have a solid plan in place for deciding which vulnerabilities to patch first and for securing systems until those patches are applied.

In the meantime, practitioners can take advantage of safeguards like virtual patching—adding a security layer that analyzes incoming traffic for malicious activity—while waiting for the actual patches to be applied. Though every platform should be taken into account when making a list of priorities, that only goes so far in identifying which open vulnerabilities are most likely to be attacked soon. The good news is that there are other tools you can use to prioritize patching efforts.


Understanding the “red zone”

Many variables, such as organizations’ vulnerability management practices and advancements in attacker tooling, affect the relationship between the Common Vulnerabilities and Exposures (CVEs) that are present on endpoints and the CVEs actually targeted by attackers.

To help security practitioners better prioritize their patching efforts, the FortiGuard Labs team introduced the concept of the “red zone” in a previous threat landscape report. The red zone is a moment-in-time assessment of the CVE data observed on endpoints compared with the CVEs actively under attack. We introduced the red zone to help security practitioners understand how likely (or unlikely) it is that threat actors will exploit a specific vulnerability.

For example, in our latest threat landscape report, we performed this analysis and determined that just 8.3% of more than 14,000 known CVEs fell into the “red zone” in the first half of 2023. While that figure still represents a fair amount of vulnerabilities that security practitioners need to address, understanding the red zone can help teams determine the patching efforts that should be their highest priority.

Using EPSS to prioritize your efforts

Using the Exploit Prediction Scoring System (EPSS) can go a long way toward anticipating which vulnerabilities will require your attention. EPSS is an open, data-driven project for estimating how likely it is that an attacker will exploit a given software vulnerability in the wild. Used alongside an existing CVSS score, it aims to help network defenders better prioritize vulnerability mitigation operations.

EPSS uses current threat information from the CVE database, along with data from real-world exploits, to make its predictions. The probability score generated by EPSS ranges from 0 to 1 (0% to 100%): the higher the score, the more likely the vulnerability is to be exploited in the next 30 days.

For example, on May 31, 2023, it was disclosed that the MOVEit Transfer web application contained a zero-day SQL injection vulnerability that might allow an unauthenticated actor to modify or remove data from the database engine. Security professionals flagged this vulnerability as one to watch. Following the publication of the CVE, EPSS forecasted a very high likelihood of exploitation within the following 30 days.

Not surprisingly, cybercriminals didn’t wait long to take action. Just five days after the vulnerability was discovered, our FortiGuard Labs sensors detected attacker efforts to exploit the MOVEit vulnerability. In this instance, EPSS offered third-party confirmation of the predictions our analysts made and assisted us in staying ahead of and communicating about the evolving threat.

Beyond using EPSS to prioritize remediation efforts, vulnerability management teams can also use it to support intelligence work, tracking a vulnerability from its original disclosure to the start of exploitation in the wild. Incorporate EPSS data into your vulnerability management strategy so it can serve as an early warning system.
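The following script is an added illustration, not code from the article or from FortiGuard Labs, of how the three signals discussed above (observed in-the-wild exploitation, i.e. the "red zone"; the EPSS probability; and CVSS severity) can be combined into a patch queue, plus a simple early-warning check over daily EPSS scores. The CVE identifiers, scores, asset names and thresholds are constructed placeholders; in practice the EPSS values would come from FIRST's daily EPSS feed.

```python
"""Rank an asset inventory by exploitation likelihood (EPSS), severity (CVSS)
and observed in-the-wild exploitation, then watch EPSS history for jumps."""
from typing import Dict, List

# Constructed sample data: the CVE ids, scores and asset names are placeholders,
# not values from the article or from the live EPSS feed.
INVENTORY: List[Dict] = [
    {"cve": "CVE-0000-0001", "asset": "file-transfer-gw", "cvss": 9.8, "epss": 0.94, "in_the_wild": True},
    {"cve": "CVE-0000-0002", "asset": "intranet-wiki",    "cvss": 7.5, "epss": 0.02, "in_the_wild": False},
    {"cve": "CVE-0000-0003", "asset": "vpn-portal",       "cvss": 5.3, "epss": 0.41, "in_the_wild": False},
    {"cve": "CVE-0000-0004", "asset": "build-server",     "cvss": 9.1, "epss": 0.01, "in_the_wild": False},
    {"cve": "CVE-0000-0005", "asset": "intranet-wiki",    "cvss": 6.1, "epss": 0.77, "in_the_wild": True},
]

# Assumed policy thresholds; tune them to your own risk appetite.
EPSS_HIGH = 0.10      # 10% chance of exploitation within the next 30 days
CVSS_HIGH = 7.0
CVSS_CRITICAL = 9.0

TIERS = ["P1-red-zone", "P1", "P2", "P3", "P4"]


def tier(v: Dict) -> str:
    """Assign a patching tier. Observed exploitation (the red zone) always wins;
    EPSS likelihood then decides urgency before CVSS severity does."""
    if v["in_the_wild"]:
        return "P1-red-zone"
    if v["epss"] >= EPSS_HIGH and v["cvss"] >= CVSS_HIGH:
        return "P1"
    if v["epss"] >= EPSS_HIGH:
        return "P2"
    if v["cvss"] >= CVSS_CRITICAL:
        return "P3"
    return "P4"


def prioritize(inventory: List[Dict]) -> List[Dict]:
    """Return the inventory in patch order: tier first, then EPSS, then CVSS."""
    return sorted(inventory, key=lambda v: (TIERS.index(tier(v)), -v["epss"], -v["cvss"]))


def epss_alerts(history: Dict[str, List[float]], threshold: float = EPSS_HIGH) -> List[str]:
    """Early-warning check over daily EPSS scores per CVE: report CVEs whose
    score crossed the threshold since the previous day, which is the
    disclosure-to-exploitation watch described in the article."""
    alerts = []
    for cve, scores in history.items():
        if len(scores) >= 2 and scores[-2] < threshold <= scores[-1]:
            alerts.append(cve)
    return alerts


if __name__ == "__main__":
    for v in prioritize(INVENTORY):
        print(f"{tier(v):<12} {v['cve']}  epss={v['epss']:.2f}  cvss={v['cvss']}  {v['asset']}")
    # Constructed daily EPSS series: one CVE jumps sharply shortly after disclosure.
    HISTORY = {"CVE-0000-0004": [0.01, 0.01, 0.01], "CVE-0000-0003": [0.03, 0.05, 0.41]}
    print("EPSS alerts:", epss_alerts(HISTORY))
```

Note how a critical-severity CVSS score alone (CVE-0000-0004 in the constructed data) lands behind a medium-severity issue with a high EPSS score: that is exactly the re-ordering the article argues for, with the red zone overriding both.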

Get your patching priorities straight

Patching is a critical task on every security professional’s already lengthy to-do list. In order to simplify the process while keeping the organization safe, teams should take advantage of tools like red zone analysis and the EPSS. These offerings provide a valuable picture of where organizations should focus their efforts when it comes to protecting their attack surface and prioritizing patching efforts, saving practitioners time and energy (and many trips down CVE rabbit holes).

Written By

Derek Manky is chief security strategist and global vice president of threat intelligence at FortiGuard Labs. Derek formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. He provides thought leadership to industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work includes meetings with leading political figures and key policy stakeholders, including law enforcement. He is actively involved with several global threat intelligence initiatives including NATO NICP, INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST – all in an effort to shape the future of actionable threat intelligence and proactive security strategy.
