Muhammad Yahya Patel, lead security engineer at Check Point Software, considers roadblocks to effective patch management.
The landscape of cybersecurity is fraught with challenges, not least of which is the daunting task of maintaining an up-to-date and secure network infrastructure. While there may be temptation to view patch management as a simple cost-benefit equation, this perspective overlooks the nuanced and often severe repercussions of inadequate vulnerability management. The failure to implement a robust patch management strategy can result in outcomes as damaging to business operations as any direct cyberattack. The roots of this inaction lie in a complex mix of risk aversion, financial considerations, and a stark shortage of skilled professionals equipped to navigate the intricacies of cybersecurity threats.
According to a survey backed by the Ponemon Institute, the average organisation in 2024 has 3,000 applications stored on its endpoints, and almost two-thirds (59 per cent) say that it takes at least two weeks to begin deployment after a patch has been released. Only 31pc of patches are distributed via automation, putting an increased burden on manual human-led processes.
Central to the dilemma faced by many organisations is the issue of legacy systems—vital to the day-to-day operations yet notoriously difficult to update or replace without causing significant disruption. These systems, often running on outdated software that cannot easily be patched, present a unique challenge. The very processes that are critical to the organisation’s success are the ones that make it most vulnerable. Vendors of such systems may offer limited or no support, leaving businesses in a precarious position: either depend on potentially insecure third-party solutions or place an undue burden on already overstretched internal IT staff.
Real-world examples of patch vulnerabilities
The exploitation of known vulnerabilities can lead to devastating cyberattacks, as illustrated by the widespread impact of the Log4j vulnerability and the significant breach involving MOVEit Transfer and MOVEit Cloud (CVE-2023-34362). In May 2023, Progress identified a critical flaw in these systems that, if exploited, could allow attackers to gain escalated privileges and unauthorised access. Despite a rapid response that included the launch of an investigation, the provision of mitigation steps, and the release of a security patch within 48 hours, cybercriminals were quick to leverage this window of vulnerability. The Russian-affiliated ransomware group Clop executed a supply chain attack, targeting users of MOVEit and compromising the data security of prominent organisations, including Shell and British Airways.
The consequences of such attacks are far-reaching and severe, underscoring the critical importance of timely and effective patch management. Emsisoft reported that the Clop-initiated attack led to the exposure of personal information for more than 62 million individuals, marking it as the most significant hack of 2023. This incident not only highlights the tangible risk of data loss and corruption but also demonstrates the broader implications for operational integrity, regulatory compliance, and organisational reputation. The MOVEit incident serves as a stark reminder of the potential for significant harm that known vulnerabilities can cause when not promptly and adequately addressed.
Barriers to effective vulnerability management
Automated patch management has been a boon for businesses, but while efficient for routine upkeep, it harbors significant risks when it becomes the sole strategy. Automated systems are adept at handling standard patching tasks but falter in the face of the unexpected, particularly with complex or outdated legacy systems where compatibility and stability are crucial. The absence of rigorous testing before patch deployment can lead to a series of consequences, from operational disruptions and data integrity issues to the introduction of new security vulnerabilities.
The scarcity of resources and skilled professionals dedicated to vulnerability management is also a significant shortcoming. Viewing investment in cybersecurity as a sunk cost reflects a short-term mindset that prioritises immediate financial savings over long-term security benefits. This approach often breeds complacency and a willingness to tolerate risks that could be mitigated with appropriate resources. The reality is that patching is not only costly but also demands considerable time and expertise, with manual processes prone to error due to their complexity and repetitiveness. For large organisations, the challenge is magnified by the need to secure tens of thousands of systems across a diverse array of technologies, a task further complicated by the increasing prevalence of remote work. This environment demands a more comprehensive approach to resource allocation, where the value of investment is measured by the enhancement of organisational security, not just its immediate financial impact.
Back to Basics: How and when to patch
The best patch management strategy is a dual-focused one that leverages automation and manual upkeep together to keep an organisation’s digital estate secure. Here is a breakdown of how and when patching should take place.
How to patch:
• Prioritise Critical Systems: Identify and update systems critical to business operations first to minimise potential impact on essential services. This ensures that the most vulnerable points in your network receive immediate attention.
• Establish Patch Management Policies: Develop comprehensive policies that outline the procedures for patch management, including timelines for implementation. This creates a structured approach, ensuring consistency and accountability across the IT department.
• Use Automated Tools with Manual Oversight: Leverage automation for efficiency but supplement with manual checks to catch issues automation may miss. This dual approach balances speed with thoroughness, covering more ground without compromising on diligence.
• Test Patches in a Controlled Environment: Deploy patches in a test environment to evaluate their impact before applying them broadly. This step helps avoid widespread issues by identifying potential conflicts or problems in a controlled setting.
• Implement Rollback Procedures: Prepare for the possibility of patch-induced problems by having a rollback plan in place. This ensures you can quickly revert changes, minimising downtime and preserving data integrity.
• Coordinate with Vendors: Maintain open lines of communication with software and hardware vendors for up-to-date patch information. Vendors can offer crucial insights and support, aiding in a smoother patching process.
When to patch:
• Adhere to a Regular Patching Schedule: Implement a consistent schedule for patching to ensure systems are routinely updated and secure. Regularity helps in mitigating risks proactively rather than reacting to threats after they’ve been exploited.
• Prioritise Based on Risk: Assess and prioritise patches based on the severity of the vulnerability and its relevance to your organisation. This strategy ensures resources are allocated effectively, focusing efforts where they are needed most.
• Emergency Patching: Act swiftly on critical vulnerabilities that could immediately jeopardise system security. Emergency patching is essential for closing potentially devastating security gaps without delay.
• Conduct Risk Assessments: Regular risk assessments help identify vulnerabilities and guide the prioritisation of patching efforts. Understanding your risk landscape allows for informed decision-making and more effective patch management.
• Meet Compliance Requirements: Ensure your patching strategy aligns with regulatory and compliance standards to avoid legal penalties and maintain trust. Compliance is not just a legal obligation but a component of maintaining operational and security standards.
• Plan and Communicate: Effective planning and clear communication are vital for successful patch management. Coordination ensures all team members are informed of their responsibilities, reducing the risk of oversight and enhancing the efficiency of the patching process.
As well as the above steps, building robust relationships with vendors, actively engaging with their updates, and inquiring about prevalent vulnerability exploitations will fortify an organisation’s knowledge base, enabling proactive defense measures. Investing in dedicated vulnerability management personnel ensures continuous scanning and assessment, while integrating threat intelligence becomes instrumental in prioritising responses effectively. Quick evaluation of vulnerabilities, especially in security products and devices exposed to the internet, is also crucial due to their potential for widespread impact. Above all, maintaining an incident response plan and embracing the evolving nature of vulnerability management underscore the importance of adaptability and vigilance, essential traits for safeguarding organisational assets against the ever-changing tide of cybersecurity threats.
