Making Infosec Jobs Easier: Keeping Systems Patched

July 28, 20209 min readVulnerability Management

This is post 3 in our ongoing blog series on making infosec jobs easier. The first post covered the job of improving overall security posture, the second talked about assessing and reporting on breach risk. In this post, we discuss the job of keeping systems patched.

The uphill struggles of keeping systems patched

One of the main jobs of a vulnerability management team is to keep all systems patched to safeguard your enterprise network and data. This involves not only keeping abreast with patching at a steady and periodic cadence, such as when Patch Tuesday rolls around, but also on an emergency basis when a patch is released for a critical vulnerability. In these cases, emergency patching might need to be completed within hours of a patch being released.

Here’s an example of what a typical vulnerability management and patching process looks like:

Vulnerability Management and Patching

 

Unfortunately, you will face challenges and limitations in every stage of this process:

How to keep systems patched

 

7 challenges in keeping systems patched

There are several challenges that security teams face on an almost daily basis, just pertaining to the task of keeping systems patched. Some of the biggest hurdles include:

1. Inventory

Your first challenge is that you need to know what you’re protecting, namely an inventory of your enterprise IT assets. Inventory must include not only the category of the asset, but business criticality of the asset as well. You also need to understand which assets have security vulnerabilities and need patching. To tackle remediation, you also need to know in what priority order these systems should be patched.

2. Keeping up with alerts from your existing tools

Legacy vulnerability scanning tools produce tens of thousands of alerts, overwhelming security teams. It is hard to identify which vulnerabilities are critical, which can wait, and which ones are just noise. Understanding and acting on data output from your vulnerability assessment scanner is a critical component of your vulnerability management program, but it is a well-known fact that vulnerability scan reports are long, extensive, and riddled with false positives. The inability of security teams to address the vulnerabilities in a timely manner due to the vast number of action items is a significant factor that undermines your ability to keep systems patched.

3. Difficulty in identifying vulnerable systems

Your enterprise attack surface is massive, with thousands of assets in your enterprise, each susceptible to a myriad of different attack vectors. Unfortunately, it is challenging to keep track of the various devices, applications, and services used by enterprise users. As a result, it is difficult to correctly target vulnerability scans and risk assessments. Covering non-traditional assets such as bring-your-own devices, IoT, mobile assets, and cloud services is particularly problematic. Mechanisms for asset inventory of the organization are manual, don’t discover and inventory IT assets in real time or continuously, and do not provide adequate coverage for all types of assets.

4. Issues with scan targeting

Most vulnerability scanners used in the enterprise today use manual processes that look for known vulnerabilities in networked assets such as servers, routers, and endpoints. Typically, these scans take a long time to run and not only that, targeting the scans to subnets, hosts, and other parts of the network has to be manually managed. By the time results are available, they are already out-of-date.

5. Broad risk coverage

Traditional approaches to vulnerability assessment monitor less than 5% of the enterprise attack surface. Enterprise risk extends beyond CVEs and traditional assets. Legacy vulnerability management tools, in use since the late 1990s, have historically constricted the definition of a security vulnerability to just imply CVEs. However, a vulnerability is anything that puts you at risk. The enterprise attack surface is exploding with assets including thousands of devices, apps and users, susceptible to hundreds of attack vectors, ranging from simple things like weak passwords, to more complex things like phishing, unpatched software, encryption and configuration issues, etc. Known vulnerabilities, or CVEs, are only a small subset of most enterprises’ overall breach risk.

6. Prioritization

Security teams are typically unable to patch all vulnerabilities, so the list of vulnerabilities gets longer with each new scan. As a result, figuring out which vulnerabilities to prioritize and how becomes a daunting task as there are too many unpatched systems and too many updates.

7. Patching SLAs

Even after knowing which systems are vulnerable or need to be patched, you don’t know if the mitigation steps you plan to take will reduce risk. And what about systems that can’t be patched right away or at all. What do you do about those? Often, it is also not clear what your options for reducing risk are if patching is not possible or if you can reduce the risk from an unpatched asset by using an appropriate compensating control.

Making your job of keeping systems patched easier

Balbix replaces legacy vulnerability management and multiple point products to continuously assess your enterprise’s cybersecurity posture and prioritize open vulnerabilities based on business risk so you can maximize your patching efforts.

 

The Balbix platform:

  • Automatically discovers, categorizes, and determines business criticality of all assets
  • Prioritizes vulnerabilities based on business risk, a function of likelihood and impact
  • Enables you to define risk areas appropriate for your business using natural language search, and then maps your vulnerabilities to these areas.
  • Enables you to act on mitigation steps appropriate to the unpatched system (patching, accepting risk, or using compensating controls)
  • Allows you to set up target mean-time-to-patch SLAs for vulnerabilities of different likelihood values for asset groups of different business impact levels.
  • Provides the ability to set up your business risk areas and manage how vulnerabilities in these areas are automatically mapped to their asset-group owners with risk-based priority.

With Balbix, you can report on your patching posture using customized dashboards to track and show key metrics like mean- time-to-patch (MTTP) by asset criticality, patching posture compliance with SLAs by site, global patching insights and more.

Get in touch with us to see how we can help you make this challenging job of keeping your IT systems patched more efficient.