Getting a Handle on Patch Management
Recent high-profile malware attacks serve as a reminder of the importance of strong patch management practices
By: Dennis Dwyer
The WannaCry and NotPetya attacks exposed just how far behind organizations often are when it comes to patching their software and systems. Both relied on an exploit for a Windows SMB vulnerability that Microsoft had already closed with the MS17-010 update (KB4013389) released in March 2017. Yet when the attacks struck months later, that same exploit still compromised victims who had not applied the patch.
There is no way around it: an effective patch management program is a critical part of protecting your infrastructure. Still, businesses, government agencies and educational institutions of all sizes commonly fall behind in deploying patches, for reasons ranging from the size and complexity of their environments to a lack of resources and budget. Overcoming these issues requires a focus on three vital areas.
Know What You Have
One of the most common obstacles to effective patching is that many organizations do not have an accurate inventory of the software and systems in their environment. This is particularly true in the distributed environment of today's enterprises: with the adoption of cloud and mobile applications and infrastructure, the number of machines and pieces of software that must be accounted for has grown sharply. Organizations should create and maintain an accurate list of every system in their environment, the software on each system, and its patch level. You cannot patch what you do not know you have. A plethora of network discovery tools can help with this process, and the results of a discovery scan should be reconciled against the inventory so that hosts nobody knew about are brought under management rather than left as permanent blind spots.
Contextualize and Prioritize
Threat intelligence is a crucial element here. Not all vulnerabilities are created equal; some need to be patched sooner than others. Determining which is partly a matter of knowing whether there are current attacks targeting the vulnerability, and whether it affects critical applications or systems. Another factor is whether the affected systems are likely to be attacked at all: are they Internet-facing, or can they only be reached once an attacker already has a foothold inside? All of these factors change the severity of an issue in your environment, and therefore its priority, regardless of the generic severity score the vendor assigns. To help with this process, many organizations purchase threat intelligence feeds to keep them abreast of new exploits as well as the release of patches. Some vendors publish their own guidance, such as Microsoft's Exploitability Index, which rates how likely each disclosed vulnerability is to be exploited.
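The following is an added example, not code from the article or from any vendor, of how the factors above can be combined into an ordered patch queue. The score weights, priority tiers, patch-by deadlines and the sample bulletins and hosts are all assumed for illustration; the only external convention it uses is Microsoft's Exploitability Index values (0 = exploitation detected, 1 = more likely, 2 = less likely, 3 = unlikely).

```python
from dataclasses import dataclass
from typing import List, Tuple

# Assumed patch-by deadlines (days after release) for each priority tier.
# This is a sample policy for the example; the article specifies no SLAs.
SLA_DAYS = {"P1": 3, "P2": 14, "P3": 30, "P4": 90}


@dataclass
class Host:
    name: str
    internet_facing: bool   # reachable from the Internet
    critical: bool          # hosts a business-critical application


@dataclass
class Vulnerability:
    vuln_id: str               # CVE or vendor bulletin id
    cvss: float                # vendor/NVD base score, 0-10
    exploited_in_wild: bool    # active attacks reported by a threat-intel feed
    exploitability_index: int  # Microsoft Exploitability Index: 0 = exploitation
                               # detected, 1 = more likely, 2 = less likely, 3 = unlikely
    affected: List[Host]       # hosts in *our* inventory that carry the flaw


def score(v: Vulnerability) -> float:
    """Environment-aware risk score: the vendor's severity plus the contextual
    factors the article lists (active exploitation, exposure, criticality)."""
    if not v.affected:
        return 0.0                # not present in our environment: no risk here
    s = v.cvss
    if v.exploited_in_wild:
        s += 4.0                  # already being used against real targets
    elif v.exploitability_index <= 1:
        s += 2.0                  # vendor expects reliable exploits soon
    if any(h.internet_facing for h in v.affected):
        s += 2.0                  # attackers can reach it without a foothold
    if any(h.critical for h in v.affected):
        s += 2.0                  # compromise would hit a critical system
    return round(s, 2)


def tier(s: float) -> str:
    """Map a score to a priority tier; thresholds are part of the sample policy."""
    if s >= 14.0:
        return "P1"
    if s >= 10.0:
        return "P2"
    if s >= 6.0:
        return "P3"
    return "P4"


def prioritize(vulns: List[Vulnerability]) -> List[Tuple[str, str, int]]:
    """Return (vuln_id, tier, patch-by days) ordered most urgent first."""
    ranked = sorted(vulns, key=score, reverse=True)
    return [(v.vuln_id, tier(score(v)), SLA_DAYS[tier(score(v))]) for v in ranked]


# Constructed sample hosts and bulletins (not real data).
WEB01 = Host("web01", internet_facing=True, critical=False)
FS01 = Host("fs01", internet_facing=False, critical=True)
LAB01 = Host("lab01", internet_facing=False, critical=False)

SAMPLE = [
    Vulnerability("BULLETIN-A", 8.1, True, 0, [WEB01, FS01]),  # exploited, exposed, critical
    Vulnerability("BULLETIN-B", 9.8, False, 3, [LAB01]),       # "critical" rating, isolated lab box
    Vulnerability("BULLETIN-C", 6.5, False, 1, [WEB01]),       # medium rating, but exposed
    Vulnerability("BULLETIN-D", 7.5, True, 0, []),             # exploited, but nothing we run is affected
]

if __name__ == "__main__":
    for vuln_id, t, days in prioritize(SAMPLE):
        print(f"{vuln_id}: {t}, patch within {days} days")
```

Note how the ordering differs from a pure CVSS sort: BULLETIN-C (6.5) outranks BULLETIN-B (9.8) because the lower-rated flaw sits on an Internet-facing host with an exploit expected soon, while the higher-rated one only touches an isolated lab machine. An exploited bulletin that affects nothing in the inventory drops to the bottom, which is only possible because the inventory from the previous section exists.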
Instrument your Environment
Effective patch management also requires deep visibility into your environment and its patch levels: if you can't monitor it, you can't manage it. This, too, relates to threat intelligence. Knowing what types of attacks or suspicious activity are going on in your environment helps you understand the tactics an attacker is likely to use against your organization, and over time that knowledge feeds back into the prioritization process. Likewise, it is important to measure the effectiveness of your patching process. At a minimum that means knowing, for each patch, how many systems it applies to, how many have it installed, how long each took to patch after the vulnerability was disclosed, and how long unpatched systems have been exposed; it also means assessing how effective a particular patch was in stopping attacks compared with other security controls.
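As an added example serving both the inventory section and the measurement point above (not code from the article), the script below reconciles a discovery scan against an asset inventory to surface unmanaged hosts, then computes time-to-patch, SLA compliance and exposure windows for one patch. The inventory, the discovered host list, the patch identifier KB-SAMPLE-1, its release date and the 14-day SLA are all constructed for the example.

```python
from datetime import date
from statistics import mean
from typing import Dict, List, Optional

# Constructed sample data (not real hosts or patches). Each inventory record holds
# the platform, exposure, and the install date of every patch found on the host.
PATCH_ID = "KB-SAMPLE-1"          # hypothetical patch identifier
RELEASED = date(2017, 3, 14)      # assumed release date of PATCH_ID
SLA_DAYS = 14                     # assumed policy: applicable hosts patched within 14 days
AS_OF = date(2017, 5, 12)         # date the report is produced

INVENTORY: Dict[str, dict] = {
    "web01": {"os": "windows", "internet_facing": True,  "patches": {PATCH_ID: date(2017, 3, 20)}},
    "fs01":  {"os": "windows", "internet_facing": False, "patches": {}},
    "db01":  {"os": "windows", "internet_facing": False, "patches": {PATCH_ID: date(2017, 4, 28)}},
    "lx01":  {"os": "linux",   "internet_facing": True,  "patches": {}},
}

# Hosts a network discovery scan actually saw (constructed). The last one is not in
# the inventory at all: the blind spot the inventory section warns about.
DISCOVERED = {"web01", "fs01", "db01", "lx01", "10.0.0.57"}


def unmanaged_hosts(discovered: set, inventory: Dict[str, dict]) -> List[str]:
    """Hosts on the network that the inventory does not know about."""
    return sorted(discovered - inventory.keys())


def applicable_hosts(inventory: Dict[str, dict], os_name: str) -> List[str]:
    """Hosts that run the platform the patch applies to."""
    return [h for h, rec in inventory.items() if rec["os"] == os_name]


def time_to_patch(inventory: Dict[str, dict], patch_id: str, os_name: str,
                  released: date) -> Dict[str, Optional[int]]:
    """Days from release to install for each applicable host; None if still missing."""
    out: Dict[str, Optional[int]] = {}
    for h in applicable_hosts(inventory, os_name):
        installed = inventory[h]["patches"].get(patch_id)
        out[h] = (installed - released).days if installed else None
    return out


def patch_report(inventory: Dict[str, dict], patch_id: str, os_name: str,
                 released: date, sla_days: int, as_of: date) -> dict:
    """Compliance and exposure metrics for one patch across the inventory."""
    ttp = time_to_patch(inventory, patch_id, os_name, released)
    patched = {h: d for h, d in ttp.items() if d is not None}
    missing = sorted(h for h, d in ttp.items() if d is None)
    breached = sorted(h for h, d in ttp.items() if d is None or d > sla_days)
    # Window of vulnerability per host: closed at install, or still open as of today.
    exposure = {h: (d if d is not None else (as_of - released).days) for h, d in ttp.items()}
    return {
        "applicable": len(ttp),
        "compliant_pct": round(100.0 * (len(ttp) - len(breached)) / len(ttp), 1) if ttp else 100.0,
        "missing": missing,
        "sla_breached": breached,
        "mean_ttp_days": round(mean(patched.values()), 1) if patched else None,
        "exposure_days": exposure,
    }


if __name__ == "__main__":
    print("unmanaged hosts:", unmanaged_hosts(DISCOVERED, INVENTORY))
    report = patch_report(INVENTORY, PATCH_ID, "windows", RELEASED, SLA_DAYS, AS_OF)
    for k, v in report.items():
        print(f"{k}: {v}")
```

The unmanaged host is reported first because the rest of the numbers are only as trustworthy as the inventory they are computed from. The exposure window is the metric the next section is about: a host that never installs the patch keeps accruing days until the report date, so the figure only stops growing when the hole is actually closed.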
Closing the Window of Vulnerability
A good patch management program reduces the amount of time attackers have to target an organization before a security hole is closed. It is an arms race of sorts, a battle between cybercriminals and corporations to see who can move fastest, and best. By knowing what you have, prioritizing the right vulnerabilities, and measuring how quickly they are actually closed, you can stay a step ahead of attackers.