Why Patch Management Matters and How to Create an Effective Strategy
Patch management provides critical assessment and maintenance that software requires for managing cybersecurity vulnerabilities with each release. Managing the ways your software becomes vulnerable is key to preventing cybersecurity risk.
For illustration, consider patch management in the way you think about maintaining a car. You wouldn’t expose yourself to risk with your vehicle like going without an oil change or replacing weak brakes or balding tires. In the same way, software must be maintained to avoid and mitigate vulnerabilities.
Car manufacturers take maintenance seriously or void your warranty. They fix or add features in each new model year to improve safety and performance. Software developers engage in the same activity, making necessary changes and improvements with each software release, addressing security concerns, and upgrading performance.
However, software developers must work at a much faster pace than car manufacturers. Each software version—whether a year old or brand new—contains vulnerabilities. The only way to navigate this risk is to test software and remain diligent with all regular updates.
Data & History Highlight Patch Management Value
In 2017, a pivotal moment in cybersecurity occurred when the ransomware called WannaCry exploited a vulnerability in Windows XP, an operating system in existence for more than a decade, crippling Britain’s National Health Service (NHS) for weeks. Organizations like Britain’s NHS commonly used systems rolled over from year-to-year to execute critical duties. However, accumulating software from a variety of past iterations, without considering changes to security and improvements to performance, is a recipe for disaster.
Similarly, statistical data highlights the necessity of implementing a patch management strategy. A Ponemon Institute study found that 39 percent of respondents knew they had a vulnerability before breaching. Another study from Ponemon in 2019 shared that 48 percent of respondents reported a minimum of one data breach in the past two years.
Most importantly, two out of three respondents stated that a patch solution was available for the known vulnerability, but never applied.
A careful and effective patch management strategy is the most prudent approach to thwarting these easy-to-avoid breaches. The best plans, however, are built on a policy that includes an inventory of assets, current testing capabilities, and a model that prioritizes particular updates.
Three Core Functions of an Effective Patch Management Strategy
The types and levels of sophistication found in software today continue to expand exponentially. This growth and diversity create higher levels of risk and vulnerability. Software purchasers, rather than developers, bear the responsibility for discovering safety holes.
Enterprise that consume software can create an effective patch management strategy by establishing three core functions — inventory or asset management, testing, and prioritization.
Below, we examine each of these areas in greater detail, providing direction for developing and implementing a patch management strategy.
Patch Management Function #1: Asset Inventory and Management
Companies are deploying a more extensive array of software resources and increasing the number of responsible users. This uptick in volume and diversity translates into higher risk and significantly more time needed to install patches. A streamlined and unified system of asset inventory is necessary for managing this influx of vulnerability.
Begin with creating a singular unified asset inventory, including registering risks, changes, ownership, permissions, origins, and data classifications. These data points contain evidence of security exposure. Investing the time to maintain a single asset inventory, and ensuring your applications are compatible with it, is a challenging endeavor for an organization of any size.
Consult the Common Vulnerability and Exposure (CVE) publication, provided by the US government and partner corporation Mitre, as a viable resource to assist in developing this inventory and identifying typical risks.
Also, an asset inventory is only as useful as it’s testing and patching documentation. If a specific patch is tested and found to be ineffective, this data should be noted in the inventory and efforts should be launched to address it.
Patch Management Function #2: Testing
Software developers serve a vital and capable role, but their efforts at design and testing cannot feasibly account for every potential variant to security risks. And, because software developers don’t know your particular environment or platform, the software consumer must take on the responsibility for their unique specifications. Testing is critical for consumers to inform patch management efforts to know how best to prioritize threats.
Patch Management Function #3: Prioritization
Lastly, a patch management strategy must calculate associated risks for variables like cost, probability, maintenance, userbase, and data volume. This calculation drives patch prioritization.
Clarifying priorities is an example of the vitality and value of your governance, risk, and compliance (GRC) program. A viable GRC program should consist of the critical metrics and expertise required to prioritize threats and inform decisions around how to best address these risks. The Common Vulnerability Scoring System (CVSS) is a robust and useful open-source model that supports prioritizing patches with some tailoring to your organization’s specific needs.
While this process reveals more risks and exposures, calculating and registering a vulnerability gives you valuable information to guide the prioritization of time, effort, and focus.
Patch Management Resources
The raw volume of patches your organization faces can be prohibitive for any organization. Here, we provide some resources to further assist in developing your patch management strategy.
Spread Patch Duties
Depending on how your company acquires and utilizes software, the option may exist to spread duties across multiple departments in your organization.
Consider Outside Assistance
Third-party cybersecurity consultants, like CyLumena, can accelerate the development and execution of your patch management program and priorities. It saves money by focusing internal resources on other high-value security projects, making patch management easier to outsource.
Leverage Open Source Information
Mitre, the Department of Homeland Security; and previous testing done by Mitre, Microsoft, and other research labs, can help you manage and identify persistent software issues.
Look into Automation
Like many enterprise operations, automation benefits patch management by streamlining inventory maintenance, testing, and prioritization. Automating your data analysis and reporting can reduce costs and mitigate many security risks to your next release.
Simplify and Accelerate Your Patch Management Process
Time and data prove the value of patch management. Automation technologies are the latest tool to streamline and simplify laborious management processes. Our team provides seasoned guidance to update your strategy and put new tools in place, making it easier to release resilient software.
Insight Contributor:
Will Defeo, Consultant
Will DeFeo is a CyLumena consultant with experience in code release governance and risk management, having previously worked for PwC in anti-money laundering and as an AmeriCorps VISTA. He is a 2015 graduate of Mercyhurst University’s Ridge College.
