Cybercriminals don't wait for companies to patch a vulnerability. The attack usually follows quickly and must then be expected. Risk-based patch management is recommended so that the time factor loses some of its weight.
From the moment a vulnerability is published, it takes an average of just 22 days to develop a working exploit. On the company side, however, it takes between 100 and 120 days on average until an available patch is deployed. One reason for this discrepancy is certainly that companies have long been overwhelmed by the sheer number of new vulnerabilities.
Vulnerabilities: An exploit will be available in 22 days
The NVD (National Vulnerability Database) counted almost 22,000 new vulnerabilities in 2021, 10% more than in the previous year and probably 20% fewer than in 2022. Compliance-oriented patch management is no longer able to keep up with this pace. Risk-based patch management, however, offers a fundamentally different approach. The basic idea: instead of trying (in vain) to close every weak point, the vulnerabilities that pose an actual risk to the particular company are addressed first.
What sounds like a truism poses very particular challenges for IT organizations when it comes to implementation. Using five best practices, security vendor Ivanti shows how they can be overcome and turned into greater security:
1: Take stock of the situation
You can't protect what you don't know. Risk-based patch management therefore always begins with an inventory. What resources are in the corporate network? Which end user profiles use these assets? Before the coronavirus pandemic, asset management was far less complicated: a thorough look around the office was enough. In the "Everywhere Workplace", that is hardly possible. Risk-based patch management only works in this new situation if all assets can be discovered, assigned, secured and maintained at any location - even when they are offline.
2: Get everyone involved on the same page
In many organizations today, one team is responsible for vulnerability scanning and pen testing, the security team is responsible for setting priorities, and the IT team is responsible for carrying out remediation. As a result, there are sometimes serious gaps between the findings produced by security and the remediation actually carried out by IT.
Risk-based patch management creates a connection between the departments. It requires that external threats and the internal security environment be viewed together. The basis is a risk analysis that both departments can accept. This opens up a way for the security team to prioritize only the most critical vulnerabilities. The colleagues from IT operations, in turn, can concentrate on the important patches at the right time. In this way, risk-based patch management gives everyone more breathing space.
3: Underpin patch management with an SLA
Security and IT operations teams must work together to develop a risk-based patch management solution; that is one thing. The other is to empower and motivate them. A service level agreement (SLA) for patch management between IT operations and IT security puts an end to the back and forth by standardizing the patch management processes. It sets departmental and enterprise-wide goals for patch management, establishes best practices and processes, and fixes maintenance windows that all stakeholders can accept.
4: Organize patch management with pilot groups
Done right, a risk-based patch management strategy enables IT operations and security teams to work quickly, identify critical vulnerabilities in real time, and patch them as fast as possible. For all the emphasis on speed, one thing still holds: a hasty patch carries the risk of crashing business-critical software or causing other problems.
Pilot groups drawn from as broad a cross-section of the company as possible should therefore test vulnerability patches in a live environment before they are fully rolled out. If the pilot group discovers a bug, it can be fixed with minimal impact on the business. The pilot groups should be established and trained in advance so that this process does not hold up patch progress.
5: Use automation
The purpose of risk-based patch management is to remediate vulnerabilities efficiently and effectively while reducing the burden on staff. This is particularly true given the thin IT staffing levels in many companies. Automation dramatically accelerates risk-based patch management by analyzing, contextualizing, and prioritizing vulnerabilities around the clock (24/7), at the speed needed. Similarly, automated patch management can also segment a patch rollout to test effectiveness and downstream impact, complementing the work of the pilot groups.
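The prioritization idea behind practices 1, 3 and 4, and the automated "analyze, contextualize, prioritize" step just described, can be shown end to end in a small script. The example below is added here for illustration and is neither Ivanti's product logic nor a published scoring standard: the asset inventory, the findings, the vulnerability ids (placeholders, not real CVE numbers), the weighting multipliers and the SLA tiers are all constructed assumptions. It ranks each finding by severity in context (exploit availability or the article's 22-day exploit window, internet exposure, asset criticality), derives an SLA due date from the score, reports assets that have findings but are missing from the inventory, and splits the rollout into a pilot wave and a main wave.

```python
from dataclasses import dataclass
from datetime import date, timedelta

EXPLOIT_WINDOW_DAYS = 22   # average time to a working exploit cited in the article


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int        # 1 (low) .. 5 (business-critical); assumed scale
    internet_facing: bool
    last_seen: date         # last inventory check-in; offline assets stay in scope


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str            # constructed placeholder ids, not real CVE numbers
    cvss: float             # base severity, 0.0 .. 10.0
    exploit_public: bool    # a working exploit is already known
    published: date


def exploit_likely(f: Finding, today: date) -> bool:
    """Treat a vulnerability as exploitable once an exploit is public or the
    finding is older than the 22-day average; this only ever raises priority."""
    return f.exploit_public or (today - f.published).days >= EXPLOIT_WINDOW_DAYS


def risk_score(f: Finding, a: Asset, today: date) -> float:
    """Severity plus context. The multipliers are assumed weights for illustration."""
    score = f.cvss
    if exploit_likely(f, today):
        score *= 1.5                              # exploit in the wild or expected
    if a.internet_facing:
        score *= 1.3                              # reachable from outside
    score *= 1 + (a.criticality - 1) * 0.25       # 1.0x .. 2.0x by asset importance
    return score


def sla_days(score: float) -> int:
    """Assumed SLA tiers agreed between security and IT operations (practice 3)."""
    if score >= 15:
        return 7
    if score >= 10:
        return 30
    if score >= 5:
        return 90
    return 180


def inventory_gaps(findings, assets) -> list[str]:
    """Practice 1: findings on assets the inventory does not know about."""
    known = {a.name for a in assets}
    return sorted({f.asset for f in findings if f.asset not in known})


def prioritize(findings, assets, today: date) -> list[dict]:
    """Rank findings by contextual risk and attach an SLA due date."""
    by_name = {a.name: a for a in assets}
    rows = []
    for f in findings:
        a = by_name.get(f.asset)
        if a is None:
            continue                              # reported separately by inventory_gaps
        s = risk_score(f, a, today)
        rows.append({
            "asset": f.asset, "vuln_id": f.vuln_id, "score": s,
            "sla_days": sla_days(s), "due": today + timedelta(days=sla_days(s)),
            "offline": (today - a.last_seen).days > 7,   # assumed offline threshold
        })
    rows.sort(key=lambda r: (-r["score"], r["due"]))
    return rows


def plan_rollout(rows, pilot_assets):
    """Practice 4: the pilot group patches first; the rest follow once it is clean."""
    pilot = [r for r in rows if r["asset"] in pilot_assets]
    rest = [r for r in rows if r["asset"] not in pilot_assets]
    return pilot, rest


# Constructed sample inventory and scan findings
TODAY = date(2023, 3, 1)
ASSETS = [
    Asset("web-01", 5, True, TODAY),
    Asset("hr-laptop-17", 2, False, TODAY - timedelta(days=40)),   # offline laptop
    Asset("build-srv", 4, False, TODAY),
]
FINDINGS = [
    Finding("web-01", "VULN-0001", 9.8, True, TODAY - timedelta(days=5)),
    Finding("hr-laptop-17", "VULN-0002", 7.5, False, TODAY - timedelta(days=30)),
    Finding("build-srv", "VULN-0003", 4.0, False, TODAY - timedelta(days=3)),
    Finding("web-01", "VULN-0004", 3.1, False, TODAY - timedelta(days=1)),
    Finding("unknown-host", "VULN-0005", 8.0, True, TODAY - timedelta(days=2)),
]

if __name__ == "__main__":
    for gap in inventory_gaps(FINDINGS, ASSETS):
        print(f"inventory gap: {gap} has findings but is not in the asset list")
    ranked = prioritize(FINDINGS, ASSETS, TODAY)
    pilot, rest = plan_rollout(ranked, {"build-srv"})
    for wave, rows in (("pilot", pilot), ("main", rest)):
        for r in rows:
            flag = " (offline, patch on reconnect)" if r["offline"] else ""
            print(f"{wave:5} {r['asset']:13} {r['vuln_id']} score={r['score']:.2f} "
                  f"due={r['due']} ({r['sla_days']}d){flag}")
```

With this data the internet-facing, business-critical web server with a public exploit lands at the top with a 7-day SLA, the laptop finding is promoted because it is already past the 22-day window even though no exploit is known, and the unknown host shows up as an inventory gap rather than silently dropping out of the ranking.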
The wrong metric: number of patches installed
While managing cyber risk used to be primarily about the number of patches installed, this approach is now obsolete. The ability to automatically identify, prioritize, and even remediate vulnerabilities without excessive manual intervention is a key advantage in today's cybersecurity landscape.
An intelligent threat and vulnerability management (TVM) solution must also be able to present results that are understandable for IT and security teams right up to the corporate board. A cybersecurity score, in turn, allows the effectiveness of an organization's risk-based approach to be measured. It simplifies planning and replaces purely activity-based metrics for fixing vulnerabilities.
More at Sophos.com