Story image

Three key steps to improving security patching

26 Nov 18

Article by Flexera A/NZ sales director Hugh Darvall

In a world where everything seems to be urgent, managing and prioritising security risks associated with patching can be a pain point for enterprises with a lack of visibility into their systems and questions around which department is responsible for guaranteeing software security.

The key priority for an operations team is the security endpoints whereby uptime and user satisfaction needs to be guaranteed.

However, this often suffers when reboots and application restarts are undertaken when deploying patches.

Adding to the complications, resource constraint means it’s tough to minimise risk and determine a holistic, multi-departmental collaboration focused on specific risk policies and profiles.

Unfortunately, compliance pressure doesn’t help either, as more often than not it ends up being just a checkbox rather than a mechanism for improving security.

While the bare minimum is undertaken very reluctantly to satisfy the auditors, there’s still a significant amount of fire drill and distraction from the daily grind.

Off the back of this, many IT departments only patch the top software applications such as Microsoft, Adobe and browsers, which allows them to demonstrate that the business is compliant while satisfying the security needs of the organisation.

In reality, however, this way of thinking is a misconception that leads to a reduced security posture and an unnecessarily high risk for a breach, costing businesses on average $2.5 million each time.

Flexera’s new Vulnerability Review report highlights that realistically, the vast majority of vulnerabilities are found in applications from vendors outside the top brands, leaving enterprises at high risk of a data breach.

IT professionals should consider a three-pronged approach with a vulnerability risk management programme including visibility, prioritisation and automated remediation:

Visibility of patching needs

Firstly, IT departments need to understand what applications are running in the endpoints that require security mitigation – for example, patch or compensating control.

Approaching this from a pure software inventory perspective is a mistake because it takes time that nobody has.  

Instead, they should undertake a proper, risk-based assessment of the patching needs by automatically correlating the installed applications’ exact versioning data with known documented vulnerabilities that have been vetted and curated. 

This process will reduce false positives and let security professionals rank vulnerabilities in terms of risk to the business.

Prioritisation

It’s extremely important that IT departments use a risk-scoring system that helps them move fast to remediate the highest-risk vulnerabilities first.

Risk controls vary from organisation to organisation. 

But at a minimum, teams should evaluate vulnerability criticality, affected asset sensitivity and pervasiveness of the vulnerable software.

With these three elements considered, IT can exercise judgement on where to concentrate efforts to achieve the most effective outcome.

Automated remediation

Some organisations are adamant about testing all the applications that get deployed to their end users. 

Others simply prioritise fast security roll-ups and publish every patch needed as soon as it’s released by the vendor.

However, the middle ground is the most effective.

Some managed applications (i.e. those sanctioned by the organisation) are more critical than others because some may run critical business processes. 

The most critical applications should be thoroughly tested before mass deployment.

The other less critical managed applications should be patched regularly, preferably in a semi-automated way. 

The outlier problems can be dealt with afterwards.

IT should pay the most attention to the unmanaged applications sprawling across the organisation’s environment –automatically patching them mercilessly.

These applications are not sanctioned by the business and pose a great risk because they often either get ignored or bypassed for policy enforcement.

Ideally, these applications should be removed from the wider IT environment and their deployment controlled by an enterprise App Store with stringent workflows for approvals.

This will largely mitigate the risk they pose to the business.

In the past, it was easy for IT departments to manage vulnerabilities and risks based on their degree of seriousness.

Now with the amount of data generated, security incidents are affecting business viability, market competitiveness and even the life of ordinary citizens.

Organisations need to implement an approach to patching that improves security and creates a seamless process to prevent the risk of a future attack.

Hillstone CTO's 2019 security predictions
Hillstone Networks CTO Tim Liu shares what key developments could be expected in the areas of security compliance, cloud, security, AI and IoT.
Can it be trusted? Huawei’s founder speaks out
Ren Zhengfei spoke candidly in a recent media roundtable about security, 5G, his daughter’s detainment, the USA, and the West’s perception of Huawei.
Oracle Java Card update boosts security for IoT devices
"Java Card 3.1 is very significant to the Internet of Things, bringing interoperability, security and flexibility to a fast-growing market currently lacking high-security and flexible edge security solutions."
Sophos hires ex-McAfee SVP Gavin Struther
After 16 years as the APAC senior vice president and president for McAfee, Struthers is now heading the APJ arm of Sophos.
Half of companies unable to detect IoT device breaches
A Gemalto study also shows that the of blockchain technology to help secure IoT data, services and devices has doubled in a year.
Huawei founder publically denies spying allegations
“After all the evidence is made public, we will rely on the justice system.”
Malware downloader on the rise in Check Point’s latest Threat Index
Organisations continue to be targeted by cryptominers, despite an overall drop in value across all cryptocurrencies in 2018.
IoT breaches: Nearly half of businesses still can’t detect them
The Internet of Thing’s (IoT’s) rapid rise to prominence may have compromised its security, if a new report from Gemalto is anything to go by.