Story image

Three key steps to improving security patching

26 Nov 18

Article by Flexera A/NZ sales director Hugh Darvall

In a world where everything seems to be urgent, managing and prioritising security risks associated with patching can be a pain point for enterprises with a lack of visibility into their systems and questions around which department is responsible for guaranteeing software security.

The key priority for an operations team is the security endpoints whereby uptime and user satisfaction needs to be guaranteed.

However, this often suffers when reboots and application restarts are undertaken when deploying patches.

Adding to the complications, resource constraint means it’s tough to minimise risk and determine a holistic, multi-departmental collaboration focused on specific risk policies and profiles.

Unfortunately, compliance pressure doesn’t help either, as more often than not it ends up being just a checkbox rather than a mechanism for improving security.

While the bare minimum is undertaken very reluctantly to satisfy the auditors, there’s still a significant amount of fire drill and distraction from the daily grind.

Off the back of this, many IT departments only patch the top software applications such as Microsoft, Adobe and browsers, which allows them to demonstrate that the business is compliant while satisfying the security needs of the organisation.

In reality, however, this way of thinking is a misconception that leads to a reduced security posture and an unnecessarily high risk for a breach, costing businesses on average $2.5 million each time.

Flexera’s new Vulnerability Review report highlights that realistically, the vast majority of vulnerabilities are found in applications from vendors outside the top brands, leaving enterprises at high risk of a data breach.

IT professionals should consider a three-pronged approach with a vulnerability risk management programme including visibility, prioritisation and automated remediation:

Visibility of patching needs

Firstly, IT departments need to understand what applications are running in the endpoints that require security mitigation – for example, patch or compensating control.

Approaching this from a pure software inventory perspective is a mistake because it takes time that nobody has.  

Instead, they should undertake a proper, risk-based assessment of the patching needs by automatically correlating the installed applications’ exact versioning data with known documented vulnerabilities that have been vetted and curated. 

This process will reduce false positives and let security professionals rank vulnerabilities in terms of risk to the business.

Prioritisation

It’s extremely important that IT departments use a risk-scoring system that helps them move fast to remediate the highest-risk vulnerabilities first.

Risk controls vary from organisation to organisation. 

But at a minimum, teams should evaluate vulnerability criticality, affected asset sensitivity and pervasiveness of the vulnerable software.

With these three elements considered, IT can exercise judgement on where to concentrate efforts to achieve the most effective outcome.

Automated remediation

Some organisations are adamant about testing all the applications that get deployed to their end users. 

Others simply prioritise fast security roll-ups and publish every patch needed as soon as it’s released by the vendor.

However, the middle ground is the most effective.

Some managed applications (i.e. those sanctioned by the organisation) are more critical than others because some may run critical business processes. 

The most critical applications should be thoroughly tested before mass deployment.

The other less critical managed applications should be patched regularly, preferably in a semi-automated way. 

The outlier problems can be dealt with afterwards.

IT should pay the most attention to the unmanaged applications sprawling across the organisation’s environment –automatically patching them mercilessly.

These applications are not sanctioned by the business and pose a great risk because they often either get ignored or bypassed for policy enforcement.

Ideally, these applications should be removed from the wider IT environment and their deployment controlled by an enterprise App Store with stringent workflows for approvals.

This will largely mitigate the risk they pose to the business.

In the past, it was easy for IT departments to manage vulnerabilities and risks based on their degree of seriousness.

Now with the amount of data generated, security incidents are affecting business viability, market competitiveness and even the life of ordinary citizens.

Organisations need to implement an approach to patching that improves security and creates a seamless process to prevent the risk of a future attack.

JASK prepares for global rollout of their AI-powered ASOC platform
The JASK ASOC platform automates alert investigations, supposedly freeing the SOC analyst to do what machines can’t. 
Pitfalls to avoid when configuring cloud firewalls
Flexibility and granularity of security controls is good but can still represent a risk for new cloud adopters that don’t recognise some of the configuration pitfalls.
Securing hotel technology to protect customer information
Network security risks increase exponentially as hotels look to incorporate newer technologies to support a range of IoT devices, including smart door locks.
Why total visibility is the key to zero trust
Over time, the basic zero trust model has evolved and matured into what Forrester calls the Zero Trust eXtended (ZTX) Ecosystem.
Gartner names Proofpoint Leader in enterprise information archiving
The report provides a detailed overview of the enterprise information archiving market and evaluates vendors based on completeness of vision and ability to execute.
Tensions on the rise after Huawei CFO arrest
“Recently our corporate CFO, Meng Wanzhou, was provisionally detained by the Canadian authorities on behalf of the United States of America."
Palo Alto Networks integrates RedLock and VM-Series with AWS Security Hub
AWS Security Hub is designed to provide users with a comprehensive view of their high-priority security alerts and compliance status.
Juniper simplifies data integration to improve threat detection
Updates to the Juniper Advanced Threat Prevention Appliances leverage third-party firewalls and security data sources.