Software Patch Management Policy Best Practices
Explore the top risk-based patch management policy best practices to mitigate the growing threat of vulnerability exploits in your organization.
Cybersecurity Awareness Month 2022 Series
In today’s digital-first world, organizations cannot overlook the critical importance of a sound patch management policy. According to the Identity Theft Resource Center’s 2021 Annual Data Breach Report, there were 1,862 confirmed compromises, up by more than 68% from 2020. Of these breaches, the 2022 Data Breach Investigations Report determined that the share caused by vulnerabilities more than doubled from last year, to 7%.
But navigating the sheer number of vulnerabilities and patches available is overwhelming. In 2021, the Trend Micro™ Zero Day Initiative™ publicly disclosed 1,543 vulnerabilities, 68% of them categorized as critical or high severity. On top of that, vendors are (rightfully) sending patches out to clients every day, further inundating companies with a growing list of vulnerabilities to address.
What does a successful patch management policy strategy look like? It starts with a risk-based approach to stay up-to-date with new vulnerabilities while preventing bottlenecks in security workflows.
These top five patch management policy best practices can help organizations create a strong defense program against vulnerability exploitation.
1. Identify Which Patches Are Most Relevant
Of the 28,000 CVEs published by MITRE last year, it’s unlikely that a single organization – even the most sophisticated – would find every one applicable to their business. To cut through the noise of constant updates, security teams must identify which patches are the most relevant to their organization’s daily operations.
Organizations should start by focusing only on the bugs relevant to the application systems they use in-house. From that point, security teams can work to identify which of those bugs are being actively exploited and which affect the business’s critical infrastructure. These are the key vulnerabilities to home in on – the ones that could pose significant harm to your organization.
The next step is to identify those applications and/or operating systems whose vulnerabilities are being actively exploited in the wild. A good resource is the CISA Known Exploited Vulnerabilities catalog, which lists these vulnerabilities. Also prioritize any vulnerabilities that have a public proof of concept (POC) that we’ve seen weaponized by malicious actors.
An important part of this stage is gaining full visibility into an organization’s entire footprint. With businesses of any size, old applications, networks, systems, devices, and servers can go undetected. This opens a range of possibilities for malicious actors to exploit vulnerabilities that organizations didn’t even know applied to them.
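The triage order described in this section, as an added worked example (not code from the original article): filter advisories down to software that actually appears in the asset inventory, then rank what remains by known exploitation, weaponized public PoC, and whether the host is business-critical, using CVSS only as a tie-breaker. The inventory, advisories, CVE ids (year 0000) and the stand-in for the CISA KEV catalog are all constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    critical: bool  # part of business-critical infrastructure?

@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    affected: frozenset  # exact versions known to be vulnerable
    cvss: float
# Constructed sample data. Product names and CVE ids (year 0000) are placeholders.
INVENTORY = [
    Asset("web-01", "ExampleWeb", "2.1", critical=True),
    Asset("hr-db", "ExampleDB", "9.4", critical=True),
    Asset("kiosk-7", "ExampleKiosk", "1.0", critical=False),
]
ADVISORIES = [
    Advisory("CVE-0000-0001", "ExampleWeb", frozenset({"2.0", "2.1"}), 9.8),
    Advisory("CVE-0000-0002", "ExampleDB", frozenset({"9.4"}), 7.5),
    Advisory("CVE-0000-0003", "ExampleKiosk", frozenset({"1.0"}), 8.1),
    Advisory("CVE-0000-0004", "UnusedSuite", frozenset({"5.0"}), 10.0),  # not deployed
]
KNOWN_EXPLOITED = {"CVE-0000-0002"}  # stands in for the CISA KEV catalog
WEAPONIZED_POC = {"CVE-0000-0003"}   # public PoC seen used by attackers

def tier_for(exploited: bool, critical: bool) -> int:
    """0 = exploited on a critical asset, 1 = exploited anywhere,
    2 = unexploited but on a critical asset, 3 = everything else."""
    if exploited:
        return 0 if critical else 1
    return 2 if critical else 3

def triage(inventory, advisories, kev, weaponized):
    """Return (cve, host, tier) tuples, most urgent first."""
    findings = []
    for adv in advisories:
        for asset in inventory:
            # Step 1 of the article: drop bugs in software we do not actually run.
            if asset.product != adv.product or asset.version not in adv.affected:
                continue
            exploited = adv.cve in kev or adv.cve in weaponized
            findings.append((adv.cve, asset.host, tier_for(exploited, asset.critical), adv.cvss))
    # Tier decides the order; CVSS only breaks ties inside a tier.
    findings.sort(key=lambda f: (f[2], -f[3]))
    return [(cve, host, tier) for cve, host, tier, _ in findings]
```

Note that the CVSS 9.8 bug on web-01 ranks below the 8.1 bug on the kiosk because the latter is being weaponized, and the CVSS 10.0 advisory disappears entirely because nothing in the inventory runs that product.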
2. Make A Zero-Day Plan for When, Not If
Eighteen zero-day exploits have already been used in the first half of 2022 and half of these zero-day exploits are variants of bugs that were previously identified. Today’s malicious actors are growing more innovative, with many now analyzing recommended patches and finding vulnerabilities within these patches themselves.
Moreover, zero-day exploits are extremely lucrative for threat actors. Investigative journalist Brian Krebs recently reported that a Google Chrome zero-day exploit sold for a staggering $2M. As such, zero-day vulnerabilities will always be a matter of when, not if.
Zero-days are difficult to defend against due to their very nature; they’re new vulnerabilities that can shift and evolve at any time. As a result, organizations may have an exploitable bug in their network without even knowing it.
Consistent monitoring for suspicious activity inside of networks is a must for defense against zero-day exploits. Staying up to date with bug bounty programs that leverage global threat intelligence, such as the Zero Day Initiative, is an ideal way to monitor these bugs and gain insight into public patches to fix vulnerabilities. Security leaders and decision makers can use the report Quantifying the Public Vulnerability Market: 2022 Edition by Omdia Research for more insights into leading bug bounty programs.
3. Communicate with Vendors
Today, organizations can invest in SaaS versions of applications, meaning vendors can automatically apply patches and updates to software without needing action or authorization. But patches are made by people, and people are subject to human error. Sometimes, even a good patch can temporarily take a system down. For businesses that operate on a 24/7 basis, this can incur huge opportunity costs.
To prevent potential issues with automated patching, organizations should communicate with their vendors about the possibility of rollbacks to previous versions of software. Rollbacks can also be useful in situations similar to the 2021 SolarWinds breach, where new updates are rolled out but infected. Additionally, businesses should ask whether these rollbacks can be done in an automated way or whether they will need to roll back a patch manually.
4. Utilize Virtual Patching
Unlike conventional patching, a virtual patch is a short-term stand-in for the actual fix to a known vulnerability. Virtual patches can be applied without having to reboot systems, making them great interim substitutes while waiting for a vendor patch to be released. Think of it like applying heavy-duty plumbing tape to a leaky pipe while waiting for the plumber to replace it entirely.
Virtual patches can work for organizations in several ways:
- They allow organizations the time to perform QA and ensure that the potential patch works.
- They’re a helpful tool for businesses to determine which patches to deploy without remaining vulnerable.
- They offer a solution to protect operating systems that are unsupported by vendors, but still necessary for business operations.
Operational technologies (OT) are a prime case for virtual patching. Frequently untouched and unsupported for sometimes upwards of 20 years, OT systems are a growing target for malicious actors. Gartner predicts that threat actors will weaponize OT environments for commercial harm and reputational vandalism by 2025. Leveraging network-based virtual patches can provide a strong level of protection for these increasingly common attack vectors.
5. Share Benefits with Stakeholders
A cybersecurity program is only as strong as an organization’s belief in it. When it comes to communicating with stakeholders about instituting a patch management policy strategy, the emphasis is all on risk. Exploited vulnerabilities carry an extremely high risk of compromise. As businesses continue to grow their footprints with more software and hardware, so will the potential for a malicious attack.
These attacks are never without consequences. Research from IBM’s 2021 Cost of a Data Breach Report revealed that data breach costs in 2021 rose from USD$3.86M to $4.24M – the highest average total cost in the history of the report.
Cybersecurity is a significant investment, but the cost of not investing is even greater. Vulnerability exploits will continue to increase each year, so organizations should focus on developing a sound patch management policy strategy to build a strong foundation for their cybersecurity practices, which helps take them to the next level.
Stay Ahead of Vulnerability Exploits with Efficient Patch Management Policy
Today’s malicious actors are always looking for new and emerging vulnerabilities to exploit. With the sheer volume of patches released each day, organizations must make strategic decisions on which patches to prioritize based on their unique needs.
Defend your organization from the vulnerability exploits of tomorrow by adopting a patch management strategy that empowers your organization to take control and mitigate cyber risk across the enterprise.
Better yet, consider a vendor with a unified cybersecurity platform that leverages global threat intelligence on zero-day and n-day vulnerabilities and virtual patching. A platform removes visibility and data silos between disparate point products, enabling security teams to discover, assess, and prioritize vulnerable systems across your IT infrastructure.
To learn more about the Zero Day Initiative and cyber risk management, check out these resources: