There are three major players when it comes to patch management: security analysts, IT professionals, and attackers. And unfortunately, there is usually a lot of friction between the security and IT teams, preventing them from successfully defending against the attackers. This leads to an asymmetric threat where an attacker only needs to know one weakness or vulnerability to be successful, while the defenders must know every weakness or vulnerability to defend themselves.
Security analysts are continually triaging and responding to cybersecurity threats and attacks. They often navigate across multiple security tools and threat resources to assess and understand risk, usually while under pressure to address a security incident. They stay on top of threat intelligence, government alerts, and security events that could affect the organization negatively.
Meanwhile, IT teams are tasked with system availability and responsiveness, making them hesitant to implement patches unless priority risk can be communicated. They must balance the need for continuous uptime with the need for implementing security patches that are unplanned and could negatively affect system performance and reliability if not tested or vetted. These professionals also often work in silos, managing IT maintenance and risk for their domains of responsibility.
And then there are the threat actors, who take advantage of these organizational security gaps to launch sophisticated attacks at scale. They are increasingly leveraging cybercrime-as-a-service to achieve maximum impact. For example, Conti is one of the largest ransomware gangs today, operating under a ransomware-as-a-service model. The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) recently observed the increased use of Conti ransomware in more than 400 attacks on US and international organizations.
To win the war against ransomware and effectively defend against cybercrime, security and IT teams must work together. They must unite in a common purpose to fight the attackers. They must collaborate to pick all low-hanging fruit and reduce the time to patch, making it so hard for the attackers that they give up and move on to other targets.
This is where the concept of risk-based vulnerability management came into play. It’s impossible for IT and security teams to patch everything under the sun, so they must prioritize. Plus, not every vulnerability is alike; in fact, less than 10% have known exploits. IT and security teams should not try to patch every little thing. Rather, they should patch based on impact and active threat context.
Today, there are 200,000 unique vulnerabilities, and 22,000 of those have patches. Yet out of the 25,000 vulnerabilities being weaponized via exploits or malware, only 2,000 have patches. This means that IT and security teams can immediately ignore the other 20,000 patches.
From there, organizations must identify the weaponized vulnerabilities that pose the highest risk. Let’s say 6,000 of the weaponized vulnerabilities are capable of remote code execution, and 589 patches are available. But out of those 6,000 weaponized vulnerabilities, only 130 are actively trending, meaning attackers are saying in the wild that they will attack those vulnerabilities. And for those 130 trending vulnerabilities, 68 patches are available. IT and security teams must prioritize implementing those 68 patches.
Top industry leaders, practitioners, and analyst firms recommend a risk-based approach to identify and prioritize vulnerability weaknesses and then accelerate remediation. The White House recently released a memo encouraging organizations to use a risk-based assessment strategy to drive patch management and bolster cybersecurity against ransomware attacks.
In conclusion, organizations must focus on patching the highest risk exposure. To do this, organizations need insight about every patch and the associated vulnerabilities that are exploitable, weaponized, and have ties to ransomware. By leveraging a combination of risk-based vulnerability prioritization and automated patch intelligence, organizations can ensure patches are prioritized based on risk of threats.
Part 1 of this series is here. Part 3 of this series — scheduled for Friday, Jan. 14 — will look at where patch management is headed.