May 18, 2023 By Michelle Greenlee 4 min read

A proactive approach to cybersecurity includes keeping all software up-to-date across assets, which means applying the patches that close known vulnerabilities. The practice minimizes risk because it eliminates outdated software versions along the way. Does this make patching a catch-all cybersecurity solution?

While patching is an important component of cybersecurity, other security solutions and strategies must complement it. These include firewalls, antivirus software and employee security risk awareness training. Interestingly, the most recent X-Force Threat Intelligence Index reports that 26% of 2022’s vulnerabilities had known exploits. Data tracked from the early 1990s to the present shows the proportion of known exploits dropping in recent years, highlighting the effectiveness of well-maintained patch management processes.

The difference between vulnerability and patch management

Successful patch management begins with identifying vulnerabilities. This can seem like a tidal wave of potential compromises since they exist in nearly every piece of software. In 2022, the National Institute of Standards and Technology (NIST) reported more than 23,000 new vulnerabilities; of that number, it classified more than 17,000 as critical.

Security teams can’t always address vulnerabilities as soon as they discover them. As a result, many organizations are sitting on enormous vulnerability backlogs. A slow response means vulnerabilities will linger and leave organizations open to compromise. It’s important and possible to tackle vulnerability management. However, it’s not enough to simply identify vulnerabilities; organizations must also take steps to protect against them.

Patch management is a component of vulnerability management that provides organizations with an automated means to apply software patches issued by vendors to address security vulnerabilities. Automated patch management tools can surface available patches but don’t necessarily map the severity of known vulnerabilities. Patch management also requires defined policies and procedures to identify critical vulnerabilities, as well as a regular schedule to apply security patches.

Software industry security patching improvements

The software industry has made significant strides in recent years when it comes to issuing patches for security vulnerabilities. Larger companies have had to become more proactive in identifying and addressing vulnerabilities in their products. These companies have a variety of resources, which include formalized bug bounty programs, available to help speed the development of security patches. Process efficiencies and innovations help them respond more quickly. Customers responsible for applying these security patches to their systems aren’t always so fast to respond.

Critical vulnerabilities take an average of 60 days to remediate. This is significantly longer than the time it takes attackers to begin exploiting newly discovered vulnerabilities (typically 15 days). Attackers tend to take advantage of that gap between discovery and remediation. Since not all vulnerabilities are critical, it’s important to prioritize them based on their potential impact. Security teams can focus on patching the most severe vulnerabilities first, reducing the overall risk of compromise.

The cycle of vulnerability discovery, ranking and remediation is never-ending. Some automated patch management tools include patch analytics, which can shorten the overall time required to ensure patches are applied in a timely manner according to vulnerability severity.
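As an added example (not from the article or any vendor's patch tool), the following Python sketches the prioritization this section describes: findings with known exploits first, then by severity, then oldest first, with a per-severity remediation deadline and the typical 15-day exploitation gap tracked for each finding. The SLA values, asset names and VULN-* identifiers are constructed placeholders, not real policy or CVE data.

```python
from dataclasses import dataclass
from datetime import date

# Maximum days from disclosure to remediation, per severity. Constructed
# policy values; the article itself gives only a 60-day average remediation
# time and a ~15-day window before attackers typically begin exploiting.
SLA_DAYS = {"critical": 7, "high": 15, "medium": 30, "low": 60}
EXPLOIT_WINDOW_DAYS = 15
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass
class Finding:
    asset: str
    vuln_id: str            # placeholder ids, not real CVE numbers
    severity: str           # critical / high / medium / low
    disclosed: date
    known_exploit: bool = False
    patchable: bool = True  # False for end-of-life assets with no vendor patch

def action_for(f: Finding, today: date) -> str:
    """Decide what to do with one finding as of a given day."""
    if not f.patchable:
        return "segment-or-replace"  # no patch will come; isolate or retire
    if f.known_exploit:
        return "patch-now"           # exploit already public; no gap left
    if (today - f.disclosed).days > SLA_DAYS[f.severity]:
        return "patch-overdue"
    return "schedule"

def remediation_queue(findings, today: date):
    """Order findings: known exploits first, then severity, then oldest.
    Each row is (vuln_id, asset, action, days of exploit window left)."""
    def key(f):
        return (not f.known_exploit, SEVERITY_RANK[f.severity], f.disclosed)
    return [
        (f.vuln_id, f.asset, action_for(f, today),
         max(0, EXPLOIT_WINDOW_DAYS - (today - f.disclosed).days))
        for f in sorted(findings, key=key)
    ]

# Constructed sample inventory; dates chosen around the article's date.
TODAY = date(2023, 5, 18)
SAMPLE = [
    Finding("web-01", "VULN-A", "high", date(2023, 5, 10)),
    Finding("db-02", "VULN-B", "critical", date(2023, 5, 1), known_exploit=True),
    Finding("hmi-03", "VULN-C", "critical", date(2023, 4, 1), patchable=False),
    Finding("ws-04", "VULN-D", "low", date(2023, 2, 1)),
    Finding("app-05", "VULN-E", "medium", date(2023, 4, 10)),
]
```

Calling `remediation_queue(SAMPLE, TODAY)` puts the actively exploited VULN-B first with action `patch-now`, the unpatchable end-of-life asset next as `segment-or-replace`, and leaves the eight-day-old high finding as `schedule` with seven days of the typical exploitation window remaining.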

Addressing software and equipment end-of-life

Knowing the state of all assets is an important aspect of risk management. Vulnerabilities can hide in older assets, increasing security risks to the environment. There may be times when software and equipment can no longer be patched: they may have reached end-of-life and lost vendor support, or they may simply be unable to accommodate modern networking and security protocols. Attackers routinely exploit vulnerabilities in older, outdated software.

Ransomware infections from three to five years ago were still present in some older, unpatched equipment, as reported in the 2023 X-Force Threat Intelligence Index. These machines remained unaddressed long after the initial infection.

Depending on the software vendor, there are options available to protect software that has reached end-of-life. Some vendors may offer an extended warranty or something similar where software updates and security patches can continue for a specific period of time after the software reaches end-of-life. Of course, this isn’t a long-term solution. But it can give companies a little more time to explore other options available.

Unpatched assets that can no longer be updated pose additional risks to the organization, so it's important to assess the long-term risks of their continued use. NIST recommends a regular review of these assets to ensure the integrity of the rest of the system. If replacement isn't yet an option, segmentation or micro-segmentation of these unpatched assets from the rest of the network can provide some protection from potential compromise.

When mitigation methods don’t adequately address the risks of unpatched assets, replacement may be the only other option available. It’s important to regularly examine the cost-benefit analysis of continued mitigation versus completely replacing affected assets.

The future of vulnerability and patch management

Patching has become essential for cybersecurity. Successful patch management, as part of a comprehensive vulnerability and patch management process, results in fewer exploitable vulnerabilities. Vulnerability management is on track to become more manageable with CISA's release of the Stakeholder-Specific Vulnerability Categorization (SSVC) system. SSVC outputs machine-readable reports detailing vulnerabilities and their severity, which should help shorten remediation time. This new standardized approach helps organizations focus on the highest-severity vulnerabilities, and the system is designed with automated tools in mind. Recent cybersecurity-focused legislation will also change how organizations approach vulnerability and patch management.

The recently issued Executive Order 14028, “Improving the Nation’s Cybersecurity,” includes requirements for a software bill of materials (SBOM) where specific information must be disclosed about the origins of various pieces of the product. Meant to provide greater transparency about dependencies and known vulnerabilities to protect the software supply chain, this requirement can be helpful outside of government software contracting. A complete SBOM can help organizations determine the long-term maintenance required for a software component that requires a lot of remediation over time or is especially attack-prone, given the kinds of vulnerabilities present.

Software vulnerabilities aren’t going away anytime soon, nor are the patches which secure them. Patch management will remain an essential part of cybersecurity. Future improvements to vulnerability management and more transparent disclosures in an SBOM — combined with software industry improvements through formalized bug bounty programs and other innovations — have the potential to significantly reduce the time required to remediate vulnerable software.
