A proactive approach to cybersecurity includes ensuring all software is up-to-date across assets. This also includes applying patches to close vulnerabilities. This practice minimizes risk because it eliminates outdated software versions in the process. Does this make patching a catch-all cybersecurity solution?
While patching is an important component of cybersecurity, other security solutions and strategies must complement it. These include firewalls, antivirus software and employee security risk awareness training. Interestingly, the most recent X-Force Threat Intelligence Index reports that 26% of 2022’s vulnerabilities had known exploits. Data tracked from the early 1990s to the present shows the proportion of known exploits dropping in recent years, highlighting the effectiveness of well-maintained patch management processes.
The difference between vulnerability and patch management
Successful patch management begins with identifying vulnerabilities. This can seem like a tidal wave of potential compromises since they exist in nearly every piece of software. In 2022, the National Institute of Standards and Technology (NIST) reported more than 23,000 new vulnerabilities; of that number, it classified more than 17,000 as critical.
Security teams can’t always address vulnerabilities as soon as they discover them. As a result, many organizations are sitting on enormous vulnerability backlogs. A slow response means vulnerabilities will linger and leave organizations open to compromise. It’s important and possible to tackle vulnerability management. However, it’s not enough to simply identify vulnerabilities; organizations must also take steps to protect against them.
Patch management is a component of vulnerability management that provides organizations with an automated means to apply software patches issued by vendors to address security vulnerabilities. Automated patch management tools can surface available patches but don’t necessarily map the severity of known vulnerabilities. Patch management also requires defined policies and procedures to identify critical vulnerabilities, as well as a regular schedule to apply security patches.
Software industry security patching improvements
The software industry has made significant strides in recent years when it comes to issuing patches for security vulnerabilities. Larger companies have had to become more proactive in identifying and addressing vulnerabilities in their products. These companies have a variety of resources, which include formalized bug bounty programs, available to help speed the development of security patches. Process efficiencies and innovations help them respond more quickly. Customers responsible for applying these security patches to their systems aren’t always so fast to respond.
Critical vulnerabilities take an average of 60 days to remediate. This is significantly longer than the time it takes attackers to begin exploiting newly discovered vulnerabilities (typically 15 days). Attackers tend to take advantage of that gap between discovery and remediation. Since not all vulnerabilities are critical, it’s important to prioritize them based on their potential impact. Security teams can focus on patching the most severe vulnerabilities first, reducing the overall risk of compromise.
The cycle of vulnerability discovery, ranking and remediation is never-ending. Some automated patch management tools include patch analytics, which can shorten the overall time required to ensure patches are applied in a timely manner according to vulnerability severity.
Addressing software and equipment end-of-life
Knowing the state of all assets is an important aspect of risk management. Vulnerabilities can hide in older assets, increasing security risks to the environment. There may be times when software and equipment can no longer be patched. They may have reached end-of-life and are no longer supported by the vendor, or they simply cannot be adapted to modern networking and security protocols. Attackers routinely exploit vulnerabilities in older, outdated software.
Ransomware infections from three to five years ago were still present in some older, unpatched equipment, as reported in the 2023 X-Force Threat Intelligence Index. These machines remained unaddressed long after the initial infection.
Depending on the software vendor, there are options available to protect software that has reached end-of-life. Some vendors may offer an extended warranty or something similar where software updates and security patches can continue for a specific period of time after the software reaches end-of-life. Of course, this isn’t a long-term solution. But it can give companies a little more time to explore other options available.
Unpatched assets that can no longer be updated pose additional risks to the organization. It’s important to assess the long-term risks associated with their continued usage. NIST recommends a regular review of these assets to ensure the integrity of the rest of the system. If replacement isn’t yet an option, segmentation or micro-segmentation of these unpatched assets from the rest of the network can provide some protection from potential compromise.
When mitigation methods don’t adequately address the risks of unpatched assets, replacement may be the only other option available. It’s important to regularly examine the cost-benefit analysis of continued mitigation versus completely replacing affected assets.
The future of vulnerability and patch management
Patching has become essential for cybersecurity. Successful patch management results in fewer exploitable vulnerabilities as part of a comprehensive vulnerability and patch management process. Vulnerability management is on track to become more manageable with CISA’s release of the Stakeholder-Specific Vulnerability Categorization (SSVC) system, which outputs machine-readable reports detailing vulnerabilities and severity that should help shorten the time for remediation. This new standardized approach helps organizations focus on the highest-severity vulnerabilities. The system is designed with automated tools in mind. Recent cybersecurity-focused legislation will also change how organizations approach vulnerability and patch management.
The recently issued Executive Order 14028, “Improving the Nation’s Cybersecurity,” includes requirements for a software bill of materials (SBOM) where specific information must be disclosed about the origins of various pieces of the product. Meant to provide greater transparency about dependencies and known vulnerabilities to protect the software supply chain, this requirement can be helpful outside of government software contracting. A complete SBOM can help organizations determine the long-term maintenance required for a software component that requires a lot of remediation over time or is especially attack-prone, given the kinds of vulnerabilities present.
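As an added example (not code from the original article), the following Python script cross-references a constructed CycloneDX-style SBOM against a constructed vulnerability feed and orders the findings the way the article suggests: known exploits first, then severity, then time since disclosure, flagging anything past the 15-day exploitation window and marking components with no vendor fix (such as end-of-life software) for segmentation or replacement rather than patching. Component names, vulnerability ids, dates and the `eol` field are placeholders, not real advisories.

```python
"""Build a prioritized remediation worklist from an SBOM and a vulnerability feed.

Added example, not part of the original article. All data below is constructed:
the SBOM mimics a CycloneDX component list (the "eol" flag is an added field),
and the vulnerability ids are placeholders.
"""
from datetime import date

SBOM = {"components": [
    {"name": "libexample-ssl", "version": "1.0.2", "eol": True},
    {"name": "webfront", "version": "4.3.1", "eol": False},
    {"name": "parserlib", "version": "2.9.0", "eol": False},
    {"name": "loggerkit", "version": "0.7.5", "eol": False},  # no known vulns
]}

# Constructed feed keyed by (component name, version). "fixed_in" is None when no fix exists.
VULN_FEED = {
    ("libexample-ssl", "1.0.2"): [{"id": "VULN-PLACEHOLDER-1", "severity": "critical",
                                   "known_exploit": True, "disclosed": "2023-01-03", "fixed_in": None}],
    ("webfront", "4.3.1"): [{"id": "VULN-PLACEHOLDER-2", "severity": "high",
                             "known_exploit": True, "disclosed": "2023-02-20", "fixed_in": "4.3.2"}],
    ("parserlib", "2.9.0"): [{"id": "VULN-PLACEHOLDER-3", "severity": "critical",
                              "known_exploit": False, "disclosed": "2023-02-25", "fixed_in": "2.9.1"}],
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
EXPLOIT_WINDOW_DAYS = 15  # typical time before exploitation begins, per the article


def build_worklist(sbom, feed, today_iso):
    """Return findings sorted by (known exploit, severity, age since disclosure).

    Each finding gets an action: "patch" when a vendor fix exists, otherwise
    "mitigate" (segment or replace), which covers end-of-life components.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for comp in sbom["components"]:
        for v in feed.get((comp["name"], comp["version"]), []):
            age = (today - date.fromisoformat(v["disclosed"])).days
            findings.append({
                "component": f'{comp["name"]}@{comp["version"]}',
                "id": v["id"], "severity": v["severity"],
                "known_exploit": v["known_exploit"], "age_days": age,
                "past_exploit_window": age > EXPLOIT_WINDOW_DAYS,
                "eol": comp["eol"],
                "action": "patch" if v["fixed_in"] and not comp["eol"] else "mitigate",
            })
    # Sort key: exploited first (False sorts before True), then severity, then oldest first.
    findings.sort(key=lambda f: (not f["known_exploit"], SEVERITY_RANK[f["severity"]], -f["age_days"]))
    return findings
```

Running `build_worklist(SBOM, VULN_FEED, "2023-03-01")` puts the exploited, end-of-life component first and marks it for mitigation, even though the unexploited critical finding is newer.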
Software vulnerabilities aren’t going away anytime soon, nor are the patches which secure them. Patch management will remain an essential part of cybersecurity. Future improvements to vulnerability management and more transparent disclosures in an SBOM — combined with software industry improvements through formalized bug bounty programs and other innovations — have the potential to significantly reduce the time required to remediate vulnerable software.