Malware exists to exploit vulnerabilities discovered in software. Patches exist to fix those vulnerabilities. So why do so many vulnerabilities remain unpatched? Why is patch management so complicated?

Sadly, security and IT professionals don’t live in a patch-everything-right-away fantasy land. Trade-offs and compromises are dictated by the conflicting priorities and interests within large organizations.

And people are people. Humans have cognitive biases that cause them to behave irrationally. The most dangerous of these biases is called hyperbolic discounting. People tend to choose smaller rewards now over larger rewards later. When offered a choice between avoiding patch-related headaches now and avoiding cyberattack-related headaches later, most people are drawn to the former. Bolstering this irrational choice is the false idea that “maybe we’ll get lucky and nobody will attack us.”

Not all patches are created equal. Some are urgent, others are not. Some require rebooting, others do not. Some can jam third-party applications, others cannot. The vagaries of complex systems and organizations, compounded by the irrationality of the human mind and variations in patches themselves, mean that patch management is not an exact science — it’s an art.

Why Patch Management Is Indispensable

Patch management is an umbrella term for the process of knowing about, acquiring, testing, installing and following up on patches.

According to Accenture, cybercrime could cost businesses $5.2 trillion over the next five years. How much of that cost could be prevented by the massively lower cost of good patch management? Expert estimates on the number of new vulnerabilities revealed in 2018 ranged from 16,555 to 22,022. The exact number doesn’t matter; it’s a big number.

Patch management is necessary because of the sheer number and complexity of systems to be patched, variations in the patches themselves and the complexity of orchestrating downtime in big organizations full of divergent priorities.

Organizations often proceed with the false idea that security issues precede patches. In fact, it’s the reporting and patching of a vulnerability that often gives cybercriminals the information they need to create an exploit. WannaCry, for example, was created after the vulnerability it exploited had been “fixed” with a patch. (The patch only “fixes” if you deploy it.) Threat actors know that a huge percentage of organizations won’t patch in a timely manner, and that’s their window.

In other words, the availability of a patch makes security better for those who deploy the patch and worse for those who don’t.

The Myriad Challenges of Patch Management

Shockingly, just 27 percent of cybersecurity teams surveyed in a recent white paper from IDC and SolarWinds said that patch management is a strategy for defending against cyberattacks. And, according to Verizon, around 56 percent of reported vulnerabilities are not patched within 90 days of disclosure. What’s more, just 42 percent of small and midsize organizations automate or even have plans to automate patch management, according to a survey from Kaseya.

Why aren’t organizations patching everything? And why aren’t they automating?

I think the reason can be summarized as “patch fatigue.” There are simply so many patches to process. Microsoft has released more than 10,000 patches this year alone.

Then there’s the technical debt problem: IT has to make sure that applying a patch to one system won’t break another. Patch testing impacts the time, schedules and objectives of application owners and business users.

On the Art of Patch Management

Patch management is an art form because it requires prioritization, quality vulnerability assessment, soft people skills, creative thinking, awareness of the latest threats and even intuition born of experience. Here are some of the key elements of the art of patch management:

  • First things first: Patching everything with the perfect procedures on the perfect schedule is unlikely, unless you have unlimited staff and budget. Thoughtful prioritization is a big part of the art of patch management. Prioritize the systems and functions that are most vital to your organization’s business and those that would cause the greatest harm in the event of an attack. An advanced vulnerability assessment tool or service can help you discover where the most threatening vulnerabilities are hiding.
  • Don’t exclude the people factor. Business users can have a bigger fear of patch-related downtime than the existential threat of catastrophe resulting from unpatched systems. For this challenge, culture is key. Never stop working on building a culture of perspective and collective ownership when it comes to mitigating security risk.
  • Next, clearly agree on who does what with clear rules of ownership. Communicate service-level agreements (SLAs) and responsibilities. Right-size ownership for your organization, but be clear and communicate.
  • You also need to sweat the small stuff. It’s tempting to focus on servers and workstations, but don’t forget about internet of things (IoT) devices such as office equipment (e.g., printers), security equipment (e.g., cameras) and network devices (e.g., network-attached storage). You still have to focus on legacy systems. Cloud resources need to be patched, too. Think of every system in the organization in terms of patchable elements — for example, think of a server as many patchable things: firmware, OS and every application installed.
  • Communicate needs and foster an environment of collaboration among teams. Track and record the effectiveness of patch management and use that information to communicate risk mitigation so everyone understands why it’s worth the time and money.
  • Another crucial piece of effective patch management is a simple and consolidated approach. Automate as much as you can, but don’t expect to automate everything. Find the best patch management solutions, which will help you keep a database of the hardware, software and middleware updates that are available. These will either update automatically or alert users that they need to be implemented manually. Crucially, a solution should alert admins about all unpatched software in the organization. Minimize the number of tools you’re using, investing in a smaller number of solutions that each do more patch management tasks across the greatest number of platforms.
  • Be mindful of unintended consequences. You’ll need to keep a handle not only on existing software vulnerabilities, but also vulnerabilities resulting from software dependencies.
  • Always pay attention to timing. For example, never update firmware and software at the same time. And don’t forget: You’re a business. Patching and rebooting need to be compatible with user and department schedules, and therefore need to be carefully timed or scheduled.
  • Watch out for the risks that arise from the mitigation of risks. Patches need to be tested beforehand, and even patches that pass testing need the insurance policy of having a roll-back plan in place in case things go awry.
  • Finally, remember to keep your patch management tools themselves up to date.
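As an added illustration (not code from the original article), the following Python model captures the inventory, prioritization and SLA tracking the list above describes: each host is broken into patchable elements (firmware, OS, applications), open items are queued by business criticality and vulnerability severity, and the 90-day window cited earlier is used as the assumed SLA. All hostnames, dates and scores are constructed sample data, and the scoring formula is an assumption, not a standard.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

SLA_DAYS = 90  # assumed SLA, modelled on the 90-day window cited in the article


@dataclass
class PatchItem:
    host: str                 # system the element belongs to
    component: str            # patchable element: firmware, OS, application ...
    criticality: int          # business criticality of the host, 1 (low) to 5 (vital)
    severity: int             # vulnerability severity, 1 (low) to 5 (critical)
    disclosed: date           # public disclosure of the vulnerability / patch
    patched: Optional[date] = None  # None while the element is still unpatched
    exploited: bool = False   # known to be exploited in the wild


def priority_score(item: PatchItem) -> int:
    """Assumed scoring: criticality x severity, doubled when exploitation is known."""
    score = item.criticality * item.severity
    return score * 2 if item.exploited else score


def days_open(item: PatchItem, today: date) -> int:
    """Days between disclosure and either the patch date or today."""
    return ((item.patched or today) - item.disclosed).days


def work_queue(items: List[PatchItem], today: date) -> List[PatchItem]:
    """Unpatched elements, most urgent first; older items win ties."""
    open_items = [i for i in items if i.patched is None]
    return sorted(open_items, key=lambda i: (-priority_score(i), -days_open(i, today)))


def sla_report(items: List[PatchItem], today: date) -> dict:
    """Figures to report to the business: SLA compliance and current breaches."""
    breached = [i for i in items if days_open(i, today) > SLA_DAYS]
    compliance = round(100 * (len(items) - len(breached)) / len(items))
    return {"compliance_pct": compliance,
            "breached": [(i.host, i.component) for i in breached]}


# Constructed sample inventory: one server split into OS and firmware, plus IoT gear.
TODAY = date(2019, 10, 1)
INVENTORY = [
    PatchItem("erp-db-01", "OS", 5, 4, date(2019, 8, 20), exploited=True),
    PatchItem("erp-db-01", "firmware", 5, 2, date(2019, 5, 1)),
    PatchItem("lobby-printer", "firmware", 1, 5, date(2019, 9, 15)),
    PatchItem("hr-web", "application", 4, 3, date(2019, 6, 1), patched=date(2019, 7, 15)),
    PatchItem("cctv-nvr", "OS", 2, 4, date(2019, 4, 1), patched=date(2019, 8, 1)),
]
```

Running `work_queue(INVENTORY, TODAY)` puts the exploited ERP database OS first, and `sla_report` flags both the long-open ERP firmware and the camera recorder that was patched late, which is the kind of record the "track and record" step above asks for.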

Yes, patch management is an art. And you’re the artist. Start implementing the key steps above to turn your patch management system into a masterpiece.
