Patching & Vulnerability Management
Beyond Patching: The Need for Vulnerability Management
If something is wrong, fix it. That’s the basic premise behind patching in the IT industry. A bug or other issue is discovered in an application or software. A patch to fix it is released. You apply the patch. Problem solved and potential disaster ─ such as a ransomware attack ─ is avoided. But is patching sufficient for protecting IT systems against the ever-increasing number of IT vulnerabilities that cybercriminals can exploit?
When and What to Patch
As we all know, there are a lot of issues that arise in applications and software. Consequently, a lot of patches are released. Some of the patches deliver new features or product updates, but many are intended to close newly identified security holes. In fact, organizations such as Adobe and Microsoft release so many patches for their products that they’ve formalized a regular time for them ─ “Patch Tuesday”, which occurs on the second Tuesday of each month in North America. (Additional releases are made throughout the month as needed.)
But it’s not enough to rely on patch release dates from the big software vendors as the driver for when to patch ─ or what to patch. Not all patches may be necessary for a variety of reasons. Or they may not require as urgent of handling as others. Plus, patching isn’t where the battle against software bugs and other issues ends. It’s part of a much broader security endeavor – vulnerability management.
A Broader Approach to Vulnerabilities
Vulnerability management is a holistic approach to identifying, prioritizing, remediating and reporting on security vulnerabilities. While the framework and processes can vary based on organizations’ business requirements and other factors, the following provides a brief overview of the various aspects of vulnerability management.
- Policies and processes. Vulnerability management starts with setting policies and processes, many of which will be dependent on the components described in the bullets that follow. This includes defining the scope and identifying and documenting what’s covered, such as network infrastructure, servers, operating systems, virtual machines, etc. (See asset management.) It also entails determining the frequency of vulnerability scans.
In addition, the policies and procedures establish roles and responsibilities, incident response workflows, and reporting, monitoring and measurement processes. Change management, configuration management and compliance requirements are also important components.
- Asset management. Protecting IT environments requires visibility into them. That’s why an inventory of all IT assets, including authorized and unauthorized devices and software, is essential. Each asset should be assessed for factors such as system availability, user access, and physical or logical connection to other assets to determine if protection is required and the level of protection needed. This helps in prioritizing vulnerabilities and fixes, remediating issues, and communicating with stakeholders.
- Vulnerability scanning. Vulnerability scanning is an automated activity that relies on a database of known vulnerabilities such as CVE/NVD. Scans are run on networks, endpoints, and applications to identify weaknesses and bugs.
There are two basic types of scans: external or internal. Internal scans are carried out from inside an organization’s perimeter defense. External scans are performed from outside their network perimeter. External scans are especially important for cloud-hosted assets because misconfigured and insecure deployments of databases and other services in the cloud are common occurrences.
Vulnerability scanning is often mandated by industry standards and government regulations. For example, the Payment Card Industry Data Security Standard (PCI-DSS) requires external and internal vulnerability scans to be run quarterly, as well as every time new systems or components are installed, the network topology changes, firewall rules are modified, or various software products are upgraded.
Vulnerability scans can be run in-house using any number of scanning tools, or outsourced. One of the advantages of outsourcing is that companies offering scanning services are more likely to have the most up-to-date software and technologies to ensure a thorough scan, identify holes and weaknesses, and provide the best recommendations and solutions.
- Scan results evaluation. The output of a vulnerability scan is typically a list of the vulnerabilities found and identified by their Common Vulnerabilities and Exposures (CVE) designation. The Common Vulnerability Scoring System (CVSS) rates the criticality of CVEs from 1 (less critical) to 10 (most critical) based on type of attack, level of access required, and other factors.
Unfortunately, the scoring system doesn’t consider which vulnerabilities could affect a particular organization the most and require more immediate attention than others. That means someone must evaluate and triage the identified vulnerabilities, and determine:
- How critical the vulnerability is and what effects it could have on the organization if it were to be exploited
- How easy and/or practical it is for a cybercriminal to exploit the vulnerability
- Which, if any, existing security controls could reduce the risk of the vulnerability being exploited
- If the vulnerability is a “false positive” and can be ignored
For companies that lack the internal expertise and resources, it’s worthwhile to opt for a third-party company that specializes in IT security to analyze the scan results. For example, US Signal offers SOC Analysis as an add-on to its Vulnerability Management as a Service (VMaS). The SOC Analysis service provides with a detailed assessment of the information generated by the vulnerability scans, along with recommendations for remediating, mitigating, and eliminating the security vulnerabilities based on IT security best practices.
- Remediation. Once vulnerabilities are prioritized, they can be dealt with – typically by patching, blocking or discontinuing use of the asset. The patching process can be time consuming. It requires testing, applying and verifying each patch. Many organizations opt to use automated patch installation or outsource the responsibility.
At US Signal, patch management is offered for Windows OS and a wide variety of third-party applications from most of the big-name vendors. Both manual and automated installation are available, based on policies defined and created between the customer and US Signal during the onboarding process.
- Penetration testing. Vulnerability scanning should be complemented with penetration testing. Penetration testing (or pen testing) is a simulated cyberattack in which professional ethical hackers break into corporate networks to find weaknesses before attackers do. A penetration test shows how damaging a flaw could be in a real attack.
- Tracking, metrics and reporting. While various tools and methods can be used for tracking and reporting, it’s the actual metrics that are key to assessing the success of a vulnerability management program. As with other elements of vulnerability management, the metrics will be dictated largely by an organization’s business needs. Common ones include:
- Time to Detect - the average time that passes between the creation and detection of a vulnerability.
- Time to Resolution - the average time it takes to find a resolution to a vulnerability.
- Time to Mitigation - the average time it takes to alleviate the attack.
- Risk by business unit or asset group - the risk level that each business unit or asset group of your organization faces due to vulnerabilities.
- Vulnerability assessment. Vulnerability and IT security assessments look beyond vulnerabilities only related to specific technologies or assets. For example, an organization may be vulnerable to ransomware attacks and other cybercrime because it has a weak password policy or doesn’t sufficiently train employees on avoiding phishing scams.
Assess Your Vulnerabilities
With cybercriminals becoming bolder and their attacks more frequent and costly, it’s important to take a proactive approach to protecting your IT assets. Patching is a start – an important one. But a vulnerability management program will provide more comprehensive protection. US Signal offers a variety of products and services that can help, along with recommendations and guidance to ensure the processes and technologies you put in place best meet your organization’s needs.
Call 866.2. SIGNAL or email [email protected].