Patch Management: Focus on the Risk
— March 15th, 2022
If ever there was a time to consider an effective patch management strategy, world events currently unfolding in Eastern Europe suggest that one of those times could well be right now.
Since Vladimir Putin launched Russia's invasion of Ukraine last month, there have been many warnings of imminent Russian cyberattacks. See previous blog, Russian Invasion of Ukraine Could Mean Increase in Cyber Attacks.
Like many things concerning IT and corporate security, differing opinions about which patch management strategy is most effective can quickly generate enough friction to slow down actually getting things done.
We’re of the mind that a risk-based approach to vulnerability management represents the most effective strategy by which to guide patch management efforts.
By focusing on the vulnerabilities that pose the greatest potential impact, show the highest levels of attacker activity, and so on, the relevant stakeholder teams can center their attention, prioritize, and coordinate their efforts.
The sheer scope of existing vulnerabilities alone suggests the need for risk-based identification and prioritization. “It's impossible for IT and security teams to patch everything under the sun, so they must prioritize. Plus, not every vulnerability is alike; in fact, less than 10% have known exploits. IT and security teams should not try to patch every little thing. Rather, they should patch based on impact and active threat context.
Today, there are 200,000 unique vulnerabilities, and 22,000 of those have patches. Yet out of the 25,000 vulnerabilities being weaponized via exploits or malware, only 2,000 have patches. This means that IT and security teams can immediately ignore the other 20,000 patches,” according to Dark Reading, "Patch Management Today: A Risk-Based Strategy to Defeat Cybercriminals".
Emphasizing the focus that teams can derive from risk-based patch management strategy, the Dark Reading article goes on to give solid numerical context to a practical example: “…organizations must identify the weaponized vulnerabilities that pose the highest risk.
“Let's say 6,000 of the weaponized vulnerabilities are capable of remote code execution, and 589 patches are available. But out of those 6,000 weaponized vulnerabilities, only 130 are actively trending, meaning attackers are saying in the wild that they will attack those vulnerabilities. And for those 130 trending vulnerabilities, 68 patches are available. IT and security teams must prioritize implementing those 68 patches.”
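The funnel the Dark Reading example walks through (weaponized, then RCE-capable, then actively trending, then patch available) can be applied mechanically to a scan export. The script below is an added illustration, not code from this post or from Dark Reading; the `Vuln` record, the `tier` ordering and the sample inventory are assumptions, and the identifiers are constructed placeholders rather than real CVE numbers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    """One scan finding enriched with threat context (fields are assumed)."""
    vid: str               # constructed placeholder id, not a real CVE number
    weaponized: bool       # a public exploit or malware uses it
    rce: bool              # capable of remote code execution
    trending: bool         # attackers are actively using or discussing it now
    patch_available: bool  # vendor fix exists


def tier(v: Vuln) -> int:
    """Lower number = act sooner. Mirrors the article's funnel.
    Tier 2 is trending RCE with no patch yet: mitigate rather than wait."""
    if not v.weaponized:
        return 5                       # no known exploit: routine maintenance window
    if v.rce and v.trending:
        return 1 if v.patch_available else 2
    if v.rce:
        return 3
    return 4


def funnel_counts(vulns):
    """Counts at each stage of the funnel, like the article's 6,000 / 130 / 68."""
    weaponized = [v for v in vulns if v.weaponized]
    rce = [v for v in weaponized if v.rce]
    trending = [v for v in rce if v.trending]
    patchable = [v for v in trending if v.patch_available]
    return {"weaponized": len(weaponized), "rce": len(rce),
            "trending": len(trending), "patch_now": len(patchable)}


def patch_queue(vulns):
    """Ordered work list: tier first, then id so the output is stable."""
    return [v.vid for v in sorted(vulns, key=lambda v: (tier(v), v.vid))]


# Constructed sample inventory (not real findings).
SAMPLE = [
    Vuln("V-001", weaponized=True,  rce=True,  trending=True,  patch_available=True),
    Vuln("V-002", weaponized=True,  rce=True,  trending=True,  patch_available=False),
    Vuln("V-003", weaponized=True,  rce=True,  trending=False, patch_available=True),
    Vuln("V-004", weaponized=True,  rce=False, trending=False, patch_available=True),
    Vuln("V-005", weaponized=False, rce=True,  trending=False, patch_available=True),
    Vuln("V-006", weaponized=True,  rce=True,  trending=True,  patch_available=True),
]

if __name__ == "__main__":
    print(funnel_counts(SAMPLE))
    print(patch_queue(SAMPLE))
```

Feeding a real scanner export in place of `SAMPLE` requires populating the `weaponized` and `trending` fields from a threat-intelligence source; the scanner alone cannot supply them.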
By aligning patching efforts with the greatest risk exposures and, where relevant, by combining a risk-based strategy with patch automation, stakeholder teams can remediate the threats of greatest potential impact to the organization sooner, and shrink the time windows in which those threats remain exploitable.