Story image

Three key steps to improving security patching

26 Nov 18

Article by Flexera A/NZ sales director Hugh Darvall

In a world where everything seems to be urgent, managing and prioritising security risks associated with patching can be a pain point for enterprises with a lack of visibility into their systems and questions around which department is responsible for guaranteeing software security.

The key priority for an operations team is the security endpoints whereby uptime and user satisfaction needs to be guaranteed.

However, this often suffers when reboots and application restarts are undertaken when deploying patches.

Adding to the complications, resource constraint means it’s tough to minimise risk and determine a holistic, multi-departmental collaboration focused on specific risk policies and profiles.

Unfortunately, compliance pressure doesn’t help either, as more often than not it ends up being just a checkbox rather than a mechanism for improving security.

While the bare minimum is undertaken very reluctantly to satisfy the auditors, there’s still a significant amount of fire drill and distraction from the daily grind.

Off the back of this, many IT departments only patch the top software applications such as Microsoft, Adobe and browsers, which allows them to demonstrate that the business is compliant while satisfying the security needs of the organisation.

In reality, however, this way of thinking is a misconception that leads to a reduced security posture and an unnecessarily high risk for a breach, costing businesses on average $2.5 million each time.

Flexera’s new Vulnerability Review report highlights that realistically, the vast majority of vulnerabilities are found in applications from vendors outside the top brands, leaving enterprises at high risk of a data breach.

IT professionals should consider a three-pronged approach with a vulnerability risk management programme including visibility, prioritisation and automated remediation:

Visibility of patching needs

Firstly, IT departments need to understand what applications are running in the endpoints that require security mitigation – for example, patch or compensating control.

Approaching this from a pure software inventory perspective is a mistake because it takes time that nobody has.  

Instead, they should undertake a proper, risk-based assessment of the patching needs by automatically correlating the installed applications’ exact versioning data with known documented vulnerabilities that have been vetted and curated. 

This process will reduce false positives and let security professionals rank vulnerabilities in terms of risk to the business.

Prioritisation

It’s extremely important that IT departments use a risk-scoring system that helps them move fast to remediate the highest-risk vulnerabilities first.

Risk controls vary from organisation to organisation. 

But at a minimum, teams should evaluate vulnerability criticality, affected asset sensitivity and pervasiveness of the vulnerable software.

With these three elements considered, IT can exercise judgement on where to concentrate efforts to achieve the most effective outcome.

Automated remediation

Some organisations are adamant about testing all the applications that get deployed to their end users. 

Others simply prioritise fast security roll-ups and publish every patch needed as soon as it’s released by the vendor.

However, the middle ground is the most effective.

Some managed applications (i.e. those sanctioned by the organisation) are more critical than others because some may run critical business processes. 

The most critical applications should be thoroughly tested before mass deployment.

The other less critical managed applications should be patched regularly, preferably in a semi-automated way. 

The outlier problems can be dealt with afterwards.

IT should pay the most attention to the unmanaged applications sprawling across the organisation’s environment –automatically patching them mercilessly.

These applications are not sanctioned by the business and pose a great risk because they often either get ignored or bypassed for policy enforcement.

Ideally, these applications should be removed from the wider IT environment and their deployment controlled by an enterprise App Store with stringent workflows for approvals.

This will largely mitigate the risk they pose to the business.

In the past, it was easy for IT departments to manage vulnerabilities and risks based on their degree of seriousness.

Now with the amount of data generated, security incidents are affecting business viability, market competitiveness and even the life of ordinary citizens.

Organisations need to implement an approach to patching that improves security and creates a seamless process to prevent the risk of a future attack.

Using blockchain to ensure regulatory compliance
“Data privacy regulations such as the GDPR require you to put better safeguards in place to protect customer data, and to prove you’ve done it."
A10 aims to secure Kubernetes container environments
The solution aims to provide teams deploying microservices applications with an automated way to integrate enterprise-grade security with comprehensive application visibility and analytics.
DigiCert conquers Google's distrust of Symantec certs
“This could have been an extremely disruptive event to online commerce," comments DigiCert CEO John Merrill. 
One Identity a Visionary in Magic Quad for PAM
One Identity was recognised in the Gartner Magic Quadrant for Privileged Access Management for completeness of vision and ability to execute.
How to keep network infrastructure secure and available
Two OVH executives have weighed in on how network infrastructure and the challenges in that space will be evolving in the coming year.
Gartner names newcomer Exabeam a leader in SIEM
The vendor landscape for SIEM is evolving, with recent entrants bringing technologies optimised for analytics use cases.
52mil users affected by Google+’s second data breach
Google+ APIs will be shut down within the next 90 days, and the consumer platform will be disabled in April 2019 instead of August 2019 as originally planned.
Symantec releases neural network-integrated USB scanning station
Symantec Industrial Control System Protection Neural helps defend against USB-borne cyber attacks on operational technology.