Patch management has long been a manual process, which leads to reactive, siloed, technology-dependent methods that lack business alignment. This article, an extract from the report "Beyond Patching: Redefining Cybersecurity Strategies for Effective Risk Mitigation", explores why Cybersecurity, IT, Engineering, DevOps and other technical teams must focus on remediating business risk for patch management to succeed, which is often not the case today.
It makes sense to have an enterprise-wide patch management policy and service level agreements (SLAs) based on vulnerability tiers.
Key metrics such as vulnerability count broken down by tier, aging (how long a finding has been open) and mean time to remediate (MTTR) can be common across teams as well. However, the toolsets used for vulnerability scanning and the reporting needs differ between the teams mentioned above, which is not always considered.
Critical gaps impacting patch planning and execution:
- Improper asset management
- Gaps in asset discovery
- Lack of insight into each asset (asset criticality, data stored by the asset, asset owner, etc.)
- Inadequate risk qualification due to lack of contextual awareness
- Poor understanding of asset exposure (public, internal, segmented, etc.)
- Unclear roles, entitlements and privileges associated with the asset
- Failure to recognize how existing compensating controls contribute to the context of a risk-centric approach
- Access to sensitive data not considered in traditional vulnerability management approaches
- Missing threat analysis:
  - Exploit availability and trend
  - Ease of exploitation (e.g., authentication bypass, unauthenticated remote code execution)
The above gaps, added to the ever-increasing list of critical and high vulnerabilities, make patching harder still. Technical functions tasked with patching should focus on business risk remediation measures that deliver gradual advancement, such as:
- Prioritizing vulnerabilities with confirmed exploitation, such as those listed in the CISA Known Exploited Vulnerabilities (KEV) catalog
- Decommissioning inactive assets rather than patching them
- Reducing public exposure
- Deploying compensating controls (e.g., disabling legacy protocols and unnecessary remote access)
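The Python below is an added example, not code from the report or the article. It turns the context gaps listed above (asset criticality, exposure, data sensitivity, owner, compensating controls, KEV listing, exploit availability) and the four measures just listed into a scoring routine, runs it over a constructed inventory and scan output, and shows how the resulting tier and SLA due date differ from tiering on CVSS alone. Every weight, tier threshold, SLA value, asset name and finding ID is an assumption made for illustration; a real policy would derive them from the organization's risk tolerance and business impact analysis.

```python
"""Added example (not from the report): risk-centric tiering of scan findings.

All weights, thresholds, SLA values and the sample assets/findings are assumed
values constructed for illustration, not figures from the report.
"""
from dataclasses import dataclass
from datetime import date, timedelta

SLA_DAYS = {1: 7, 2: 30, 3: 90, 4: 180}              # assumed remediation SLA per tier
EXPOSURE = {"public": 1.5, "internal": 1.0, "segmented": 0.7}
CRITICALITY = {"high": 1.4, "medium": 1.0, "low": 0.6}
CONTROL_RESIDUAL = 0.4   # share of risk assumed to remain once a compensating control applies


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    criticality: str                  # business criticality: high / medium / low
    exposure: str                     # public / internal / segmented
    holds_sensitive_data: bool
    active: bool = True               # inactive assets are decommission candidates
    controls: frozenset = frozenset()  # compensating controls already in place


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: Asset
    cvss: float
    in_kev: bool = False              # listed in the CISA KEV catalog
    exploit_public: bool = False      # public exploit or proof of concept exists
    mitigated_by: frozenset = frozenset()  # controls that would neutralise this finding


def cvss_tier(f: Finding) -> int:
    """Traditional tiering: severity alone, with no asset or threat context."""
    return 1 if f.cvss >= 9.0 else 2 if f.cvss >= 7.0 else 3 if f.cvss >= 4.0 else 4


def controlled(f: Finding) -> frozenset:
    """Compensating controls on the asset that actually apply to this finding."""
    return f.asset.controls & f.mitigated_by


def risk_score(f: Finding) -> float:
    """CVSS weighted by exposure and criticality, plus threat and data factors."""
    a = f.asset
    score = f.cvss * EXPOSURE[a.exposure] * CRITICALITY[a.criticality]
    if f.in_kev:
        score += 4.0                  # confirmed exploitation outweighs theoretical severity
    elif f.exploit_public:
        score += 2.0
    if a.holds_sensitive_data:
        score += 1.5
    if controlled(f):
        score *= CONTROL_RESIDUAL
    return round(score, 2)


def risk_tier(f: Finding) -> int:
    """KEV entries with no applicable control are always tier 1; otherwise tier by score."""
    if f.in_kev and not controlled(f):
        return 1
    s = risk_score(f)
    return 1 if s >= 15 else 2 if s >= 9 else 3 if s >= 4 else 4


def plan(f: Finding, today: date) -> dict:
    """Turn a finding into an owner-addressed action with an SLA due date."""
    a, tier = f.asset, risk_tier(f)
    if not a.active:
        action = "decommission asset instead of patching"
    elif controlled(f):
        action = "patch within SLA; compensating control in place: " + ", ".join(sorted(controlled(f)))
    elif a.exposure == "public" and tier <= 2:
        action = "patch now and reduce public exposure until patched"
    else:
        action = "patch within SLA"
    return {"id": f.finding_id, "owner": a.owner, "cvss_tier": cvss_tier(f),
            "risk_tier": tier, "score": risk_score(f), "action": action,
            "due": (today + timedelta(days=SLA_DAYS[tier])).isoformat()}


def prioritise(findings, today: date) -> list:
    """Highest risk tier first, then highest score within a tier."""
    return sorted((plan(f, today) for f in findings),
                  key=lambda p: (p["risk_tier"], -p["score"]))


def example_plan() -> list:
    """Constructed sample inventory and scan output; names and IDs are placeholders."""
    web = Asset("web-portal", "ecommerce-team", "high", "public", True)
    hrdb = Asset("hr-db", "hr-platform", "high", "segmented", True,
                 controls=frozenset({"network_acl"}))
    lab = Asset("lab-vm-17", "r-and-d", "low", "internal", False, active=False)
    jump = Asset("dev-jumpbox", "platform-eng", "medium", "internal", False,
                 controls=frozenset({"smbv1_disabled"}))
    findings = [
        Finding("F-1", web, 7.5, in_kev=True),
        Finding("F-2", hrdb, 9.8, exploit_public=True, mitigated_by=frozenset({"network_acl"})),
        Finding("F-3", lab, 9.1, exploit_public=True),
        Finding("F-4", jump, 8.8, in_kev=True, mitigated_by=frozenset({"smbv1_disabled"})),
    ]
    return prioritise(findings, date(2024, 7, 1))


if __name__ == "__main__":
    for p in example_plan():
        print(p)
```

Running it shows the point of the section: the CVSS 7.5 finding on the public portal is KEV-listed and jumps from a 30-day tier to a 7-day one with an exposure-reduction action, while the CVSS 9.8 finding on the segmented HR database, already shielded by a network ACL, drops to tier 3, and the critical finding on the inactive lab VM produces a decommission ticket rather than a patch.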
Towards a Risk-Centric Approach
In contrast to traditional approaches that focus only on identifying and remediating vulnerabilities without considering context, a risk-centric approach aligns the cybersecurity philosophy with the organization's risk tolerance and business initiatives. Moving an enterprise toward a risk-centric approach to vulnerability management is a strategic shift that lets organizations prioritize remediation effort by the potential impact of each vulnerability on business initiatives.
This assumes the cyber program aligns its overall objectives with a risk-based framework, whatever model or framework is used, and that a business impact analysis is represented in some capacity. Keep in mind that there is a "cost" associated with remediating every vulnerability, and that for every vulnerability that is remediated, a decision is made not to remediate others. This approach seeks to provide guidance and a framework for arriving at those decisions.
Under this philosophy, not all vulnerabilities are equal: they do not all present the same level of risk to the organization. Some vulnerabilities may be trivial or have minimal impact if exploited, while others may lead to significant financial losses, reputational damage, or regulatory non-compliance and potential enforcement actions.
Additionally, some vulnerabilities are not actively exploited, are not exploitable in the deployed configuration, or exist only as a proof of concept. Therefore, instead of attempting to remedy every discovered vulnerability, organizations may consider prioritizing vulnerabilities based on their exploitability and their potential impact on critical business functions.
To discover what the key considerations are for a Risk-Centric Approach to Vulnerability Management, download the full report today.