How and when it got so complicated

If you look at the past, patch management was not a cybersecurity issue; it was more of a computer maintenance problem. It wasn’t until the emergence of Code Red in 2001 that Microsoft began releasing patches to fix security vulnerabilities in its software. Patch management as a security concern came back to the fore with the massive internet worms of 2009, 2011 and 2012, and then WannaCry in 2017, which brought entire corporate networks to a halt. These incidents paved the way for the widespread adoption of regular patch management cycles among organizations. Until then, there had been only sporadic security incidents, but nothing on a scale where viruses and malware were seen spreading across geographies.

As these large-scale attacks that infected entire networks across geographies became more common, the industry turned to developing a system to catalog and track vulnerabilities. The first such catalog, the CVE list created in 1999, was initially used by US federal agencies on the recommendation of the National Institute of Standards and Technology, which published the “Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme” in 2002 and updated it in 2011. However, its large-scale use only took place in 2011, with the development of the first National Vulnerability Database (NVD).

NVD serves as a comprehensive cybersecurity vulnerability database that integrates all publicly available US government vulnerability resources and provides references to industry resources. It is synchronized with and based on the CVE list, and it uses a scoring system to assess the severity of each vulnerability. NVD has become an effective tool for security organizations to track vulnerabilities and determine which ones to prioritize based on their risk score.

Beginning in 2011, patch management began to evolve into an industry-wide security best practice. However, as the volume of vulnerabilities in the database continued to grow and IT infrastructure became more complex, patch management became a difficult task. It’s not always as easy as updating software. Some systems are critical and cannot afford downtime. Some organizations don’t have the dedicated budget or talent to test, deploy, and install patches on a regular basis.

The creation of NVD was an important first step in vulnerability and patch management for the industry. Yet two emerging issues would lead to the complications the industry experiences today with patch management. The first problem is time. There will always be latency. Once an attacker, researcher, or company identifies a vulnerability, the clock starts. It’s a race against time, from the moment a vulnerability is revealed until a patch is released and then applied, to ensure that the vulnerability is not exploited by a bad actor. In the past, the latency was 15 to 60 days. Today the window is down to just a few weeks.

But not all vulnerabilities have a solution. There is a common misconception that every vulnerability can be patched, but this is not the case. Data shows that only 10% of known vulnerabilities can be covered by patch management. This means that the remaining 90% of known vulnerabilities cannot be patched, leaving companies with two choices: either put a compensating control in place or fix the code.

The second problem is the fact that NVD has essentially been weaponized by bad actors. Although it was designed to help organizations defend themselves against malicious actors, within a short period of time the same tool was being used to launch offensive attacks. In the past five years alone, threat actors have improved their offensive capabilities through automation and machine learning. Today, they can quickly and easily find unpatched systems based on the vulnerability data in the NVD. Automation and machine learning let threat actors quickly determine which software versions an organization is running and, by cross-checking against NVD, which of those still have unpatched vulnerabilities.

Now we have asymmetric warfare: organizations try to stay on top of patch management to make sure every vulnerability is patched, while bad actors look for the one vulnerability that hasn’t been patched yet. It all comes down to a single missing patch. That’s all it takes for a security incident. That’s why patch management is now a mandatory part of an organization’s security program, not just an IT department’s responsibility.

Today, patch management is a mandatory practice to demonstrate compliance with security regulations. It is also a requirement for cyber insurance. With the rise in ransomware, including attacks on critical hospital systems where the outcome can mean life or death, patch management is under scrutiny, and rightly so. Yet IT and security teams are overworked and unable to keep up with the task. It is not humanly possible. The industry needs to find a new approach – automating patch management – which will be covered in Part 2 of this patch management series.

The second part of this series is expected to be released on Wednesday, January 12.
