
Patching: Reducing the gap between exposure and remediation

15 Nov 2019

Article by Ivanti APAC presales area vice president Andrew Souter

Patch management is crucial for any size business.

However, it is still one of the areas every organisation claims to have under control, while the number of data breach incidents we see every day that relate to vulnerability exposure seems to increase each quarter.

Costs associated with cleaning up a data breach far outweigh the costs of good prevention software and procedures.

High-profile exposure

The WannaCry ransomware attack which stormed the world in mid-2017 was one of the most prominent, affecting more than 200,000 companies in over 150 countries.

There are reports that state WannaCry has cost organisations upwards of US$4 billion.

That’s a huge amount of money for something that could have been prevented simply by following good patch management practices.

WannaCry used an exploit called EternalBlue, which targeted a vulnerability in Microsoft’s implementation of the SMB protocol.

That means it affected almost every Windows operating system available.

Now here’s the issue—Microsoft had issued a software patch to resolve the vulnerability on March 14, 2017, two months prior to the outbreak.

Yes, it could have been prevented by applying a single patch.

So why wasn’t the patch deployed?

While 200,000 is a large number of affected companies, the fact is that many other organisations did deploy the patch.

But what about those infected?

On average, it takes an organisation 90-120 days to deploy a patch to its devices, which is too big a gap between a patch being released and it being deployed.

There are usually a number of factors mentioned when organisations justify why patches aren’t deployed in a timely fashion.

One reason may be a shortage of staff to test and deploy patches.

The greatest challenge is dealing with the vast number of vulnerabilities that are discovered and finding a way to zero in on the ones relevant to your organisation.

According to the National Vulnerability Database (NVD), there were more than 16,000 CVEs (Common Vulnerabilities and Exposures) in 2018.

Sifting through to determine what needs to be deployed can become an overwhelming task for an organisation of any size.

Ways to reduce the patch gap

Most large organisations have a security team whose job is to protect the environment at all costs.

They scan the network for vulnerabilities and report these back to the operations team in the form of a list of CVEs.

The operations team, tasked with keeping the organisation running smoothly, must take that list, work out which patches resolve which CVEs, and then deploy those patches to the devices that need them.

There are patching solutions in the market that feature a unique ‘CVE to Patch’ capability that lets you import a CVE list from any third-party vulnerability scanning tool.

It then converts that automatically into a list of applicable patches ready to download and deploy.

This feature alone can save your operations teams hundreds of hours spent researching CVEs.

It helps you deploy patches to your devices faster and reduces that 120-day patch gap to a matter of hours.
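As an added illustration (not Ivanti's code and not a real patch catalogue), the script below performs the CVE-to-patch conversion described above on a constructed scanner export: it groups findings per host, picks the newest catalogue patch that resolves each CVE, counts the days each patch has been available, and flags CVEs that no catalogue entry covers. The KB-EXAMPLE identifiers, dates and hostnames are placeholders.

```python
"""Map a scanner's CVE list to the patches that resolve them.

Added example, not a vendor's code: the scanner export, the patch
catalogue and the KB identifiers are all constructed sample data.
"""
from collections import defaultdict
from datetime import date

# Constructed patch catalogue: patch id -> (release date, CVEs it resolves).
# In practice this comes from the vendor's security bulletins.
PATCH_CATALOGUE = {
    "KB-EXAMPLE-1001": (date(2019, 3, 12), {"CVE-2019-0001", "CVE-2019-0002"}),
    "KB-EXAMPLE-1002": (date(2019, 5, 14), {"CVE-2019-0003"}),
    "KB-EXAMPLE-1003": (date(2019, 6, 11), {"CVE-2019-0003", "CVE-2019-0004"}),
}

# Constructed scanner export: one "host,cve" line per finding.
SCAN_EXPORT = """\
host,cve
web01,CVE-2019-0001
web01,CVE-2019-0003
db01,CVE-2019-0002
db01,CVE-2019-0004
db01,CVE-2019-9999
"""


def parse_scan(export: str) -> dict[str, set[str]]:
    """Return host -> set of CVEs reported for it, skipping the header line."""
    findings: dict[str, set[str]] = defaultdict(set)
    for line in export.splitlines()[1:]:
        host, cve = (field.strip() for field in line.split(",", 1))
        findings[host].add(cve)
    return dict(findings)


def cves_to_patches(findings, catalogue=PATCH_CATALOGUE, today=date(2019, 11, 15)):
    """Per host, choose the newest patch covering each CVE and report gaps.

    Returns (plan, unresolved): plan is host -> {patch id: days since the
    patch was released}, unresolved is host -> CVEs no catalogue entry fixes.
    """
    plan = defaultdict(dict)
    unresolved = defaultdict(set)
    for host, cves in findings.items():
        for cve in sorted(cves):
            candidates = [(rel, pid) for pid, (rel, fixed) in catalogue.items() if cve in fixed]
            if not candidates:
                unresolved[host].add(cve)  # needs manual research or a workaround
                continue
            released, patch_id = max(candidates)  # newest cumulative patch wins
            plan[host][patch_id] = (today - released).days
    return dict(plan), dict(unresolved)
```

The "days since release" figure per patch is the exposure window the article calls the patch gap; the unresolved set is what still needs a human.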

Employ automation as much as possible

Another key way to help reduce the patch gap is to use automation as much as possible.

Matching CVEs to patches is only one way automation helps.

By using runbook automation, you can automate almost every part of the patch process via the API—everything from scanning for new devices and for applicable patches, to deploying patches during the patch window and reporting on the success or failure of the whole process.

For complex patch jobs, you can even automate the order in which you stop services, reboot servers, and start everything back up in a certain order.
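As an added example, not the automation of any particular product, this Python snippet shows the ordering step of such a runbook: service stop and start sequences derived from a constructed dependency map using the standard library's graphlib, plus a runner that halts at the first failed step and returns a success/failure report. The `execute` callback is a hypothetical stand-in for the patch tool's API.

```python
"""Order the stop/patch/reboot/start steps of a patch runbook.

Added example, not a vendor's code: the dependency map is constructed and
`execute` is a hypothetical callback standing in for the patch tool's API.
"""
from graphlib import TopologicalSorter

# Constructed dependency map: service -> services that must be running first.
DEPENDS_ON = {
    "database": set(),
    "cache": set(),
    "app": {"database", "cache"},
    "web": {"app"},
}


def start_order(depends_on):
    """Dependencies first: a service starts only after everything it needs."""
    return list(TopologicalSorter(depends_on).static_order())


def stop_order(depends_on):
    """Reverse of start order: nothing stops while a dependent still runs."""
    return list(reversed(start_order(depends_on)))


def build_runbook(depends_on, patch_ids):
    """Stop services, apply patches, reboot, then start services, in order."""
    steps = [("stop", s) for s in stop_order(depends_on)]
    steps += [("patch", p) for p in patch_ids]
    steps.append(("reboot", "host"))
    steps += [("start", s) for s in start_order(depends_on)]
    return steps


def run_runbook(steps, execute):
    """Run steps in order; abort at the first failure and report every step.

    `execute(action, target)` returns True on success. The report lists
    (action, target, status) so the whole run's outcome can be audited.
    """
    report = []
    for action, target in steps:
        ok = execute(action, target)
        report.append((action, target, "ok" if ok else "failed"))
        if not ok:
            report.append(("abort", target, "remaining steps skipped"))
            break
    return report
```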
