How critical is consistent, comprehensive, timely patch management to effective enterprise cybersecurity? Credit reporting giant Equifax suffered a breach that put personally identifiable information (PII) at risk for as many as 143 million people. Days after the breach was first reported publicly on September 7, Equifax stated that it discovered in July that it had been breached in May. That breach succeeded via a vulnerability first identified in March, and for which a patch was issued within a week. Equifax has yet to disclose why that patch had not been applied to the server that served as the gateway for the breach.
Unfortunately, the Equifax breach is only the latest high-profile example of an all-too-common situation. At many if not most enterprises – perhaps including yours – consistent, comprehensive, timely patch management is simply not happening. Verizon’s 2017 Data Breach Investigations Report found that across multiple industries, cybersecurity attacks can compromise networks in seconds to minutes, but discovery and remediation of incidents and threats can take weeks, months, or even years.
In some cases, this is due to complacency. In August, Australian accounting software provider MYOB surveyed 394 of its small and midsized enterprise customers. As ZDNet reported, among those respondents, 87 percent said they believed their businesses were safe from cyber attacks, primarily because they use antivirus software. Another 32 percent said they did not need to improve cybersecurity at their enterprises because they did not have a significant online presence.
However, even at enterprises where the need for patch management is well understood, it isn’t happening at consistently adequate levels. Herewith, some thoughts on why comprehensive patch management is critical, the obstacles to it, and how to overcome them.
How Important is Patch Management to Cybersecurity?
Recommendations for improving enterprise cybersecurity are offered by multiple credible, respected sources. These include the Center for Internet Security (CIS), the Australian Signals Directorate (ASD), the International Organization for Standardization (ISO), and the UK’s National Cyber Security Centre (NCSC). The U.S. National Institute of Standards and Technology (NIST) and the Federal Bureau of Investigation (FBI) also offer specific recommendations for improving cybersecurity protections.
All of these organizations’ recommendations, as well as those from Ivanti cybersecurity experts, share a common theme. All agree that timely, comprehensive patch management, combined with effective control of applications, devices, and admin rights, can improve any enterprise’s security posture, rapidly and dramatically in many cases. (See “Beyond WannaCrypt/WannaCry: Wanna Know What’s Next?” and “Your Threats Are Evolving. Are Your Defenses?”)
The CIS Controls inform and align with cybersecurity recommendations from other bodies around the world. The CIS asserts that the first five of these Controls, listed below, can eliminate the vast majority of cybersecurity vulnerabilities. And patch management is essential to maintaining secure hardware and software configurations.
- Inventory of Authorized and Unauthorized Devices
- Inventory of Authorized and Unauthorized Software
- Secure Configurations for Hardware and Software
- Continuous Vulnerability Assessment and Remediation
- Controlled Use of Administrative Privileges
The FBI recommends nine specific steps to prevent ransomware infections. The first of these? “Patch the critical operating systems and applications.” (See the Ivanti white paper, “9 Steps to Protect Against Ransomware.”)
Other examples abound, but the message is clear. Effective cybersecurity requires consistent, comprehensive, timely patch management for all of your critical clients, servers, applications, and operating systems.
Why Is Patch Management Broken?
It’s not easy. It requires keeping track of all the patches issued by all the software vendors that provide products important to your enterprise. It means discovering and keeping track of which of your clients and server systems, applications, and operating systems need which patches. It means understanding the specific patch management needs of all of your most critical clients, servers, applications, and operating systems. It means using that knowledge to prioritize and execute patch acquisition, testing, and deployment. And it means doing all of this frequently enough to maximize protection of your enterprise, even as new vulnerabilities and patches continue to appear almost constantly.
It’s not cheap. Patching your enterprise’s most critical clients, servers, applications, and operating systems is often a labor-intensive, manual process. This means it consumes time and effort from the people who keep your IT running, and that time and effort are fairly costly, even though the patches themselves are freely available. And many tools that promise to ease and speed the process are expensive, challenging to deploy, use, and manage, limited in scope, or all of these.
It competes with other priorities. You and your team have multiple other responsibilities, many of which are perceived as more important to the enterprise or more critical to user productivity. And this often results in few to no resources available to dedicate to performing, let alone improving, patch management.
These and other challenges can make it tempting to cut corners, costs, or both where patch management is concerned. However, the Ponemon Institute’s 12th annual Cost of a Data Breach Study, published in June 2017, found the average total cost of a single breach to be $3.62 million. That same study found the odds of experiencing a data breach to be as high as one in four. So effective patch management is likely worth far more than an enterprise would have to spend to achieve it.
Getting to Effective Patch Management
Fortunately, improving patch management doesn’t have to be overly difficult or expensive. It can begin with incumbent tools and processes in many cases, if these are applied in a focused and systematic way.
Discover – as the CIS Controls recommend, begin with a detailed inventory of all hardware and software, both authorized and unauthorized. You cannot protect or defend against what you don’t know is in your environment.
Provide Insight – use the inventory information you’ve gathered, in combination with the patch information provided by software vendors, to prioritize your patch management needs and goals. You probably can’t and don’t want to try to patch everything all the time. But you can ensure that your most critical or vulnerable resources get patched soonest and kept current. You should also pursue comprehensive application control, to protect against any vulnerabilities or rogue software your discovery and patch management efforts may miss.
Take Action – develop and deploy consistent processes for acquiring, testing, and deploying the patches most critical to your environment. Track and report regularly on your efforts and their results. Use those results to refine and improve patch management processes and efforts across your enterprise, in concert with your connected business partners wherever possible.
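The three steps above can be sketched in a few lines of Python. This is an added example, not code from the original article or from any Ivanti product; the host names, products, versions, dates, and the severity-times-criticality score are all constructed assumptions.

```python
from datetime import date

# Constructed sample data; hosts, products and versions are hypothetical.
INVENTORY = [
    {"host": "web-01", "product": "appframework", "version": "2.3.5", "criticality": 5, "authorized": True},
    {"host": "hr-07", "product": "pdfviewer", "version": "11.0.2", "criticality": 2, "authorized": True},
    {"host": "db-02", "product": "dbserver", "version": "9.6.4", "criticality": 5, "authorized": True},
    {"host": "dev-13", "product": "filesharer", "version": "1.0.0", "criticality": 1, "authorized": False},
]
# Constructed vendor feed: first fixed version, severity (0-10), release date.
PATCH_FEED = [
    {"product": "appframework", "fixed_in": "2.3.32", "severity": 10.0, "released": date(2017, 3, 10)},
    {"product": "pdfviewer", "fixed_in": "11.0.10", "severity": 7.5, "released": date(2017, 8, 1)},
    {"product": "dbserver", "fixed_in": "9.6.4", "severity": 8.0, "released": date(2017, 8, 10)},
]

def parse_version(text):
    """Compare numerically: as plain strings, "2.3.5" would sort above "2.3.32"."""
    return tuple(int(part) for part in text.split("."))

def prioritize(inventory, feed, today):
    """Provide Insight: join inventory with the feed and rank missing patches."""
    fixes = {p["product"]: p for p in feed}
    queue = []
    for item in inventory:
        patch = fixes.get(item["product"])
        if patch is None:
            continue  # no vendor fix known for this product
        if parse_version(item["version"]) >= parse_version(patch["fixed_in"]):
            continue  # already at or past the fixed version
        queue.append({
            "host": item["host"],
            "target": patch["fixed_in"],
            "days_exposed": (today - patch["released"]).days,
            "score": patch["severity"] * item["criticality"],  # assumed scoring
        })
    # Highest score first; longer exposure breaks ties.
    return sorted(queue, key=lambda q: (q["score"], q["days_exposed"]), reverse=True)

def report(inventory, feed, today):
    """Discover, then Take Action: what to patch next and what to investigate."""
    authorized = [i for i in inventory if i["authorized"]]
    unauthorized = [(i["host"], i["product"]) for i in inventory if not i["authorized"]]
    return {"patch_queue": prioritize(authorized, feed, today),
            "unauthorized": unauthorized}

if __name__ == "__main__":
    result = report(INVENTORY, PATCH_FEED, today=date(2017, 9, 15))
    for entry in result["patch_queue"]:
        print(entry)
    print("unauthorized:", result["unauthorized"])
```

Running the same report on a schedule and comparing the days_exposed values over time gives the regular tracking the last step calls for.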