Effective vulnerability management is essential to security. The trouble is, it’s tough.
Many organizations lack the resources to prioritize patching and keep up with the thousands of vulnerabilities that threaten the applications and devices on their network. Kenna Security research found that only 32.3% of vulnerabilities are remediated within 30 days of discovery. On average, it takes large organizations 254 days to remediate 75% of high-risk vulnerabilities. Smaller organizations don’t fare much better, taking 195 days to hit the same mark.
The time it takes to remediate a vulnerability shouldn’t be the only concern. Organizations can end up making a number of mistakes that leave them less secure and make patch management more difficult than it already is. Here are five of the biggest missteps organizations make and how to fix them.
- Too many tools.
Sometimes companies assemble a slate of tools, each with a single function. Different departments or business units deploy different tools to accomplish the same tasks. M&A brings two companies together in name only, leaving each using separate tools in silos.
One way or another, companies end up with too many tools that don’t talk to each other. A Forrester survey of IT decision-makers found that 55% of respondents had 20 or more tools between security and operations, and 70% said they lack full integration. That’s not only costing these companies money, as they overspend on tools with overlapping or redundant functionality, but potentially leaving them open to vulnerabilities as well.
At the very least, you should integrate all of your solutions to create a single view across your organization. Even better, is to have one tool in place that gives you a comprehensive insight into your organization’s security. That way you can simplify your tools, save money, and better understand the vulnerabilities you face.
- Lack of visibility.
In a research based on 450 organizations, Kenna Security found that half of them manage more than 800 active assets, 10% manage more than 35,000 assets, and some manage more than 1 million.
That’s a lot to keep track of. And too many tools aren’t the only barrier to gaining a full view of your organization’s vulnerabilities.
When NASA’s Jet Propulsion Laboratory (JPL) was breached in 2018, hackers gained entrance through an unpatched Raspberry Pi device that was unauthorized and unknown. The JPL’s Information Technology Security Database, which was supposed to keep track of devices on the network, was out of date and inaccurate.
If you don’t know what devices and programs are used on your network, how can you expect to patch their vulnerabilities? Even solid vulnerability remediation plans can be undermined by shadow IT.
That’s why it’s important to keep close tabs on every device and application used on your network, tracking vulnerabilities and patching status for each. Only then can you have any assurance your systems are secure.
- Lack of collaboration.
This shouldn’t come as a surprise, but no one can handle patching all by themselves. First of all, the task is too massive. In 2019 alone, 17,000 vulnerabilities were added to the U.S. National Vulnerability Database.
Second, even if you trim that list to the highest-risk vulnerabilities, you still have to work with other members of your company to arrange the best time for the patching to take place.
Third, security teams need IT and operations to get patching done, but the groups are often working in silos. While security teams are raising red flags about vulnerabilities and attempting to remediate them, IT and operations teams are often more concerned with business continuity. Without a handshake between them, vulnerabilities don’t get patched.
This is one reason why executive-level involvement can be beneficial. Not only can executives clarify priorities around what applications and systems are most critical to the business, but they can break down the silos and bring everyone onto the same page. Greater collaboration not only allows you to understand your organization’s greatest vulnerabilities, but also work with other teams toward the shared goal of security.
- Lack of orchestration.
When patching doesn’t work, it often isn’t the patch itself that’s the problem. It’s the process.
Change requests, scheduling downtime, reboots before and after the patch is applied. All of these take time and coordination.
These kinds of processes should be documented, consistently executed, and updated as necessary so you’re not reinventing the wheel every time you need to apply a patch. This will save time and effort, and with the right tools, you can even predict where the process might go awry and take steps to avoid any delays or hurdles.
- Relying on manual processes.
Let’s just come out and say it: Manual patching doesn’t work. Given the sheer volume of vulnerabilities, the limited resources on security and IT teams, and the often complex procedures to navigate, manual patching can only ever be a slow, infrequent, and frustrating process.
If you’re stuck manually patching your applications and systems, It is practically guaranteed that they’re not fully up to date and secure. By looking instead to automate the patching process from start to finish, you can ensure patching happens in a timely manner without requiring massive resources.
Automated patching tools can take advantage of existing downtime and schedule patching to be convenient for everyone involved. That way your systems are updated and secured with minimal disruption.
A better way to approach patch management
As you can see, there are a few common themes for effective vulnerability and patch management.
Visibility into the applications and devices across your network will give you a clear understanding of what security gaps your network faces.
Collaboration is key to keeping everyone on the same page and ensuring the patching process is as smooth as possible.
Finally, automating patching, from end to end, is essential. Automation allows you the most efficient path to vulnerability remediation, without eating up time and resources.
By following these principles, you can avoid common mistakes, uplevel your patch management, and keep your company secure.
