Ask any IT manager in a mid- to large-sized enterprise about patch management, and you’ll most likely encounter a pained expression along with a sigh. As infrastructures and app architectures become more complex and decentralized, patch management has become an even more daunting and resource-intensive challenge, for both technological and organizational reasons.
However, the cost of not investing resources in effective patch management can be disastrously high. A classic example is the Equifax breach in September 2017 due to a missed patch on a key web software component. This led to the exfiltration of the highly personal data of more than 145 million consumers. When the dust settled, industry analysts estimated that the cost of this breach will be in the neighborhood of $600 million, making it the most expensive hack in corporate history—so far.
Earlier in 2017, prior to the Equifax fiasco, the highly disruptive WannaCry and Petya ransomware attacks took down systems around the globe by exploiting a known vulnerability (“EternalBlue”) for which a patch was already available.
In short, in our world of zero-day vulnerabilities, timely and comprehensive patching is essential. In this article, we look at patching challenges in more detail and present the three principles that must be upheld by any robust, enterprise-grade patch management solution.
Why Is Patch Management So Difficult?
A security automation survey conducted in late 2016 revealed that 81% of breaches and failed audits could have been prevented by more timely and comprehensive patching. However, in a Tripwire survey of about 500 IT professionals conducted the same year, almost half admitted that they could simply not keep up with patching. Although WSUS manages updates for Windows-based systems, they reported that the process is often frustrating and prone to error, while Mac and Linux systems require manual patching. From yet another source we learn that the prevailing industry metric is that 25% of organizations patch within the first week, another 25% within the first month, 25% after the first month, and 25% never apply the patch. Of course, the longer the wait, the greater the risk.
The following are some of the key reasons that contribute to this widespread inability to adequately manage patching within the appropriate time frame:
- The sheer volume of patches: According to CVE Details, there were more than 14,600 vulnerabilities exposed in 2017, which is more than double the vulnerabilities reported in 2016. The upward trend has continued in 2018, with 16,259 vulnerabilities, i.e., an average of ~44 per day, each with its requisite patch. This type of frequency makes patches hard to manage, especially when it is hard to understand which vulnerability alerts are most relevant to the organization.
- Poor visibility into software assets: It is not unusual for an organization to be running multiple operating systems of different versions. Keeping a clear inventory of these fragmented assets is further complicated by geographically and functionally distributed operations as well as by acquisition scenarios in which two or more IT systems have to be merged into the corporate ecosystem. Weak asset inventory management is considered one of the root causes of inadequate patch management.
- Conflicting intra-organizational interests: The security team wants to patch as frequently as necessary. However, they must contend with business units that are concerned about downtime (and potential lost revenue) or simply have other priorities.
- Legacy systems: These often cannot be patched or, if patched, could “break” already fragile business-critical applications.
- Patching flow: There are often dependencies between systems—either for HA purposes or because of the way an application is structured. This dependency dictates the flow of patching, and if the flow is not followed properly, production systems can fail.
- Change control processes that are unwieldy: There were those who wondered at the time why the Equifax system admin didn’t simply go ahead and install the patch and thus prevent the catastrophic breach described earlier in this article. However, in large organizations, a sysadmin can’t install software to production without a multi-step, multi-level change approval process.
- Lack of adequate patch management solutions: The solutions available today deal with patch deployment as well as monitoring and reporting on an organization’s patch compliance level. Although these solutions are helpful, there is no one solution that addresses the full range of patching pain points such as organization-targeted prioritization, poor visibility across assets, legacy systems or systems with many dependencies, change control management, and more.
In summary, routine patch management today is time-consuming, resource-consuming, and conflicts with business velocity. However, poor patching can lead to crisis patch management situations that are even more expensive and disruptive. Here below, we’ll discuss how to achieve an enterprise-grade patch management solution to alleviate these concerns.
The Three Principles of Effective Patch Management
All three of the principles described in this section must be part of a single integrated patch management solution so that patching can be both effective and cost-effective.
1. Vulnerability Scanning and Analytics
In the face of so many patches being issued on a daily basis, the IT department in a large enterprise has no choice but to prioritize where it’s going to invest its patching resources. Thus, a key component of any integrated patch management system must be automated vulnerability scanning and targeted assessment of the importance of any given vulnerability to the specific organization.
2. Patch Process Governance
When analyzing security breaches, the root cause is often that: somebody did not install a patch; somebody waited for permission to install a patch, and the permission did not arrive; or somebody was not even aware that the vendor had issued a patch. In other words, the process was not properly defined, or the process was not followed. Thus, patch process governance is a second element that must be present in an effective patch management solution.
3. End-to-End Patch Workflow Automation
Automated patch management is not just about deploying patches. The IT/Ops team will have an entire patching workflow that includes steps to be taken prior to and after installing a patch, such as performing patch pre-checks, implementing a rollback plan if a patch causes problems, restarting the system, and so on.
Introducing JetPatch
JetPatch has been designed from the ground up as an end-to-end, single-pane automated patch management solution for defining and enforcing patching processes and workflows across even the most complex infrastructures. The following infographic summarizes how JetPatch implements the three essential principles of patching:
Vulnerability Scanning and Assessment
- Auto-discovery across even the most complex environment, eliminating patching blind spots.
- Leverages leading industry vulnerability databases to track patch availability and assess
Patch Process Governance
- Flexible definition of workflows, including a library of automated tasks.
- Intuitive patch governance dashboard to view and analyze consolidated patch rollout and vulnerability
End-to-End Workflow Automation
- Spans infrastructure and silos, preventing errors & reducing time-to-remediation.
- Learns root causes of remediation delays & automatically corrects them.
- Optimized downtime
We invite you to see for yourself by scheduling a demo during which we can show you how JetPatch helps enterprises overcome their patching challenges in order to enhance the security of their digital assets.
