
Getting your endpoints in order: Adopting a risk-based approach to patch management


Theoretical physicist Albert Einstein once said, “the definition of insanity is to keep doing the same thing over and over and expecting a different result”. In the arena of vulnerability management, we can draw some similarities. As businesses struggle with modernising long-standing practices to allegedly fix something that is not broken, they can easily be overwhelmed by the scale of patching dictated by the current landscape.

However, many companies are unaware that this might be because they have the wrong strategy in place to tackle the large number of vulnerabilities lurking in cyberspace. Indeed, this is regularly exhibited in a mentality that pervades the patch management community: ‘patch everything, all the time, everywhere’. Yet this strategy is inefficient, and it is clear that a change is needed in how companies address patching and vulnerability remediation.

Assessing vulnerability-led threats

Time and time again, IT news is led by stories of data-rich servers and end users being exploited by sophisticated hackers. This was recently seen with the popular messaging service WhatsApp: the app was hacked due to a bug that gave hackers the ability to access files on a victim’s paired computer with just a simple message. This is highly concerning not only because of the proliferation of the app, but because of the ease with which such an attack could spread. It makes us all wince and wonder what else has been missed so far and how such a massive bank of user data was left so easily exploitable.

Whilst WhatsApp did ultimately address the bug, it points to a wider debate within the patch management community surrounding strategies for vulnerability management. A recent Gartner report looked into the proliferation of bugs since the early 2000s. It found that the number of publicly disclosed vulnerabilities had grown by over 30 per cent in the 10 years from 2006. This is a huge increase in dangerous and sophisticated vulnerabilities for companies to contend with, and it poses a high risk to organisations’ IT infrastructure.

Yet it is important to remember that not all bugs are equal; some are far more severe than others. Indeed, the same research notes that there are roughly 50 to 300 high-risk vulnerabilities per year about which an organisation should be highly concerned. These dangerous threats include the likes of banking trojans, ransomware and botnets, which IT teams must be wary of at all times. Here, companies need to take into account both the Common Vulnerability Scoring System (CVSS) score and which vulnerabilities are most likely to be exploited.

Recalibrating IT teams’ approach to patch management

For many IT teams, there is an ambition to ‘patch everything, all the time, everywhere’. Time-consuming and hard to achieve, this approach dictates that the majority of IT admins’ time should be spent on patching everything within their systems all the time. Whilst this is pursued with good intentions, it is an impossible task for many organisations that do not have the capacity to meet such a time-consuming demand. Without an automated solution, this overambitious goal leaves IT teams doomed to fail.

However, this approach also carries a number of risks to a company’s IT infrastructure. By spreading effort across every vulnerability, the most important bugs stay unfixed for a long time. The consequences of this oversight are naturally extremely dangerous and can lead to the data breaches that are seen regularly in the news. More widely, this can bring significant reputational damage to an organisation and put customer data in danger.

Ultimately, IT teams need to be mindful of how they use their skills and time, developing a process that prioritises the most dangerous bugs first and utilises an organisation's resources most effectively. Here, businesses of all shapes and sizes should look to recalibrate their approach to patching via a risk-based model in order to drive efficiency within their bug management processes.

Implementing the risk-based approach to patching

This solution might seem obviously simple: patching the high-risk vulnerabilities is what many IT teams are trying to do already. However, the process of looking into all potential vulnerabilities and taking the time to rank them according to the CVSS can be seen as a time-consuming task, which some resource-poor and highly pressured IT teams do not always deem necessary. Yet this prioritisation step will help IT teams in the long run.

The most effective and low-cost way of executing a patching strategy is to define priorities and tackle the biggest risks for a given network first. As Gartner reported, there are roughly 50 to 300 high-risk vulnerabilities per year which are cause for critical concern, and it is these vulnerabilities which need to be at the top of the priority list for IT teams. They are the most likely to cause the most damage if left unpatched and could lead to serious criminal exploitation.

As a result, it is essential that business IT teams rank vulnerabilities not only by their CVSS score but also by how likely each one is to be exploited. From there, businesses can focus on prioritising those patches that need prompt attention. Time-efficient and risk-based, this enables a more effective approach to risk mitigation by tackling the most dangerous bugs first.
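The prioritisation described in this section and under "Assessing vulnerability-led threats" (CVSS severity combined with likelihood of exploitation) can be made concrete with a small scoring routine. The following is an added example, not code from the original article or from baramundi; the weighting formula, the exposure weights, the remediation windows and the vulnerability records (placeholder CVE identifiers with made-up scores) are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Vuln:
    """One finding from a vulnerability scan (fields are assumptions for this example)."""
    cve: str               # placeholder identifier, constructed for this example
    cvss: float            # CVSS base score, 0.0 to 10.0
    exploit_prob: float    # estimated probability of exploitation, 0.0 to 1.0 (made-up values)
    known_exploited: bool  # True if listed in a known-exploited-vulnerabilities catalogue
    asset_exposure: str    # "internet", "internal" or "isolated"


# Assumed weights: how reachable the affected asset is from an attacker's position.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.6, "isolated": 0.3}


def risk_score(v: Vuln) -> float:
    """Composite risk on a 0-100 scale: severity x likelihood x exposure.

    A known-exploited entry floors the likelihood at 0.9 so that confirmed
    in-the-wild exploitation is never outranked by a low probability estimate.
    """
    likelihood = max(v.exploit_prob, 0.9 if v.known_exploited else 0.0)
    severity = v.cvss / 10.0
    return round(100 * severity * likelihood * EXPOSURE_WEIGHT[v.asset_exposure], 1)


def sla_days(score: float) -> int:
    """Assumed remediation window (days) for each risk band."""
    if score >= 60:
        return 3
    if score >= 30:
        return 14
    if score >= 10:
        return 30
    return 90


def prioritise(vulns: List[Vuln]) -> List[Tuple[str, float, int]]:
    """Rank findings by risk score (highest first); CVSS and CVE id break ties."""
    ranked = sorted(vulns, key=lambda v: (-risk_score(v), -v.cvss, v.cve))
    return [(v.cve, risk_score(v), sla_days(risk_score(v))) for v in ranked]


def cvss_only_order(vulns: List[Vuln]) -> List[str]:
    """The 'patch everything by CVSS' ordering, for comparison with prioritise()."""
    return [v.cve for v in sorted(vulns, key=lambda v: (-v.cvss, v.cve))]


# Constructed sample scan output; identifiers and scores are placeholders.
SAMPLE_VULNS = [
    Vuln("CVE-0000-0001", 9.8, 0.02, False, "internal"),
    Vuln("CVE-0000-0002", 7.5, 0.85, True, "internet"),
    Vuln("CVE-0000-0003", 5.3, 0.40, False, "internet"),
    Vuln("CVE-0000-0004", 9.1, 0.10, False, "isolated"),
    Vuln("CVE-0000-0005", 8.8, 0.50, False, "internet"),
]


if __name__ == "__main__":
    print("CVSS-only order:", cvss_only_order(SAMPLE_VULNS))
    print("Risk-based order:")
    for cve, score, days in prioritise(SAMPLE_VULNS):
        print(f"  {cve}  risk={score:5.1f}  patch within {days} days")
```

Run as written, the CVSS-only ordering puts the 9.8 on an internal host first, while the risk-based ordering puts the known-exploited 7.5 on an internet-facing asset at the top with a three-day window and pushes the two high-CVSS but rarely exploited, poorly reachable findings to the back. That gap between the two orderings is the point of the section: a pure severity queue spends the first days of effort on the wrong bugs.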

Driving efficiency in business’ patching strategy

This approach does not deny that a company should look to continuously patch all bugs within its IT systems, but these improvements should start with the biggest risks first. Indeed, it is important to have the right strategy in place to complement the right infrastructure, such as a Unified Endpoint Management (UEM) system, to ensure that companies are achieving their IT potential.

This further reduces the time-consuming task of patching by automating routine work such as patch distribution. With the right approach to patching and the right tools in place, a business can reliably manage and protect all of its endpoints.

Many in the industry are aware that some organisations’ vulnerability management strategies are still not working, with data-rich servers left to mitigate against sophisticated hackers daily. By finding the right approach to vulnerability management, combining a risk-based approach with a UEM solution, organisations can be properly prepared for potential attacks on their systems in the future.

Sean Herbert, UK Country Manager, baramundi

Senior IT Professional with a background in Electronic Engineering. Interested in IT Security & Compliance landscapes, occasional blogger on the subject and trusted advisor.