Story image

Patching: Reducing the gap between exposure and remediation

15 Nov 2019

Article by Ivanti APAC presales area vice president Andrew Souter

Patch management is crucial for any size business.

However, it is still one of the areas every organisation claims to have under control, yet the number of daily incidents we see about data breaches related to vulnerability exposure seems to increase each quarter.

Costs associated with cleaning up a data breach far outweigh the costs of good prevention software and procedures.

High-profile exposure

The WannaCry ransomware attack which stormed the world in mid-2017 was one of the most prominent, affecting more than 200,000 companies in over 150 countries.

There are reports that state WannaCry has cost organisations upwards of US$4billion.

That’s a huge amount of money for something that could have been prevented simply by following good patch management practices.

WannaCry used an exploit called EternalBlue, which exploited Microsoft’s implementation of the SMB protocol.

That means it affected almost every Windows operating system available.

Now here’s the issue—Microsoft had issued a software patch to resolve the vulnerability on March 14, 2017, two months prior to the outbreak.

Yes, it could have been prevented by applying a single patch.

So why wasn’t the patch deployed?

While 200,000 represents a large number of companies affected, the fact is that many did deploy the patch.

But what about those infected?

On average, it takes an organisation 90-120 days to deploy a patch to their devices, which is too big a gap between a patch being released and it being deployed.

There are usually a number of factors mentioned when organisations justify why patches aren’t deployed in a timely fashion.

One of the reasons might be the staff shortage to help test and deploy patches. 

The greatest challenge is dealing with the vast amount of vulnerabilities that are discovered and finding a way to zero in on the relevant ones for your organisation.  

According to the National Vulnerability Database (NVD), there were more than 16,000 CVEs (Common Vulnerabilities and Exposures) in 2018.

Sifting through to determine what needs to be deployed can become an overwhelming task for an organisation of any size.

Ways to reduce the patch gap

Most large organisations have a security team whose job is to protect the environment at all costs.

They scan the network for vulnerabilities and report these back to the operations team in the form of a list of CVEs.

The operations team, tasked with keeping the organisation running smoothly, must take that list and try to work out which patches resolve which CVE’s and then deploy those to the devices that need them.

There are patching solutions in the market that feature a unique ‘CVE to Patch’ capability that lets you import a CVE list from any third-party vulnerability scanning tool.

It then converts that automatically into a list of applicable patches ready to download and deploy.

This feature alone can save your operations teams hundreds of hours spent researching CVEs.

It helps you deploy patches to your devices faster and reduces that 120-day patch gap to a matter of hours.

Employ automation as much as possible

Another key way to help reduce the patch gap is to use Automation as much as possible.

Matching CVEs to patches is only one way automation helps.

By using runbook automation, you can automate almost every part of the patch process via the API—everything from scanning for new devices, scanning for applicable patches, deploying patches during the patch window, and reporting on the success or failure of the whole process.

For complex patch jobs, you can even automate the order in which you stop services, reboot servers, and start everything back up in a certain order.