4 Things to Know About Patching

By Derek E. Brink, CISSP, vice president and research fellow for IT Security and IT GRC at Aberdeen Group, a Harte-Hanks Company

As a guest speaker at Secunia's launch of Corporate Software Inspector (CSI) 7.0, I wanted to call attention to four things that enterprises should know about patching.

1. Patching Can Be Highly Effective

The Australian Government's Defence Signals Directorate (DSD) has been garnering some well-deserved accolades lately for its recently updated publication on Strategies to Mitigate Targeted Cyber Intrusions. Their analysis suggests that just four specific endpoint security strategies and controls would have successfully protected against at least 85% of the cyber intrusions that they responded to in the previous 12 months:

  • Patch endpoint operating system vulnerabilities

    • Patch or mitigate high-risk vulnerabilities within two days
    • Discontinue use of Microsoft Windows XP or earlier
  • Patch endpoint applications

    • E.g., PDF viewer, Flash Player, Microsoft Office, Java
    • Patch or mitigate high-risk vulnerabilities within two days
  • Minimize the number of end-users with domain or local administrative privileges
  • Whitelist endpoint applications

    • Permit execution of approved / trusted programs
    • Prevent execution of unapproved and potentially malicious programs and dynamic link libraries (.DLL files)

2. Patching Protects Against Malware and Hacking, Which are Leveraged in a Majority of Observed Incidents

A result similar to the one generated by the Australian DSD's analysis can be inferred from the excellent analysis of 855 actual incidents shared by Verizon Business in their 2012 Data Breach Investigations Report. Their very clever “4 A's” threat event framework, referred to as VERIS, uniquely classifies each potential event in terms of the Asset (what asset was affected), the Action (what action was taken on the asset), the Agent (whose actions affected the asset), and the Attribute (how the asset was affected), resulting in a concise matrix of 315 distinct possible events. In that matrix, 98% of the observed events were the result of malware and hacking targeting endpoints (user devices) and servers.



Overall, 81% of all incidents leveraged hacking, 69% involved malware, and 61% used a combination of both. The simple point is that prompt patching of high-risk vulnerabilities in platforms, applications, and databases should be just as effective a strategy for the security of back-end systems as the Australian DSD found it to be for endpoints. One caveat: “hacking” in the DBIR's sense covers the abuse of default, guessable or stolen credentials as well as the exploitation of software vulnerabilities, and patching does nothing for the credential cases, so a patch program has to be paired with sound credential and privilege management (the DSD's third strategy) rather than stand alone.

3. Patching Has the Strongest Correlation with Leading Performance

In its research, Aberdeen routinely asks respondents about their current use, planned use and current evaluations of a wide range of IT Security technologies. In a recent study of more than 160 organizations, all (100%) respondents had deployed anti-virus / anti-malware; more than 4 out of 5 had also deployed technologies such as email (86%) and web (82%) monitoring and filtering; 75% had deployed patch management; and so on.



Comparing the leading performers (top 20%) with the lagging performers (bottom 30%) from the same study, the leaders have consistently deployed each of these technologies to a higher degree than the laggards, and the gap between the two groups is widest for patch management. Of the technologies surveyed, patch management therefore has the strongest correlation with top performance. Note that this is a correlation in survey data, not a controlled experiment: it shows that leaders patch, not by itself that patching is what makes them leaders.

4. Patching Best Practices Reflect a Lifecycle Model

A simplified vulnerability management lifecycle includes three basic stages:

  • Assess: identification of all vulnerabilities and threats that are relevant to the organization's IT assets
  • Prioritize: determination of which vulnerabilities and threats should be addressed first, based on the level of risk and the business value of the IT assets in question
  • Remediate: deployment of software patches, configuration updates, or compensating controls

Unfortunately, each new day brings a new wave of threats and vulnerabilities to be managed, so these three steps must be repeated continuously to keep vulnerability-related risk within acceptable limits; even this simplified lifecycle makes the continuous nature of vulnerability management clear. The top performers at vulnerability management accomplish this while maximizing efficiency and minimizing total cost.
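To make the three stages concrete, here is one pass through the lifecycle as a short script. This is an added example written for this page; it is not code from the article, from Aberdeen or from Secunia CSI. The software inventory, the advisories and the per-host business values are constructed sample data, and the risk formula (CVSS, doubled when exploitation is known, weighted by asset value), the 2-day deadline for high-risk items and the 30-day default are assumptions chosen for illustration (the 2-day figure follows the DSD guidance quoted above).

```python
"""Assess / prioritize / remediate over a small software inventory.

Added illustration, not code from the article or from Secunia CSI. The
inventory, advisories and asset values are constructed sample data; the risk
formula, the 2-day SLA for high-risk items and the 30-day default are
assumptions (the 2-day figure follows the DSD guidance quoted in the article).
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Advisory:
    adv_id: str
    product: str
    fixed_in: tuple     # first version that contains the fix
    cvss: float
    exploited: bool     # exploitation observed in the wild
    published: date


@dataclass(frozen=True)
class Install:
    host: str
    product: str
    version: tuple


# Constructed sample data (identifiers and versions are made up).
ADVISORIES = [
    Advisory("ADV-0001", "Flash Player", (11, 5, 0), 9.3, True, date(2013, 1, 2)),
    Advisory("ADV-0002", "Java", (7, 0, 11), 10.0, True, date(2013, 1, 3)),
    Advisory("ADV-0003", "Office", (14, 0, 6129), 6.8, False, date(2012, 12, 20)),
]
INVENTORY = [
    Install("srv-db-01", "Java", (7, 0, 9)),
    Install("wks-042", "Flash Player", (11, 4, 402)),
    Install("wks-042", "Java", (7, 0, 11)),          # already at the fixed version
    Install("wks-042", "Office", (14, 0, 6100)),
    Install("wks-017", "Flash Player", (11, 5, 0)),  # already at the fixed version
    Install("wks-017", "Office", (14, 0, 6100)),
]
# Business value of each host, 1 (low) .. 3 (high); an assumption.
ASSET_VALUE = {"srv-db-01": 3, "wks-042": 1, "wks-017": 1}
TODAY = date(2013, 1, 7)  # fixed "today" so the run is reproducible


def assess(inventory, advisories):
    """Assess: every (install, advisory) pair whose installed version predates
    the fix. Versions are int tuples, so tuple comparison orders them correctly
    (a plain string compare would put 11.4.402 after 11.5.0)."""
    return [(inst, adv) for inst in inventory for adv in advisories
            if inst.product == adv.product and inst.version < adv.fixed_in]


def risk_score(adv, asset_value):
    """Assumed formula: CVSS, doubled if exploited in the wild, times asset value."""
    return adv.cvss * (2 if adv.exploited else 1) * asset_value


def prioritize(findings, asset_value, today, high_risk=7.0, sla_high=2, sla_other=30):
    """Prioritize: rank findings by risk and attach the remediation deadline.
    High-risk advisories get the 2-day SLA; everything else the 30-day default."""
    rows = []
    for inst, adv in findings:
        sla = sla_high if adv.cvss >= high_risk else sla_other
        due = adv.published + timedelta(days=sla)
        rows.append({
            "host": inst.host, "advisory": adv.adv_id, "product": adv.product,
            "score": risk_score(adv, asset_value[inst.host]),
            "due": due, "overdue": today > due,
        })
    # Highest risk first; earlier deadline, then host name, break ties deterministically.
    rows.sort(key=lambda r: (-r["score"], r["due"], r["host"]))
    return rows


def remediation_plan(rows):
    """Remediate: per host, the advisories to patch (or mitigate) in priority order."""
    plan = {}
    for r in rows:
        plan.setdefault(r["host"], []).append(r["advisory"])
    return plan


if __name__ == "__main__":
    ranked = prioritize(assess(INVENTORY, ADVISORIES), ASSET_VALUE, TODAY)
    for r in ranked:
        flag = "OVERDUE" if r["overdue"] else "due " + r["due"].isoformat()
        print(f'{r["score"]:5.1f}  {r["host"]:10} {r["advisory"]}  {r["product"]:12} {flag}')
    print(remediation_plan(ranked))
```

Run as-is, the database server's unpatched Java lands at the top of the list and is already past its 2-day deadline, the workstation's Flash Player is second and also overdue, and the two Office installs fall to the bottom with weeks left. The point of the exercise is the matching in `assess`: knowing that an advisory exists (step one) is useless until it is joined against what is actually installed where (step two), and the join is what tells you which hosts to touch first.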



Summary and Key Takeaways

Note that the rapid growth in user-managed endpoints that many organizations are currently experiencing only intensifies the visibility problem for vulnerability management, compared with traditional enterprise-managed endpoints: a device that is not in the inventory cannot be assessed, let alone patched. One critical difference is that the mature enterprise views vulnerability management as an essential function to be optimized, while the less mature enterprise typically views it as an unattractive burden to be done as time allows.

In addition to the four things to know about patching, you should take away these four key insights:

  • It's not enough to know what the vulnerabilities are – you need to patch them.
  • It's not enough to have patches – you need to know which of your systems are vulnerable.
  • It may not be practical to apply patches to all of your systems at once – you need to prioritize which are the most important.
  • It's not effective to keep up with this lifecycle manually – you need to be able to execute these tasks in an automated, repeatable way.

Secunia CSI 7.0 is in line with these best practices – it is designed to give you the what, where, when and how.


Further reading:
The press release announcing the launch of the Secunia CSI 7.0 :
Secunia launches the next generation of complete patch management – the Secunia CSI 7.0

CTO Morten R. Stengaard's blog explaining the how the Secunia CSI 7.0 came to be:
Complete – flexible – unique – The Corporate Software Inspector-7.0 is here

More information about the Secunia CSI 7.0 and feature descriptions: