When you cannot distinguish apples from oranges. Or reimagining patch management.

At the time of writing, the post referred to below had been removed by its original publisher. The intention of this post is not to compare products, but to clarify the challenges that Flexera’s products for managing software vulnerabilities help solve.

A recent social media post by a vendor of patch management products exposed a critical issue that many organizations have not yet addressed in their risk mitigation: identifying and prioritizing the security patches that actually matter within regular patch cycles.

The post in question made a direct comparison between Flexera’s free consumer product, Personal Software Inspector, and a B2B patching product. It claimed that, after uninstalling Personal Software Inspector and running the other vendor’s product, the latter identified security patches that Personal Software Inspector had missed. A screenshot of the vendor’s product was offered as proof of the allegation.

The allegation is false, but it illustrates a problem that we help our customers solve: accurately identifying, and focusing their effort on, the right patches, meaning those that close real, exploitable vulnerabilities.

In security terms, the results in that screenshot are false positives: they flag security risk that is non-existent or immaterial.

Five of the patches listed are not real threats; I will return to one of them later in this post as an example. Another entry is a product that has reached end of life and is therefore considered insecure; Flexera products flag it as such.

Traditionally, the operations teams in charge of patching work from patch repositories, or exclusively from information provided by software vendors, and deal with results like those above. This approach has several problems:

  • There are simply too many patches, and organizations cannot apply every patch to every system
  • It provides no clear way to prioritize patches by security risk
  • It is inefficient and misleads teams into spending time and effort on immaterial issues
  • It leaves far too many vulnerabilities unpatched for too long, giving attackers ample time to exploit them
  • It increases the burden on security teams by cluttering vulnerability scanning results with alerts about unpatched vulnerabilities that do not matter

Let’s call this “traditional” approach the orange.

Now I invite you to reimagine patch management. For that, I will introduce Flexera’s approach, which I will call the apple.

The foundation

Our team of vulnerability experts, Secunia Research, tracks over 55,000 applications and systems for vulnerabilities. They monitor alerts about possible vulnerabilities in tracked applications from thousands of sources, including expert forums, researcher groups and vendor alerts. They sift through this information, then analyze, test and validate it, and publish advisories describing the vulnerability, how it can be exploited, the possible consequences of exploitation, and more. This body of verified information is also used to create file signatures for patch assessment and patch packages for remediation. We call it Intelligence by Secunia Research; it is the foundation of our products for managing software vulnerabilities and is what puts our solution ahead of other offerings in the market.

Let’s go back to one example on the screenshot:

At first glance, you would assume that a security patch is missing.

This product (Notepad++ 6) is one of the 55,000 products Secunia Research tracks. Our experts verified the vendor alert and concluded that the reported issue had no valid exploitation scenario. The process is documented: the analysis and conclusion are recorded in rejection notice SA7288, and customers of Software Vulnerability Manager Research have access to rejection notices.

The analysis was done upfront by our experts, so our customers see only what matters and can act on it faster and with precision.

Flexera customers don’t need to sift through hundreds of harmless issues trying to identify what to fix while attackers have ample time to target the applications that are genuinely, critically vulnerable.

Here is how:

The technology

We take this Intelligence and feed it into a lightweight engine that scans endpoints, accurately determines whether any of over 20,000 applications is present, and establishes the security patch status of each one found. Remember, it flags only unpatched applications with a VERIFIED vulnerability. The result is a complete overview of what to patch, where, and how to prioritize it.

We add patch content for the most common applications and integrations with the most widely used deployment tools. The result is an end-to-end solution that equips operations to stay on top of security patches and make the right choices to close critical software vulnerabilities.
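As an added illustration (this is not Flexera’s code and not Secunia Research data), here is a small Python model of the assessment described above: an endpoint inventory is matched against an advisory feed, advisories that research rejected produce no finding, end-of-life products are flagged even though no fix exists, and the remaining findings are ordered by criticality. All product names, versions, advisory identifiers and the criticality scale are constructed placeholders and do not describe any real software.

```python
"""Toy model of intelligence-driven patch assessment.

Added illustration, not Flexera or Secunia Research code. Every product name,
version, advisory identifier and the criticality scale below is constructed
for this example and does not describe any real software.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '6.9.2' into (6, 9, 2) so versions compare numerically.

    A plain string comparison would rank '10.0' below '9.0'; non-numeric
    components are treated as 0 to keep the comparison total.
    """
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


@dataclass(frozen=True)
class Advisory:
    """One published research result for a product (constructed schema)."""
    sa_id: str
    product: str
    status: str               # "verified", "rejected" (no valid exploitation scenario) or "eol"
    fixed_in: Optional[str]   # first patched version; None for rejected and eol entries
    criticality: int          # placeholder scale: 1 (lowest) .. 5 (highest)


@dataclass(frozen=True)
class Finding:
    """An actionable result: this host runs this product in an exposed state."""
    host: str
    product: str
    installed: str
    sa_id: str
    criticality: int
    reason: str


# Constructed advisory feed standing in for verified intelligence.
ADVISORIES: List[Advisory] = [
    Advisory("SA-EX-001", "ExampleBrowser", "verified", "114.0.2", 4),
    Advisory("SA-EX-002", "ExampleViewer", "verified", "2.8.1", 3),
    Advisory("SA-EX-003", "ExampleEditor", "rejected", None, 1),
    Advisory("SA-EX-004", "ExampleRuntime", "eol", None, 5),
]

# Constructed endpoint inventory as a scanner would report it: (host, product, installed version).
INVENTORY: List[Tuple[str, str, str]] = [
    ("ws-01", "ExampleBrowser", "113.0.5"),
    ("ws-01", "ExampleEditor", "7.2"),
    ("ws-02", "ExampleBrowser", "114.0.2"),
    ("ws-02", "ExampleViewer", "2.7.0"),
    ("ws-03", "ExampleRuntime", "1.8.0"),
    ("ws-03", "ExampleViewer", "2.8.1"),
]


def index_by_product(advisories: List[Advisory]) -> Dict[str, List[Advisory]]:
    """Group advisories by product so each inventory row is matched in O(1)."""
    index: Dict[str, List[Advisory]] = {}
    for adv in advisories:
        index.setdefault(adv.product, []).append(adv)
    return index


def assess(inventory: List[Tuple[str, str, str]], advisories: List[Advisory]) -> List[Finding]:
    """Return only findings backed by a verified advisory or an EOL notice,
    highest criticality first. Rejected advisories never produce a finding."""
    by_product = index_by_product(advisories)
    findings: List[Finding] = []
    for host, product, installed in inventory:
        for adv in by_product.get(product, []):
            if adv.status == "rejected":
                continue  # analysed upfront: not exploitable, so nothing to patch
            if adv.status == "eol":
                findings.append(Finding(host, product, installed, adv.sa_id, adv.criticality,
                                        "end of life: no security fixes will be published"))
            elif adv.fixed_in is not None and parse_version(installed) < parse_version(adv.fixed_in):
                findings.append(Finding(host, product, installed, adv.sa_id, adv.criticality,
                                        f"unpatched: fixed in {adv.fixed_in}"))
    findings.sort(key=lambda f: (-f.criticality, f.host, f.product))
    return findings


def rejected_matches(inventory: List[Tuple[str, str, str]], advisories: List[Advisory]) -> List[Tuple[str, str]]:
    """(host, product) pairs an alert-driven scan would flag although research rejected the alert.

    This is the false-positive noise the verified feed removes from the operations queue.
    """
    by_product = index_by_product(advisories)
    return [(host, product) for host, product, _ in inventory
            if any(adv.status == "rejected" for adv in by_product.get(product, []))]


if __name__ == "__main__":
    for f in assess(INVENTORY, ADVISORIES):
        print(f"{f.criticality} {f.host:6} {f.product:15} {f.installed:8} {f.sa_id} {f.reason}")
    print("suppressed (rejected advisories):", rejected_matches(INVENTORY, ADVISORIES))
```

Run with `python3 assess.py`: the three exposed host/product pairs come out with the end-of-life runtime first, the fully patched browser on ws-02 and the viewer on ws-03 are silent because their installed versions are not below the fix, and the editor on ws-01 never appears because its only advisory was rejected. Note that the version comparison is the part most often done wrong in home-grown scripts; comparing version strings lexically is one classic source of both false positives and missed patches.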

This brings two things to your work: efficiency, by focusing your effort on the issues that matter, and effectiveness, by targeting the most significant risk.

Our customers report that they patch more frequently and faster.

Conclusion

Patch management is a complex discipline that has a critical impact on the risk profile of organizations. The way organizations approach it is not changing at the same pace as the challenges are. Our vision is that organizations need to reimagine their patch management practices and implement changes that effectively reduce the risk window and the attack surface available to attackers, before the exploitation of unpatched vulnerabilities leads to costly breaches.

Once you distinguish between the traditional patch management approach (the oranges) and the Flexera approach (the apples), you can see that they are not comparable. It is a matter of awareness and maturity.

Contact us if you want to learn more about how we can help you reimagine your patch management practices to reduce patch overhead and protect your organization from security breaches.
