Security operations · DAVE JOHNSON · OCT 10, 2023 · TAGS: vulnerability prioritization
1,497,600 minutes…how do you measure the impact of Patch Tuesday?
As the cybersecurity and IT worlds mark 20 years of Patch Tuesdays, I can’t help but reminisce on my first patch cycle, all bright-eyed and innocent and full of wonder and mystery. I had so many questions, like, “Why isn’t this installing?” And “Which one of these am I supposed to do first?” And, of course, “Do I have to come in this weekend?”
Not much has changed, has it? You apply the patches and analyze the results. You might have some automatic patching mechanisms in place that allow you to patch remotely now, maybe make some educated decisions as to which patches to apply first, and, if you’re like me, you have a complex patch testing and burn-in protocol in place modeled after the process the CDC uses for medical trials.
Twenty years of vulnerabilities, 20 years of patching systems at scale. That’s a lot of midnights and cups of coffee. Ultimately the weekend would give way to Monday. Something would inevitably break, either due to a patch or the downtime. You’d fix that issue, and then follow up with the final steps of the patch cycle toward the end of the week. Then you’d do it again next month.
Sadly, some of us are still living this vulnerability Groundhog Day. Where does it end? Heck, where do we even start?
The truth is, Patch Tuesday will live on, and so will the list of vulnerabilities we need to handle. No matter how hard we try, patching and remediating will always be part of our lives. But it can certainly be more manageable, and we can achieve that through prioritization.
We can’t patch every vulnerability; should we even try? In an ideal world with limitless time and resources, absolutely. But that isn’t the case, and coordinating all that work is unrealistic. Instead, security and IT teams should focus their attention on the vulnerabilities that are most likely to have an immediate impact on their environment. This work will help those teams eliminate the gaps that pose the most risk to the business, and prioritize the patches they need to apply right now. Once they know what that priority should be, they can create a better strategy for rolling those patches out, testing them, and making adjustments as needed.
We certainly recognize that not every org will have the time or resources to understand the priority of every vulnerability. So earlier this year, we introduced Expel® Vulnerability Prioritization, which assesses vulnerability exploitability, evidence of real-world attacks, and intent from social platforms, and correlates that data with context from your business and asset prioritization. Vulnerabilities that require additional research escalate to a team of Expel analysts who perform further investigation to determine which ones require immediate action.
Our hope is that no matter how you prioritize the vulnerabilities you patch first, you do so in a way that will better protect your organization, and eliminate critical risks in the cybersecurity kill chain.
And hey, as an added bonus, maybe you’ll no longer dread Patch Tuesdays and possibly get your nights and weekends back.
If you’d like to learn more about Expel Vulnerability Prioritization or discuss how you can improve your patching efforts, drop us a line.