Effective strategies for a risk-based patch management process

Amidst staffing shortages and limited budgets, organisations and government agencies are struggling to strike a balance between enhancing productivity and ensuring proper cyber hygiene, making it difficult to effectively defend against cyberthreats.

Meanwhile, attacks are increasingly overwhelming in boldness, sophistication, and volume. The Cyber Security Agency of Singapore revealed that a 54% spike in ransomware cases was reported in the city-state in 2021, amounting to 137 cases compared to the 89 cases detected in 2020. The discovery of Singapore-hosted phishing URLs experienced a 17% rise in 2021, with an approximate total of 55,000 URLs contrasting with the 47,000 URLs found in 2020.

Even well-staffed, well-funded IT and security teams are effectively grasping at straws — unless they have a risk-based patch management (RBPM) solution in place.

RBPM means narrowing down active threat mitigation efforts and patching to the highest priority threats. These priorities are determined based on both external threat context and the internal security environment of an organisation.

Patching is not nearly as simple as it sounds, and security teams often do not get around to it amidst other pressing demands. In a recent survey by Ivanti, 71% of IT and security professionals reported that they found patching to be both time-consuming and complicated. An RBPM programme — especially one enhanced by certain best practices — can reduce risk without increasing workload.

Here are five of those best practices:

Start with asset discovery

You cannot protect what you cannot see. A team can be working around the clock to create patches for specific threats and specific assets, and still miss the boat if they are not aware of what they actually need to be patching. That is wasted effort — and a huge point of vulnerability. That is why any RBPM programme must start with asset discovery.

What assets are on your network? Which end-user profiles use those assets? In the pre-pandemic era, asset management was more straightforward: What and who are behind our perimeter, in our office? In the modern workplace, assets and end users are dispersed. That calls for a modern approach to asset management — one that can discover, map, secure, and service any asset, anywhere — even when it is offline.

Once you know what you need to protect, you can start protecting it.

Get everyone on the same page

Despite best intentions, IT operations and security teams are often working in conflict — simply by the nature of their roles and areas of focus. RBPM creates a bridge between these organisations, demanding that external threats and internal security environments are considered in tandem.

In order for these organisations to work together, they must all have the same information, as well as mutually acknowledged risk analysis. When everyone is on the same page, security can stop treating everything as an urgent risk and can prioritise the most critical vulnerabilities. IT operations can stop feeling like they are drinking from a fire hose and make time for the right patches at the right time.

Leverage an SLA for patch management

You already know that security and IT operations need to work together to create and execute an effective RBPM solution. Of course, it is one thing to know they need to work together — and quite another to ensure they are enabled, empowered, and motivated to do so.

A service-level agreement (SLA) for patch management between the security and IT operations teams can eliminate back and forth, and standardise processes for patch management. It should lay out department-level goals and enterprise-wide goals for patch management, establish best practices and processes, and identify maintenance windows that are acceptable for all parties.
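The prioritisation logic that RBPM describes (external threat context combined with the internal environment) and the SLA deadlines agreed between security and IT operations can be expressed in a few dozen lines. The following is an added illustration written for this article, not Ivanti's product code or any vendor's scoring formula; the assets, findings, CVE-style identifiers, weights and SLA days are all constructed placeholders, and a real programme would take them from its own inventory, threat feeds and agreement.

```python
"""Risk-based patch prioritisation with SLA deadlines (added example, not the article's or Ivanti's code).

External context: advisory severity (CVSS) and whether an exploit exists or is in use.
Internal context: how critical the affected asset is and whether it is internet-facing.
The two are combined into one score, a tier is assigned, and the SLA table gives a due date.
All data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int        # 1 (low) .. 5 (mission-critical), from the asset inventory
    internet_facing: bool   # exposure, from discovery


@dataclass(frozen=True)
class Finding:
    cve: str                # placeholder identifier, not a real advisory
    asset: str
    cvss: float             # 0.0 .. 10.0 base score from the advisory
    exploited_in_wild: bool # e.g. listed in a known-exploited catalogue
    exploit_public: bool    # proof-of-concept or exploit code is public


# Hypothetical SLA: days allowed per tier, as agreed between security and IT operations.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}


def risk_score(f: Finding, a: Asset) -> float:
    """0..100: severity scaled by threat context (external) and business context (internal)."""
    threat = 2.0 if f.exploited_in_wild else (1.5 if f.exploit_public else 1.0)
    exposure = 1.5 if a.internet_facing else 1.0
    business = a.criticality / 5.0                 # 0.2 .. 1.0
    raw = f.cvss * threat * exposure * business    # maximum is 10 * 2 * 1.5 * 1 = 30
    return round(min(100.0, raw / 30.0 * 100.0), 1)


def tier(score: float) -> str:
    """Map a score to the tier names used in the SLA table (thresholds are constructed)."""
    if score >= 60:
        return "critical"
    if score >= 35:
        return "high"
    if score >= 15:
        return "medium"
    return "low"


def prioritise(findings, assets, today: date):
    """Return findings as dicts, highest risk first, each with its tier and SLA due date."""
    by_name = {a.name: a for a in assets}
    rows = []
    for f in findings:
        a = by_name[f.asset]
        s = risk_score(f, a)
        t = tier(s)
        rows.append({"cve": f.cve, "asset": f.asset, "score": s, "tier": t,
                     "due": (today + timedelta(days=SLA_DAYS[t])).isoformat()})
    rows.sort(key=lambda r: (-r["score"], r["due"]))
    return rows


# Constructed sample inventory and findings.
SAMPLE_ASSETS = [
    Asset("web-01", criticality=5, internet_facing=True),
    Asset("hr-laptop-07", criticality=2, internet_facing=False),
    Asset("db-01", criticality=5, internet_facing=False),
]
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "web-01", 9.8, exploited_in_wild=True, exploit_public=True),
    Finding("CVE-0000-0002", "hr-laptop-07", 9.8, exploited_in_wild=False, exploit_public=False),
    Finding("CVE-0000-0003", "db-01", 7.5, exploited_in_wild=False, exploit_public=True),
    Finding("CVE-0000-0004", "hr-laptop-07", 6.5, exploited_in_wild=True, exploit_public=True),
]


def prioritise_sample(today_iso: str = "2024-01-01"):
    """Run the sample through prioritise(); used by the demo below and by tests."""
    return prioritise(SAMPLE_FINDINGS, SAMPLE_ASSETS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for r in prioritise_sample():
        print(f'{r["score"]:5.1f}  {r["tier"]:8}  due {r["due"]}  {r["cve"]} on {r["asset"]}')
```

The point worth noticing in the output is that a CVSS 9.8 finding on a low-value, non-exposed laptop ends up in the lowest tier with a 90-day window, below a CVSS 7.5 finding on the mission-critical database and even below a less severe but actively exploited bug on that same laptop. Sorting by CVSS alone would have put the laptop first; that is the "everything is urgent" problem the SLA and shared risk analysis are meant to remove.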

Leverage pilot groups for patching

Done right, an RBPM strategy allows IT operations and security teams to work fast, identifying critical vulnerabilities in real time and working to patch them as soon as possible. Speed is of utmost importance — so long as it does not cause excess collateral damage. A hasty patch runs the risk of crashing mission-critical software or creating other unwanted problems.

The solution: Leverage pilot groups featuring key stakeholders who can test vulnerability patches in a live environment prior to full rollout. Optimally, these stakeholders would reflect the device configurations and user roles that will be impacted by a piloted patch.

Live environments provide a more accurate assessment than any lab can replicate, and we are not at the point of being able to perfectly identify potential downstream impacts of patches. If the pilot group identifies a catastrophic error, it can be remedied with minimal enterprise impact. It is important to predetermine and pre-train pilot groups so this process does not substantially inhibit patch progress.

Embrace automation

The point of RBPM is to mitigate vulnerabilities efficiently and effectively while alleviating the burden on your staff — particularly as IT faces an unprecedented worker shortage. However, it is still a heavy lift when done manually. Automation can dramatically accelerate the speed and accuracy of an RBPM programme, collecting, contextualising, and prioritising vulnerabilities around the clock far faster than even the most talented team could manage.

Automation can also segment a patch rollout to test for efficacy and downstream impacts as well, supplementing the work of the pilot groups mentioned above.
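Both the pilot-group idea and the automated, segmented rollout above come down to two decisions: which devices go first, and what result from that first wave lets the rest proceed. The following is an added example written for this article, not Ivanti's or any patch tool's code. It builds a pilot group that covers every (OS build, user role) combination found in a constructed fleet, prefers non-critical devices within each combination, gates the wider rollout on the pilot's failure rate, and orders the remaining devices so that mission-critical systems patch last. The fleet, result values and threshold are all constructed placeholders.

```python
"""Pilot-group selection and gated, segmented rollout (added example, not the article's or a vendor's code).

select_pilot():   stratified sample covering every (os_build, role) present in the fleet.
evaluate_pilot(): go / wait / halt decision from the pilot's install results.
rollout_waves():  pilot first, then non-critical devices, then mission-critical ones.
All devices and results below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    os_build: str     # configuration that could react differently to a patch
    role: str         # business role of the primary user
    critical: bool    # runs mission-critical software


def select_pilot(devices, per_stratum: int = 1):
    """Pick up to `per_stratum` devices per (os_build, role) so the pilot reflects every
    configuration and user role the patch will touch; non-critical devices are preferred."""
    strata = defaultdict(list)
    for d in devices:
        strata[(d.os_build, d.role)].append(d)
    pilot = []
    for key in sorted(strata):
        # False sorts before True, so non-critical devices come first within a stratum.
        candidates = sorted(strata[key], key=lambda d: (d.critical, d.device_id))
        pilot.extend(candidates[:per_stratum])
    return pilot


def evaluate_pilot(results, devices, max_failure_rate: float = 0.10):
    """results: {device_id: 'ok' | 'failed' | 'pending'} for the pilot devices.
    Returns (decision, failure_rate) where decision is 'proceed', 'wait' or 'halt'."""
    critical_ids = {d.device_id for d in devices if d.critical}
    done = {k: v for k, v in results.items() if v != "pending"}
    failed = [k for k, v in done.items() if v == "failed"]
    rate = round(len(failed) / len(done), 2) if done else 0.0
    # Any failure on a mission-critical pilot device, or a failure rate over the
    # agreed threshold, stops the rollout even if other results are still pending.
    if any(k in critical_ids for k in failed) or rate > max_failure_rate:
        return ("halt", rate)
    if len(done) < len(results):
        return ("wait", rate)
    return ("proceed", rate)


def rollout_waves(devices, pilot):
    """Segment the fleet: pilot, then remaining non-critical, then remaining critical."""
    pilot_ids = [d.device_id for d in pilot]
    rest = [d for d in devices if d.device_id not in set(pilot_ids)]
    wave_noncritical = [d.device_id for d in rest if not d.critical]
    wave_critical = [d.device_id for d in rest if d.critical]
    return [pilot_ids, wave_noncritical, wave_critical]


# Constructed fleet: two OS builds, two roles, a few mission-critical machines.
FLEET = [
    Device("d01", "22H2", "finance", critical=False),
    Device("d02", "22H2", "finance", critical=False),
    Device("d03", "22H2", "finance", critical=True),
    Device("d04", "22H2", "engineering", critical=False),
    Device("d05", "23H2", "engineering", critical=False),
    Device("d06", "23H2", "engineering", critical=True),
    Device("d07", "23H2", "finance", critical=True),
]


def pilot_ids(per_stratum: int = 1):
    return [d.device_id for d in select_pilot(FLEET, per_stratum)]


if __name__ == "__main__":
    pilot = select_pilot(FLEET)
    print("pilot:", [d.device_id for d in pilot])
    print("waves:", rollout_waves(FLEET, pilot))
    # Constructed pilot outcomes: one install failure out of four.
    print(evaluate_pilot({"d04": "ok", "d01": "ok", "d05": "failed", "d07": "ok"}, FLEET))
```

With one stratum member each, four devices cover all four build/role combinations in this fleet, and the only critical device in the pilot (d07) is there because it is the sole 23H2 finance machine. A single failure among four pilot installs is a 25% rate, above the constructed 10% threshold, so the decision is `halt` and the patch never reaches the remaining waves; that is the "catastrophic error remedied with minimal enterprise impact" the pilot section describes, expressed as an automated gate.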

The ability to automatically identify, prioritise, and even address vulnerabilities without excess manual intervention is a critical advantage in today’s cybersecurity landscape. That is why it is so concerning that according to Twitter’s former head of security, around 30% of the social media company’s laptops had automatic software updates blocked. This, along with other security failures, resulted in Twitter suffering more than 50 incidents in the past year.

As an RBPM solution is dependent on the nuances of a particular organisation or federal agency, there is no one-size-fits-all RBPM strategy. These best practices, however, can inform any RBPM programme – and make all the difference in the world.