Patching is an integral element of vulnerability management, but too few organisations recognise the link overtly
We need to talk about patching. Most organisations now have processes in place to fix the security vulnerabilities that are periodically identified in their operating systems and in the third-party software they use. But the majority see patching as a reactive, standalone activity – a task to be completed by an IT operations team that has many competing demands on its time.
The more sophisticated approach is to think about patching as one of the critical activities in the vulnerability management funnel. That is, patching is one element of the organisation’s vulnerability management strategy; far from being a standalone activity, it links closely with other parts of that strategy.
Risk Management Takes The Lead
One practical and positive impact of thinking about patch management in this way is that responsibilities start to shift. Vulnerability management becomes a task that the organisation’s IT ops team undertakes with support from its cyber security experts. The organisation moves away from its traditional siloed approach, with far greater collaboration between IT staff implementing the patches and colleagues who actually specialise in securing the organisation.
This really matters. Right now, too many organisations are struggling to integrate this work effectively. Their vulnerability management teams scan the IT infrastructure, identify vulnerabilities that need patching, and ask IT ops teams to deploy the relevant fixes. Sometimes that happens quickly; sometimes, it takes too long or doesn’t happen at all. IT ops teams are generally over-stretched. By rethinking this model, organisations can make substantial improvements to their security. Once patch management is an integrated element of vulnerability management, the cyber security team can ensure that one feeds the other. They can help IT ops to automate as much of the patching process as possible, with scans then used to identify any vulnerabilities that remain.
In this world, an organisation asked why they’re doing patch management work will argue that it’s an essential part of their risk management processes – rather than something that they’ve just always done (or something that they do following an angry phone call from the vulnerability management team).
Better Patching Saves The Day
For those who think this is a purely conceptual argument, it’s worth remembering that more than 50% of cyber security breaches are caused by a bad actor who exploits a vulnerability. Organisations that do the best possible job of vulnerability management – including systemising their approach to patch management – are therefore at significantly less risk of a breach.
The conventional approach to patch management falls short in this regard. IT ops teams do the best they can to respond to patch updates from software providers and technology partners. But they don’t have a complete view of their IT infrastructure and all its endpoints, so some assets will inevitably go unpatched. And they don’t have the resources to chase down vulnerabilities that may run into the hundreds of thousands or even millions.
This is why we advocate building patch management into vulnerability management – and then building strong governance models to hold cyber security professionals to account. Are business users forced to accept regular patch updates? How long does it take to close each vulnerability identified? What proportion of patches does automation now cover? And with shared KPIs for IT ops and cyber security teams, the organisation will make rapid progress.
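As an added illustration (not code from the original post, and not a Tanium or endpointX tool), the script below computes the KPIs asked about above from constructed scan and patch records: days to close per finding, mean time to remediate, the share of closures done by automation, and the residual findings a follow-up scan should still report, with an SLA check on those residuals. The record layout, asset names, vulnerability labels, dates and the 14-day SLA are all assumptions.

```python
"""Vulnerability-management KPIs from scan and patch records (constructed sample data)."""
from datetime import date
from statistics import mean

# Constructed sample data: what the scanner first reported and when, and what
# IT ops closed, tagged with whether the deployment was automated or manual.
FINDINGS = [
    {"asset": "web-01", "vuln": "VULN-A", "first_seen": date(2024, 3, 1)},
    {"asset": "web-02", "vuln": "VULN-A", "first_seen": date(2024, 3, 1)},
    {"asset": "db-01", "vuln": "VULN-B", "first_seen": date(2024, 3, 4)},
    {"asset": "file-01", "vuln": "VULN-C", "first_seen": date(2024, 3, 2)},
]
PATCHES = [
    {"asset": "web-01", "vuln": "VULN-A", "closed": date(2024, 3, 4), "method": "automated"},
    {"asset": "web-02", "vuln": "VULN-A", "closed": date(2024, 3, 6), "method": "automated"},
    {"asset": "db-01", "vuln": "VULN-B", "closed": date(2024, 3, 18), "method": "manual"},
    # file-01 / VULN-C has no closure record: the next scan should still flag it.
]
REPORT_DATE = date(2024, 3, 20)  # assumed reporting date for the SLA check

def kpis(findings, patches, as_of=REPORT_DATE, sla_days=14):
    """Join findings to closures: days to close per (asset, vuln), mean time to
    remediate, share of closures done by automation, residual open findings,
    and which residuals have breached the SLA as of `as_of`."""
    closures = {(p["asset"], p["vuln"]): p for p in patches}
    days_to_close, residual, overdue = {}, [], []
    for f in findings:
        key = (f["asset"], f["vuln"])
        if key in closures:
            days_to_close[key] = (closures[key]["closed"] - f["first_seen"]).days
        else:
            residual.append(key)  # unpatched: what a follow-up scan still reports
            if (as_of - f["first_seen"]).days > sla_days:
                overdue.append(key)
    automated = sum(1 for p in patches if p["method"] == "automated")
    return {
        "days_to_close": days_to_close,
        "mttr_days": mean(days_to_close.values()) if days_to_close else None,
        "automation_share": automated / len(patches) if patches else 0.0,
        "residual": residual,
        "overdue": overdue,
    }

if __name__ == "__main__":
    for name, value in kpis(FINDINGS, PATCHES).items():
        print(f"{name}: {value}")
```

In practice the two record sets come from the scanner export and the patch tooling's deployment log; the join key is whatever uniquely identifies an asset and a finding in those systems.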
Working with Tanium, whose discovery capabilities make it possible to identify assets and endpoints across the whole of the organisation’s IT infrastructure, endpointX can advise organisations on how to make the leap to this approach – and to monitor the increase in effectiveness that will follow. Patch management should no longer be an island in your organisation; it’s time to make it an integrated part of vulnerability management.