Security and patching: 5 resolutions for 2019

Patching is not as simple as "just applying patches" - here are five tips to fix patching and vulnerability management

This is a contributed article by Darron Gibbard, Chief Technical Security Officer, Qualys


Every year, there are more security issues to deal with, and there are more software vulnerabilities that can lead to exploitation. Patching vulnerabilities is an effective way to prevent risks, but it's not as simple as it seems. 

The first major hurdle is scale. The number of IT assets that companies have in place continues to go up, with more endpoint devices, servers and applications in place that all need to be kept up to date. At the same time, the number of known vulnerabilities continues to rise, and the time available to deploy the patches that are released is coming down. The gap between a vulnerability being announced and an exploit becoming available is dropping. This shrinking window makes it difficult to keep systems up to date when there are hundreds, thousands or even millions of assets to consider.

The second issue is error proofing. Patches may break other applications, or introduce other flaws that lead to more security issues in the future. In some cases, they may not work, or may break the machines they are applied to. Whatever the outcome, a poorly applied patch may cause more harm than the vulnerability it was meant to fix. Testing to check that these failure conditions don't take place is therefore necessary to avoid problems coming up.

The third issue is prioritization. With so many assets to look after and so many applications to test, it can be hard for teams to know where to put their efforts. Indeed, looking at where to concentrate resources to fix major issues and where other issues can wait or be ignored is a big challenge when there is constant competition for attention.


How to fix patching and vulnerability management

There are ways to solve these problems through smarter application of security best practices and through better understanding of human behaviour. So, what security resolutions should you make for 2019?

1. Know your estate

It's difficult to get to where you want to arrive if you don't know where you are right now. If you don't have a full, up-to-date and accurate list of IT assets in place, then it can be very hard to know what issues are affecting you right now and what issues might come up in the future. Building this list manually can be difficult for any company that has more than a handful of staff, so IT asset management tools can help provide this asset list and keep it up to date.

This can also be expanded beyond the internal network to look at other locations where IT and software assets are located. Applications built on public or hybrid cloud services are equally likely to have flaws, and they need to be kept up to date as well. Unifying your overview of assets into one place can help you see where potential vulnerabilities might exist.


2. Identify your biggest issues and prioritise

There are so many stories on the next big threat that will face us all that it can be hard to concentrate on what matters. With so many problems all competing for our attention, it's worth looking at how to prioritise based on what the real risks are and how they might apply to your specific organisation.

Some vulnerabilities will apply to every organisation as they are present in common applications or operating systems - examples here might be issues in Microsoft Windows, Office applications or common web browsers. There will also be other issues that will only apply to specific applications that are either very specialist or not as popular. These latter issues may be critical to those running the specific applications, but they will not be relevant to others.

Equally, these niche applications can't be ignored or discounted, as they may act as gateways for potentially wider network intrusion, as we saw with the NotPetya attacks in 2017. It is important to work out which issues really matter, which ones can wait, and which patches have to be applied in a specific order.

Prioritising these patches is the most effective way to make the security process more manageable for businesses of all sizes. By getting good advice on which patches to concentrate on and when, you can solve one of the biggest issues that make patching difficult.
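The prioritisation described in this section can be made concrete with a small scoring model. The following is an added example, not code from the article or from Qualys: it scores each (asset, vulnerability) pair from severity, whether an exploit is available, whether the asset is internet-facing and whether it is business-critical, then produces a patch order that honours prerequisite patches (a low-severity patch that must go on before a critical one inherits the critical one's urgency, so it is not pushed to the back of the queue). The asset names, vulnerability IDs, weights and the prerequisite relationship are all constructed for illustration and are not a published formula.

```python
"""Risk-based patch prioritisation over a small asset inventory.

Added example (not from the article or from Qualys). All names, weights and
data below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool      # reachable from outside the network
    business_critical: bool    # revenue-responsible or otherwise critical
    software: frozenset        # products installed on the asset


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    product: str                     # product the flaw lives in
    cvss: float                      # base severity 0.0 - 10.0
    exploit_available: bool          # a public exploit is known
    requires: Tuple[str, ...] = ()   # vulns whose patches must be applied first


# Weights are assumptions for the example, not a published formula.
EXPLOIT_BONUS = 2.0
INTERNET_FACTOR = 1.5
CRITICAL_FACTOR = 1.25


def priority_score(asset: Asset, vuln: Vuln) -> float:
    """Severity adjusted for exploitability and the asset's own context."""
    score = vuln.cvss
    if vuln.exploit_available:
        score += EXPLOIT_BONUS
    if asset.internet_facing:
        score *= INTERNET_FACTOR
    if asset.business_critical:
        score *= CRITICAL_FACTOR
    return score


def plan_patches(assets: List[Asset], vulns: List[Vuln]) -> List[Tuple[str, str, float]]:
    """Return (asset name, vuln id, score) in the order patches should be applied.

    A priority-driven topological sort per asset: a patch is eligible once its
    prerequisites on the same asset are scheduled, and a prerequisite is ranked
    by the highest score among the patches waiting on it.
    """
    by_id = {v.vuln_id: v for v in vulns}
    own: Dict[Tuple[str, str], float] = {}        # (asset, vuln) -> own score
    for a in assets:
        for v in vulns:
            if v.product in a.software:
                own[(a.name, v.vuln_id)] = priority_score(a, v)

    def effective(key: Tuple[str, str]) -> float:
        # own score, or the best score of anything on this asset that depends on it
        a_name, vid = key
        best = own[key]
        for (an, dv) in own:
            if an == a_name and vid in by_id[dv].requires:
                best = max(best, effective((an, dv)))
        return best

    eff = {k: effective(k) for k in own}
    done: Set[Tuple[str, str]] = set()
    order: List[Tuple[str, str, float]] = []
    while len(done) < len(own):
        ready = [k for k in own if k not in done and all(
            (k[0], r) in done or (k[0], r) not in own for r in by_id[k[1]].requires)]
        nxt = min(ready, key=lambda k: (-eff[k], -own[k], k[0], k[1]))
        done.add(nxt)
        order.append((nxt[0], nxt[1], own[nxt]))
    return order


# Constructed sample estate: one exposed revenue system, one laptop, one niche
# internal billing host that is critical to the business.
ASSETS = [
    Asset("web-01", True, True, frozenset({"os-base", "web-framework"})),
    Asset("laptop-42", False, False, frozenset({"os-base", "browser", "office"})),
    Asset("billing-07", False, True, frozenset({"os-base", "billing-app"})),
]
VULNS = [
    Vuln("V-1", "os-base", 9.8, True, requires=("V-5",)),  # fix needs V-5's update first
    Vuln("V-2", "browser", 7.5, True),
    Vuln("V-3", "web-framework", 8.1, False),
    Vuln("V-4", "billing-app", 6.5, False),      # niche app, but on a critical host
    Vuln("V-5", "os-base", 5.3, False),          # minor on its own, prerequisite for V-1
]

if __name__ == "__main__":
    for i, (asset, vid, score) in enumerate(plan_patches(ASSETS, VULNS), 1):
        print(f"{i:2d}. {asset:<11} {vid}  score={score:.2f}")
```

Run stand-alone it prints the schedule; note that V-5 lands first on every host even though its own score is the lowest, because V-1 cannot be applied until it is in place, and that the niche billing flaw V-4 is scheduled but outranked by the exploitable OS issue on the same host.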


3. Test, test, test

Getting patches tested quickly and well is essential. Automating the patching process can help remove some of the work for the team around run-of-the-mill issues like non-critical updates in Microsoft's monthly Patch Tuesday release schedule. For patches that address specific security risks, manually testing the implementation and results can help speed up the process by putting more focus where it is needed; conversely, patches that are low priority or can be wrapped up in larger patching cycles can be left for others to test.

The act of prioritising specific patches for faster roll-out should also help you prioritise your testing schedule, where you need to take extra care, and where you can take your time.


4. Automate where you can

The scale of security issues is so big today that automation is the only way security teams can keep up. Automating the IT asset discovery process so that all IT assets are automatically registered and kept up to date is one step that can help keep the workload down.

Automating the vulnerability management and scanning process can also help. Bringing external-facing web applications and assets hosted on cloud services into the same view should help bring data together into one place, and provide tools that make it easier to manage all these updates in one way.
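Sections 1 and 4 both come down to the same mechanism: discovery runs (internal network plus cloud accounts) feed a registered inventory, new assets are registered automatically, and records that no scan has seen recently are flagged rather than silently trusted. The following is an added example, not code from the article or from Qualys, showing that reconciliation step. The inventory records, discovery output, field names and the 30-day staleness window are constructed for illustration.

```python
"""Keeping an asset inventory current from automated discovery.

Added example (not from the article or from Qualys). Records, identifiers and
the staleness window are constructed for illustration.
"""
from datetime import date, timedelta
from typing import Dict, List

TODAY = date(2019, 1, 7)   # constructed "now" for the example

# Registered inventory: asset id -> record. "last_seen" is the last scan date.
INVENTORY: Dict[str, dict] = {
    "srv-db-01":  {"source": "datacenter", "last_seen": date(2019, 1, 3), "os": "linux"},
    "srv-old-09": {"source": "datacenter", "last_seen": date(2018, 10, 1), "os": "linux"},
    "i-0abc123":  {"source": "cloud-prod", "last_seen": date(2019, 1, 2), "os": "linux"},
}

# What today's discovery runs reported (constructed).
DISCOVERED: List[dict] = [
    {"id": "srv-db-01", "source": "datacenter", "os": "linux"},
    {"id": "i-0abc123", "source": "cloud-prod", "os": "linux"},
    {"id": "i-0def456", "source": "cloud-prod", "os": "windows"},   # never registered
    {"id": "lt-4421",   "source": "datacenter", "os": "windows"},   # never registered
]


def reconcile(inventory: Dict[str, dict], discovered: List[dict],
              today: date, stale_after_days: int = 30) -> dict:
    """Merge discovery results into the inventory without mutating the input.

    Returns the ids that were newly registered, the ids whose last sighting is
    older than the staleness window, and the merged inventory itself.
    """
    merged = {aid: dict(rec) for aid, rec in inventory.items()}
    new_ids: List[str] = []
    for rec in discovered:
        aid = rec["id"]
        if aid not in merged:
            new_ids.append(aid)           # unknown asset: register it automatically
            merged[aid] = {}
        merged[aid]["source"] = rec["source"]
        merged[aid]["os"] = rec["os"]
        merged[aid]["last_seen"] = today  # every sighting refreshes the record

    cutoff = today - timedelta(days=stale_after_days)
    stale_ids = [aid for aid, rec in merged.items() if rec["last_seen"] < cutoff]
    for aid in stale_ids:
        merged[aid]["stale"] = True       # keep the record, but flag it for review
    return {"new": sorted(new_ids), "stale": sorted(stale_ids), "inventory": merged}


if __name__ == "__main__":
    result = reconcile(INVENTORY, DISCOVERED, TODAY)
    print("newly registered:", result["new"])
    print("stale, needs review:", result["stale"])
```

A stale record is flagged rather than deleted: an asset that stopped answering scans may be switched off, or it may be a host that has dropped out of the patching process, and the difference is exactly what the review should establish.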


5. Work on your change management process

As part of any IT alteration, you may have a formal review process to go through. Change management boards exist to help provide official structure around updates and ensure that corners are not cut. However, this process can slow down patches getting deployed in a timely manner.

It's therefore worth looking at how you can streamline your process around updates. Prioritising issues in critical applications that are responsible for revenue or represent a serious security risk can help changes get accepted more quickly; for lower-tier applications, or where testing has been successfully completed, getting sign-off should be a formality. However your organisation manages changes, it's worth checking that your process is still fit for purpose.


Patching is not simple

Deploying a single patch for a single system can be simple. Deploying that same update to multiple machines might be possible. Deploying multiple patches, to multiple systems, that all require testing, and that may or may not be connected to the network, is a huge task. It is time to stop thinking that patching is simple - instead, it can be a complex and shifting environment.

However, getting patch management right can make security easier over time, removing one of the prime risks that businesses face. By getting accurate data on IT asset deployments across all IT infrastructure, prioritising patches based on risk profiles, and streamlining patch roll-outs with automation, everyone can achieve security efficiency around vulnerabilities.


Darron Gibbard is Chief Technical Security Officer, Northern EMEA at Qualys. He is responsible for the company's work with customers around defining and delivering effective cloud security and regulatory compliance programmes. Before joining Qualys as CTSO, Darron spent more than 25 years working for a variety of payment services, media and telecoms organisations providing IT and information security expertise. His early career was spent working in the vendor marketplace for startups and major security vendors in both a pre- and post-sales capacity.