Vulnerability Patching: Why Does It Fall Short So Often?


Weak threat insight, SecOps competing priorities, and fear of making things worse are key reasons

By Chris Goettl, Director of Security Product Management, Ivanti

It isn’t glamorous. It won’t guarantee a company staff promotion or kudos, but patching is a critical risk prevention function in any environment. Unfortunately, it’s task organizations tend to push aside – until they’re hit with a multi-million-dollar breakdown. Ponemon recently found that 60% of security breach victims say they became breached due to an unpatched known vulnerability. So why, with so much risk in the balance, do many systems remain unpatched? Like many underperforming environments, the answer has many facets: practical, emotional, and operational:

Practical: In the remote working, a threat-rich world that security and operations teams work in, patching often takes a back seat to other threat deterrence tasks like adding in new security access protocols or recovering offboarded assets. Operations also have many competing priorities, not the least of which is strategically mapping out new policies and procedures to better manage an expanded remote workforce and working with the C-suite on desired business outcomes going forward.

Emotional: The inherent fear is that patching updates might cause workflow disruption at a time when organizations are already dealing with the wholesale transition to a more remote/hybrid work environment. Security or operations personnel do not want to be the cause of a miscue – thus, in some instances fear paralysis takes over.

Operational: Knowing which vulnerabilities pose the most threat so patching can be correctly prioritized is a major factor in patching being successful. Many organizations struggle to manage the variety of applications in their environments, the inconsistent frequency of release from most vendors, and the sheer volume of change that can cause operational impacts to users.

Patch Smarter and Faster

Remote working has exacerbated concerns about patching as security and operations teams are facing the fact that remote desktops can be rife with vulnerabilities and reside outside secure network perimeters. SecOps visibility into remote workers’ devices previously was not as much a priority. The new world environment of more devices being used remotely, devices that may not meet on-prem security standards, has opened the door to an increased attack surface, one with considerable gaps in effective patching.

How do organizations move past these barriers to make patching a smoothly running part of SecOps and not another sticky subject during team meetings? Patching technologies have existed for years, yet companies still struggle with vulnerability remediation. It is not so much a technology challenge that companies face, but a challenge of process, politics, and operational impact. There are practices and systems that can be put into place to minimize SecOps concerns about workflow impact and most importantly, fine tune patching to target high-risk threats. Patching processes can also be improved so patching is no longer a time-consuming operational headache. Achieving this will go a long way to breaking down barriers. Strategy improvements include:

Patch Reliability. No administrator responsible for patching can ever completely test the effect of updates on their environment. Typically, teams try to validate impact through test systems and user pilot groups – delaying updates to the point of escalating a threat. Advancements in patch performance intelligence can cut through these delays and accelerate patching based on crowdsourced telemetry of patch performance along with social sentiment gathered from popular social media outlets. This richer repository of data enables SecOps to make quicker decisions on where to focus testing efforts to maximize efficiency and avoid operational impacts.

Risk-Based Prioritization. Many organizations prioritize remediation efforts based on vendor severity. This approach leaves many open to high-risk vulnerabilities that are actively being exploited – vulnerabilities the vendor may have only flagged as important. Expanding the knowledge base here is critical. Obtaining additional metrics of ‘known exploited’ vulnerabilities will give SecOps more data with which to prioritize patching based on real world risks to the organization.

Automated Vulnerability Remediation. Transferring greater knowledge and prioritization into action – and mindful of SecOps time management – means employing a higher degree of automation. The only way to effectively patch and secure remote devices working in the cloud with any degree of efficiency is to bring more automation into the process. Automation can take metrics gained through machine learning and proactively detect, diagnose, and auto-remediate configuration drift, performance, and security vulnerabilities before they reach the threat stage.

Patch Compliance. Service level agreements (SLAs) are important from an operational perspective, but in the world of vulnerability remediation they are absolutely critical. Organizations struggle to stay ahead of threat actors and need to track exposure of vulnerabilities more accurately to ensure they are reducing their window of risk. Getting a more accurate patch-level perspective which maps to the CVEs (common vulnerabilities and exposures) on how long the organization has been exposed, and what assets are outside of SLAs, is critical to reduce overall risk.

Cross-Functional Conversations. SecOps is a useful phrase but in reality, the teams do start with different mindsets when addressing data and risk issues. The common ground from which they can work together to minimize threats is better, objective information on risk of vulnerabilities. That is why machine learning collection of threat patterns – data that can be shared – is an important part of improved patching. Better data will lead to more informed decisions on patch prioritization, giving both teams more confidence that the highest-risk threats are being acted upon first.

Erasing the Barriers

Getting rid of the practical, emotional, and operational barriers to improved patching can be done. Employing automated vulnerability remediation eliminates the constant struggle of teams’ competing time and priorities. Through machine learning intelligence gathering of known exploits and crowdsourced telemetry, SecOps will no longer fear the results of patching. They are proceeding with greater reliability due to more extensive knowledge. This improved patch reliability data delivers actionable intelligence automatically, so teams can act on threats faster and reduce time to patch, lowering operational impact.

About the Author

Chris Goettl AuthorChris Goettl is the Director of Product Management for security products at Ivanti. Chris has over 15 years of experience working in IT, where he supports and implements security solutions for Ivanti customers and guides the security strategy and vision for Ivanti.

Share this post

Share on facebook
Share on linkedin
Share on print
Share on email

Subscribe to our Monthly Cyber Security Digest

Get monthly content to keep you up to date on the latest news and tips