Confusing Patch Management with Vulnerability Management Could Have Dire Results. Just ask Equifax!

On December 10, 2018, the U.S. House Oversight and Government Reform Committee released its report on the massive Equifax data breach that was disclosed in September 2017. According to the report:

Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented. Equifax failed to implement clear lines of authority within their internal IT management structure, leading to an execution gap between IT policy development and operation.

The Equifax data breach was one of the biggest known data thefts to date. It is important to understand that the “cybersecurity risks” the report is referring to are related to a known “critical vulnerability” in the Apache Struts software, which was disclosed on March 7, 2017. According to the report, “Equifax used Apache Struts to run certain applications on legacy operating systems.” Despite being alerted by the Department of Homeland Security on March 8, “Equifax, however, did not fully patch its systems…leaving its systems and data exposed. On May 13, 2017, attackers began a cyberattack on Equifax. The attack lasted for 76 days…”

The House’s report findings stress the emerging need for organizations to strengthen their ability to identify, analyze, and evaluate cyber risks before they evolve into full-fledged security incidents. Two terms I have often heard when it comes to cyber risk mitigation are “patch management” and “vulnerability management,” which are used as if they are interchangeable. This is absolutely not the case. It is essential for everyone managing or working in a security team to understand the difference, or else you could also face a security failure like the one that led to the Equifax breach. The purpose of this post is exactly this: to explain what each is and to offer suggestions for implementing each.

Why Patch Management is Important

Patch management is a strategy for managing upgrades and updates to software applications and technologies. It includes the acquisition, testing, and installation of multiple patches to an administered computer system in order to fix known vulnerabilities. Patch management significantly shapes the security of your business, network, and data. As soon as a piece of software is released, hackers begin their attempts to find their way into that software through holes and vulnerabilities. There are times in which they are successful, or white hat hackers find and report vulnerabilities, leading to the need for patches.

The problem is that many people see patching as a one-and-done process. In good cases, you’ll have a software patch that’ll render an IT asset no longer vulnerable to a particular security gap. But patches break things more often than not. This creates a trade-off in people’s minds of whether to stay vulnerable or to patch the vulnerability. In many cases, people exercise caution or reluctance to perform software patches.

Such caution is a good thing, but it shouldn’t prevent organizations from deploying patches outright. Realistically, every effective patch management process enables organizations to roll and unroll patches through user regression testing. Under this model, IT rolls out a patch and then conducts a series of tests to verify whether everything is working. IT can then use those tests to either accept the patch, assuming the fix doesn’t break anything, or unroll it and decide on another course of action.

Vulnerability Management as a Holistic Function

The decision to either roll out, unroll, or disregard a specific patch falls within the larger context of vulnerability management. Defined as “a security practice specifically designed to proactively mitigate or prevent the exploitation of IT vulnerabilities,” vulnerability management is not a stand-alone scan-and-patch function. It’s a holistic function that takes a proactive view of managing the daunting task of addressing identified vulnerabilities in deployed hardware devices and software. Simply put, vulnerability management is a superset of patch management, as evidenced by the following equation:

Vulnerability Management = Policy + Awareness + Prioritization + Patch Management + Testing + Tweaking + Mitigation

There are four main stages of any effective vulnerability management program:

  1. Determine which IT assets need protecting by analyzing factors such as physical or logical connection to higher classified assets, user access, and system availability.
  2. Develop an inventory of all hardware and software installed on the corporate network including both authorized and unauthorized devices and software.
  3. Apply the vulnerability scanning process to those assets recorded in the company’s inventory. This procedure generally takes the form of automated vulnerability scans. Upon completion, it might reveal weaknesses on certain discovered assets, though it’s important to remember that vulnerability scans are capable of identifying only certain kinds of flaws.
  4. Practice effective reporting and remediation by prioritizing all discovered vulnerabilities and creating a mitigation schedule based upon those rankings. If a complete fix is available, security teams can follow the patch management steps identified above. If a complete fix isn’t available, or if there are legitimate reasons why you choose not to implement a patch (such as when it would break the functionality of a service), you need to investigate workarounds or alternatives that you can use to mitigate the risk posed by the unpatched vulnerability.

Clearly, vulnerability management is more than just getting alerts whenever your infrastructure needs a patch applied. Vulnerability management is about making informed decisions and properly prioritizing what vulnerabilities to mitigate, and how. This is achieved by embedding internal hooks for telemetry into all systems of interest as well as external hooks for threat intelligence from all sources.

Thus, patch management cannot be planned and operated in isolation of vulnerability management because you need to make sure that the patch does more good than harm. In no situation is “just patch faster” the right advice! Most organizations should “patch smarter”, which means “prioritize what to patch.” Basically, it is a balancing act.
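To make the “patch smarter, prioritize what to patch” decision concrete, here is an added Python example (not code from the original post) that walks stages 2 through 4 above: it matches a constructed asset inventory against constructed advisories, ranks each finding by severity weighted by asset criticality and observed exploitation, and then decides between patching after regression testing and mitigating when no fix exists or the asset is under a change freeze. Software names, version numbers, advisory IDs and the scoring weights are all constructed placeholders, not real advisories.

```python
from dataclasses import dataclass

# Constructed sample inventory: which asset runs which software version,
# and how critical the asset is (1 = low, 5 = handles regulated data).
INVENTORY = [
    {"asset": "web-portal-01", "software": "apache-struts", "version": "2.3.31", "criticality": 5},
    {"asset": "intranet-wiki", "software": "apache-struts", "version": "2.5.10", "criticality": 2},
    {"asset": "build-agent-07", "software": "openssh", "version": "7.4", "criticality": 3},
]

# Constructed advisories: affected versions, CVSS-like severity, whether
# exploitation has been observed, and whether a vendor fix exists.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "software": "apache-struts", "affected": ["2.3.31", "2.5.10"],
     "fixed_in": "2.5.11", "severity": 10.0, "exploited_in_wild": True},
    {"id": "ADV-EXAMPLE-2", "software": "openssh", "affected": ["7.4"],
     "fixed_in": None, "severity": 5.3, "exploited_in_wild": False},
]

@dataclass
class Finding:
    asset: str
    advisory: str
    risk: float
    action: str

def risk_score(severity, criticality, exploited):
    """Severity weighted by asset criticality, boosted when exploitation is observed."""
    return severity * criticality * (1.5 if exploited else 1.0)

def triage(inventory, advisories, change_freeze=()):
    """Stages 2-4: match inventory to advisories, rank by risk, decide patch vs mitigate."""
    findings = []
    for item in inventory:
        for adv in advisories:
            if adv["software"] != item["software"] or item["version"] not in adv["affected"]:
                continue
            score = risk_score(adv["severity"], item["criticality"], adv["exploited_in_wild"])
            if adv["fixed_in"] is None:
                action = "mitigate: no vendor fix, apply workaround/compensating control"
            elif item["asset"] in change_freeze:
                action = "mitigate now, patch at next window (change freeze)"
            else:
                action = f"patch to {adv['fixed_in']} after regression test"
            findings.append(Finding(item["asset"], adv["id"], score, action))
    return sorted(findings, key=lambda f: f.risk, reverse=True)  # highest risk first

if __name__ == "__main__":
    for f in triage(INVENTORY, ADVISORIES, change_freeze={"intranet-wiki"}):
        print(f"{f.risk:6.1f}  {f.asset:15} {f.advisory:14} {f.action}")
```

The ranked output is the mitigation schedule from stage 4; an asset missing from the inventory never appears in it, which is exactly the blind spot the next sections warn about.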

What Does the C-suite Need to Know?

Although most organizations understand the importance of patching their systems, their reluctance to do so is explained by a simple, if oversimplified, relationship:

patching = downtime = lost revenue

Most organizations have a strong aversion to disturbing business continuity. But downtime can come from a misapplied patch as much as from a data breach. It is important for the C-suite to understand that business downtime due to patching is far less harmful than downtime suffered due to a data breach. Just ask Equifax. Effective vulnerability management can help you prevent a security breach and can save you lots of money, not so much because of immediate cash losses but because of the inevitable catastrophic reputation damage that follows a breach.

Therefore, it’s up to organizations to support both effective patch and vulnerability management so as to adequately protect IT assets against a security event without affecting productivity.

My recommendation is to proactively brief your executive team about the vulnerability-related risks, and the process for mitigating those risks. C-level executives need to realize that effective vulnerability management always begins with having a clear picture of what’s installed on the network and having a way to verify that only those items are connected to the network. Without this visibility, organizations risk overlooking fixes in their patch management strategy for software that they don’t know they have. Only with a detailed, up-to-date inventory yielded by vulnerability management can organizations practice effective patch management.

It May Not be Perfect, but It’s Essential

As I stated earlier, vulnerability management is a balancing act, which makes it more an art than a science. With a constant barrage of threats (including zero-days), newly discovered vulnerabilities, and quickly developed patches, having a “perfect” process is basically impossible. Vulnerability management has to be backed up by good threat intelligence that provides a deeper understanding of how and why threat actors are targeting certain vulnerabilities and ignoring others. Intelligence on vulnerability exploitability prepares your organization to strike the correct balance between patching vulnerable systems and interrupting business operations.

A risk-based approach to vulnerability management makes it much easier to communicate the danger of a vulnerability across your security and operations teams, up through senior managers, and even to the board. This level of visibility into the rationale behind decisions made around vulnerabilities will increase confidence in the security team across your entire organization and will help prevent data breaches, such as the one Equifax suffered, from happening to you.

Giovanni Vigna

Giovanni Vigna is one of the founders and CTO of Lastline as well as a Professor in the Department of Computer Science at the University of California in Santa Barbara. His current research interests include malware analysis, web security, vulnerability assessment, and mobile phone security. He also edited a book on Security and Mobile Agents and authored one on Intrusion Correlation. He has been the Program Chair of the International Symposium on Recent Advances in Intrusion Detection (RAID 2003), of the ISOC Symposium on Network and Distributed Systems Security (NDSS 2009), and of the IEEE Symposium on Security and Privacy in 2011. He is known for organizing and running an inter-university Capture The Flag hacking contest, called iCTF, that every year involves dozens of institutions around the world. Giovanni Vigna received his M.S. with honors and Ph.D. from Politecnico di Milano, Italy, in 1994 and 1998, respectively. He is a member of IEEE and ACM.