Taking the risk-based approach to vulnerability patching

As one of the most effective ways to prevent attacks on IT assets, it is universally acknowledged and known that patching vulnerabilities is a critical process. But as the volume of vulnerabilities discovered in the tools we use continues to proliferate -- and the speed at which they are being weaponized increases -- patching is becoming a complex and difficult task for security teams. During the 2021 calendar year alone, more than 20,000 individual vulnerabilities were discovered and announced, and by May 2022, more than 10,000 issues had been released. The number of vulnerabilities being discovered and disclosed is not slowing down, it is accelerating.

While the security community’s ability and attention towards discovering vulnerabilities has matured, the scale of these issues has - in tandem - become overwhelming. So what can organizations do to stay afloat in today’s "sink-or-swim" threat landscape?

In the simplest of terms, it requires a change in mindset that entails a concentration on risk -- e.g., identifying the most severe set of potential issues to your organization and prioritizing patching those first. But as with anything, this is much easier said than done.

How to think about risk

Step one is to look at the risk level associated with and posed by each potential threat. This enables the prioritization of the vulnerabilities that represent the most severe threat to the IT assets and software in a specific environment.

As opposed to relying on standard security issue scoring, like the Common Vulnerability Scoring System (CVSS), this method allows organizations to understand the potential impact that a vulnerability will have on a system. What might be a critical issue to the wider IT world may be less of a risk to a specific company due to what is in their environment. In contrast, an issue rated as less serious may have a larger impact on that same organization's systems.

Understanding the threat landscape is key to not overwhelming your patching processes. For example, out of the universe of 185,446 known vulnerabilities, only 29 percent have exploits available, just 2 percent have weaponized exploit code, a mere 0.4 percent have been exploited by malware and threat actors are actively leveraging only 0.16 percent of the universe of known vulnerabilities. While the quantity of known vulnerabilities is high, in comparison, the percentage being actively exploited is low. When assessing risk, companies should prioritize patching those being exploited first, as opposed to allowing the full list of known vulnerabilities to overwhelm mitigation processes.

Issues may also change in importance over time as threat actors work around vulnerabilities, or combine new and existing threats to create different exploit paths. Continuously tracking issues is critical to manage risk. As new exploits for vulnerabilities are created -- and as those exploits are automated -- your approach should be flexible enough to change prioritization status and respond.

How to think about the whole process, not just patching

Ranking vulnerabilities by risk allows security teams to implement faster patching for the most severe threats. However, the correct remediation path is not always straightforward.

Fixing a vulnerability can require more than one action, such as deploying a patch, making configuration changes, updating registry keys or a combination of any of these. In some cases, completing these actions has the potential to introduce operational risk -- e.g., breaking existing processes or affecting applications. For this reason, other teams in IT responsible for ensuring systems are up and running at all times, may have hesitations in applying certain patches.

An important element to avoid this type of roadblock is to create workflows for testing and change management. Through integrations with vulnerability management and IT service management systems, this can be achieved more seamlessly.

An integrated approach allows for the prioritized list of vulnerabilities to be mapped against the remediation actions needed -- from patches to be deployed and/or configuration changes required in an environment. Reducing the number of tools involved in this process removes complications between teams and speeds up Mean Time To Remediate (MTTR). 

But even with a reduction of tools, organizations may still struggle with how they manage security issues and how they carry out patching. While the initial goal may be to patch everything as fast as possible, the complexity and interconnectedness of systems that make up IT infrastructures today, makes this unattainable.

So what can security teams do? Ultimately, security teams must be able to identify what presents the most severe risk to the business and understand how the processes between teams responsible for different pieces of detection and remediation works best.

The adoption of a single unified approach across vulnerability management, patching, configuration and change requests can reduce risk and improve how quickly processes work. With so many new vulnerabilities being discovered and disclosed, a consolidated approach allows organizations to drive results in achieving higher levels of efficiency, quicker MTTR and ultimately improves overall security hygiene.

Photo Credit: Olivier Le Moal / Shutterstock

Eran Livne is Director of Product Management, Qualys.