Navigating 20 years of cybersecurity: The evolution of patch management
As we approach the 20th anniversary of Cybersecurity Awareness Month, it's crucial to reflect on the progress made in patch management, a fundamental cybersecurity practice aimed at helping organizations mitigate the risk of unpatched vulnerabilities -- the primary gateway for attackers to breach organizational systems and deploy ransomware and other malware.
In 2003, patch management awareness was low, but it wasn't as critical to global cybersecurity as today because cybercrime was less developed. Automated exploits for known vulnerabilities and ransomware, which now monetizes attacks, hadn't emerged yet.
Twenty years back, vendors announced around 150 vulnerabilities and fixes per week, which was significantly fewer than today. However, managing these patches was challenging. It involved labor-intensive efforts to sift through vulnerabilities and determine their relevance. There were no standardized methods for patch distribution -- some patches were on vendor websites, while others were not. The varying patch release policies among vendors exacerbated the issue.
Only large enterprises, potential targets of highly specialized attacks, maintained dedicated patch management teams. Meanwhile, the time between identifying a vulnerability and exploiting it was short, forcing enterprises to act swiftly to avoid falling prey to malicious actors.
This period also witnessed the inception of a conflict that significantly shaped the patch management industry. It became clear that addressing software vulnerabilities was essential for security. However, software vendors lacked motivation to fix these issues since the costs of insecurity weren't their responsibility. Instead, organizations using their software bore the burden of patch management, including damage and update costs. This situation drove the development of automated patch management solutions.
From Awareness to Action: The Evolution of Patch Management
In 2017, two high-profile attacks started shaping the importance of patching. The Equifax data breach, which exploited a vulnerability in the Apache Struts web application framework that was a few months old, exposed the personal information of approximately 147 million individuals. Even worse, the WannaCry attack affecting hundreds of thousands of computers in 150 countries exploited a vulnerability in Microsoft Windows, known as EternalBlue (CVE-2017-0144), for which a critical security patch was issued by Microsoft months before the attack.
WannaCry heralded a new era of ransomware-driven cyberattacks for which unpatched vulnerabilities served as one of the prime entry points for attackers. These developments heightened awareness regarding the significance of installing security updates and forced the government to enhance initiatives aimed at improving patching quality.
Awareness vs. Implementation: Bridging the Gap
Although the level of awareness about the importance of patching has matured, the quality of its implementation leaves much to be desired. 75 percent of attacks in 2020 used vulnerabilities that were at least two years old. The infamous LastPass breach of 2022 compromised a three-year-old vulnerability.
As we are now in 2023, we have more vulnerabilities detected per month than ever before, the amount increased by 10 times in comparison to 2003, and news about cyber-attacks exploiting old vulnerabilities breaks out every other month.
To grasp the divide between awareness and action, let's explore the challenges facing modern enterprises.
Patch management requires IT teams to handle interdependencies among multiple stakeholders, technical tasks, and socio-technical decisions, making it complex. Balancing the urgency of applying security patches with minimizing downtime is a key challenge. Fear of downtime is the primary barrier to vulnerability remediation, as highlighted by a recent Action1 survey. Many organizations lack automated testing strategies and perform testing manually, which delays subsequent deployments. A shortage of testing resources is the second most significant barrier to patch management.
Moreover, the limitations of existing automated patch management solutions pose a significant hurdle to achieving software security patch management goals. Many of these tools are complex to manage and have accuracy issues. Their architecture might lack scalability, making it challenging to apply patches within a distributed enterprise. Additionally, many existing products lack vulnerability discovery, leading to a lack of visibility and missing software vulnerabilities.
In fact, we have more challenges with software patching today than we did 20 years ago, and the situation is not getting better. Worryingly, the Mean Time to Remediate vulnerabilities (MTTR) has risen from 60 to 65 days between 2022 and 2023. We need to implement new revolutionary practices to reverse this trend.
The Path to a Secure Technological World
Raising awareness about the importance of patch management is crucial, but it alone cannot fully mitigate the risks associated with unpatched vulnerabilities. Collaboration involving government, businesses, and end-users is necessary.
A critical aspect of comprehensive vulnerability management is ensuring that software vendors integrate security practices into their development lifecycles, minimizing vulnerabilities from the outset. Government oversight in this area is essential. The recent White House cybersecurity strategy highlights the concept of security by design, yet its precise impact on development processes remains uncertain. However, emphasizing secure coding practices and rigorous testing can substantially reduce the post-deployment need for patching -- a strategy with the potential to greatly enhance global information security.
Government attention to patching and security, coupled with collaboration among industry stakeholders, government agencies, and cybersecurity communities, can facilitate the sharing of information about known vulnerabilities and elevate the quality of nationwide patch management strategies. Ultimately, this should encourage organizations to instill patch management as a core practice within their culture and structure, ensuring consistent patch application organization-wide whenever recommended by the IT department.
On the organization’s side, a well-structured patch management process is crucial. This entails establishing clear policies across all stages. The key elements of the patch management process include practices related to vulnerability discovery and prioritization, patch testing, timely patch deployment, and post-deployment patch auditing to detect and resolve issues.
Automation tools are crucial for enterprises to streamline the process, enhance testing and deployment, and minimize human errors. These solutions should be able to detect and remediate software vulnerabilities across operation systems and third-party applications, as well as hardware firmware, based on a comprehensive vulnerability database.
While notable progress in addressing the gaps between awareness and implementation of patch management has been made over the years, the persistence of unpatched vulnerabilities requires continued efforts from organizations, vendors, policymakers, and individuals. By prioritizing security by design, education, collaboration, and integrated security measures, we can strive for a secure technological world.
Mike Walters is VP of Vulnerability and Threat Research and co-founder of Action1 Corporation, which provides risk-based patch management software. Mike has more than 20 years of experience in cybersecurity. Prior to Action1, Mike co-founded Netwrix, which was acquired by TA Associates.