It seems patch management really is difficult. We see a torrent of security breaches enabled by systems whose security patches have not yet been installed. The single biggest reason I can identify is that it is simply impossible to install all the patches your network requires in a timely manner, meaning within a few days of the patch release.
So, when a complete and timely security patching process isn't possible, what's the next best thing? My answer would be a rigorously enforced vulnerability management process, something the SANS Institute's Top 20 Critical Cyber Security Controls rates as one of the four most important control techniques.
My advice is to have a patch management process running at the maximum speed allowed by your IT and business processes, bearing in mind that patch management is managed by IT (not security) and runs in parallel with vulnerability management.
Then, the security team can run the vulnerability management process through discovery and analysis, feeding critical patches to patch management and monitoring the effectiveness of their implementation.
It should be a security team’s responsibility to discover existing vulnerabilities, and typically this involves both using a vulnerability scanning tool, and keeping the company’s data asset register up to date. In fact, this is an ideal situation to outsource to an experienced security operations partner.
Analyse and fix
The next stage is one of assessing priorities, as scanning tools typically reveal a large number of issues, of various levels of importance. It helps if we set up three categories:
• Issues to be dealt with immediately, and quickly fed into the established emergency patch management process.
• Issues which can wait for the regular patch cycle.
• Issues that could be ignored until something changes.
Please note that a change in threat intelligence, the network design, or a system could alter the threat level of a previously analysed vulnerability, hence this stage of the process needs to be flexible and repeated on a daily basis. In fact, such an analysis is very hard to perform by hand, hence a tool and methodology are essential. Such an expertise-driven area is probably best outsourced to an experienced security operations partner.
If the above process is implemented correctly, the discovery phase will take care of measuring the overall effectiveness of the process.
From my experience, the most effective way to make patch management a priority for IT executives is to calculate their bonuses based on vulnerability management key performance indicators (KPIs). For example:
• The percentage of systems outside of agreed patch cycles – remember that these can have long deadlines, enabled by good analysis and an emergency patch process.
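As an added illustration, not from the article, the following Python sketch encodes the three-category triage described above and the KPI just listed: findings are re-bucketed every time the threat intelligence input changes, and the percentage of registered systems past their agreed deadline is recomputed. The severity thresholds, deadlines, host names and vulnerability identifiers are constructed assumptions, not real data.

```python
from dataclasses import dataclass
from datetime import date

IMMEDIATE, REGULAR_CYCLE, DEFER = "immediate", "regular_cycle", "defer"

# Agreed deadline in days for each category (assumed values); None = no deadline.
DEADLINES = {IMMEDIATE: 2, REGULAR_CYCLE: 30, DEFER: None}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str          # placeholder identifier, not a real CVE
    cvss: float
    internet_facing: bool
    first_seen: date      # date the scanner first reported it


def categorise(f: Finding, exploited_in_wild: set) -> str:
    """Bucket one finding into the article's three categories.
    Threat intelligence (vulnerabilities known to be exploited) is a parameter,
    so the same finding is re-triaged whenever that intelligence changes."""
    if f.vuln_id in exploited_in_wild or (f.cvss >= 9.0 and f.internet_facing):
        return IMMEDIATE
    if f.cvss >= 4.0:
        return REGULAR_CYCLE
    return DEFER


def overdue_hosts(findings, exploited_in_wild: set, today: date) -> set:
    """Hosts with at least one finding older than its category's deadline."""
    late = set()
    for f in findings:
        limit = DEADLINES[categorise(f, exploited_in_wild)]
        if limit is not None and (today - f.first_seen).days > limit:
            late.add(f.host)
    return late


def pct_outside_patch_cycle(asset_register, findings, exploited_in_wild, today):
    """KPI: percentage of registered systems outside their agreed patch cycle."""
    hosts = set(asset_register)
    late = overdue_hosts(findings, exploited_in_wild, today) & hosts
    return 100.0 * len(late) / len(hosts) if hosts else 0.0


# Constructed sample asset register and scanner output.
ASSET_REGISTER = ["web01", "db01", "hr01", "app01"]
FINDINGS = [
    Finding("web01", "VULN-A", 9.8, True, date(2024, 6, 1)),
    Finding("web01", "VULN-B", 5.0, True, date(2024, 5, 20)),
    Finding("db01", "VULN-C", 7.5, False, date(2024, 5, 1)),
    Finding("hr01", "VULN-D", 2.0, False, date(2024, 1, 10)),
]
TODAY = date(2024, 6, 10)
```

Running the KPI with an empty intelligence set reports 50% of systems overdue; adding `VULN-D` to the exploited set promotes hr01's low-scoring finding to the immediate category and the same data now reports 75%, which is the daily re-evaluation the article calls for.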
Vladimir Jirasek is Cloud Security Alliance (CSA) UK Chapter chair and managing director at Jirasek Security Consulting.