
Security Think Tank: Using vulnerability management to support the patching process

What strategies can companies adopt to deal with the huge volume of software updates they are facing?

It seems patch management really is difficult. We see a torrent of security breaches enabled by systems whose security patches have not yet been installed. The single biggest reason I can identify is that it is simply impossible to install every patch your network requires in a timely manner, meaning within a few days of the patch release.

Why just a few days? Because research shows that criminals can develop an exploit almost immediately after a patch is released, simply by reverse engineering it: diffing the patched and unpatched code reveals exactly which flaw was fixed, and therefore where to aim.

So, when a complete and timely security patching process isn't possible, what's the next best thing? My answer would be a rigorously enforced vulnerability management process, something the SANS Institute's Top 20 Critical Security Controls rates as one of the four most important control techniques.

My advice is to have a patch management process running at the maximum speed your IT and business processes allow, bearing in mind that patch management is owned by IT (not security) and runs in parallel with vulnerability management.

The security team then runs the vulnerability management process through discovery and analysis, feeding critical patches to patch management and monitoring how effectively they are implemented.


It should be the security team's responsibility to discover existing vulnerabilities. This typically involves both running a vulnerability scanning tool and keeping the company's asset register up to date, since a scanner can only assess the systems it knows about. In fact, this is an ideal activity to outsource to an experienced security operations partner.

Analyse and fix

The next stage is assessing priorities, as scanning tools typically reveal a large number of issues of varying importance. It helps to sort them into three categories:

• Issues to be dealt with immediately and fed straight into the established emergency patch management process.
• Issues that can wait for the regular patch cycle.
• Issues that can be ignored until something changes.

Please note that a change in threat intelligence (for example, a public exploit appearing), in the network design, or in a system itself can alter the threat level of a previously analysed vulnerability, so this stage of the process needs to be flexible and repeated daily. Such an analysis is very hard to perform by hand, so a tool and a methodology are essential. This expertise-driven area is probably best outsourced to an experienced security operations partner.


If the above process is implemented correctly, the discovery phase will also measure the overall effectiveness of the process: each rescan shows which of the vulnerabilities fed to patch management are still present.


From my experience, the most effective way to make patch management a priority for IT executives is to calculate their bonuses from vulnerability management key performance indicators (KPIs). For example:

• A risk value, based on an agreed formula, calculated from critical vulnerabilities that missed the emergency patch process.
• The percentage of systems outside agreed patch cycles – remember that these cycles can have long deadlines, enabled by good analysis and an emergency patch process.
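The following Python script is an added illustration, not code from the article or from Jirasek Security Consulting. It ties the three triage categories from the "Analyse and fix" section to the two KPIs above: a list of constructed scan findings is sorted into emergency, regular and accepted buckets, each bucket gets a deadline, and the risk value and out-of-cycle percentage are computed from what missed those deadlines. The CVSS thresholds, the three-day emergency window, the 30-day regular cycle and the "CVSS times days overdue" risk formula are all assumptions standing in for the "agreed formula"; the host names and finding IDs are made up.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed service levels (hypothetical values; agree them with IT and the business)
EMERGENCY_WINDOW = timedelta(days=3)   # emergency patch process
REGULAR_CYCLE = timedelta(days=30)     # regular patch cycle


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str
    cvss: float
    exploit_public: bool    # from threat intelligence feeds
    exposed: bool           # reachable from an untrusted network, per the asset register
    found: date             # first reported by the scanner
    fixed: Optional[date]   # date a rescan no longer reported it; None while still open


def triage(f: Finding) -> str:
    """Place a finding in one of the three categories. Thresholds are assumed."""
    if f.cvss >= 9.0 or (f.exploit_public and f.exposed):
        return "emergency"          # feed to the emergency patch process now
    if f.cvss >= 4.0 or f.exploit_public:
        return "regular"            # wait for the regular patch cycle
    return "accepted"               # ignore until threat intel, network or system changes


def reassess(f: Finding, **changes) -> str:
    """Daily re-run: re-triage a finding after threat intel or asset data changed."""
    return triage(replace(f, **changes))


def deadline(f: Finding) -> Optional[date]:
    """Date by which the category's patch process should have closed the finding."""
    category = triage(f)
    if category == "emergency":
        return f.found + EMERGENCY_WINDOW
    if category == "regular":
        return f.found + REGULAR_CYCLE
    return None


def days_overdue(f: Finding, today: date) -> int:
    """Days past the deadline, measured at the fix date (if fixed) or today."""
    d = deadline(f)
    if d is None:
        return 0
    closed = f.fixed if f.fixed is not None else today
    return max(0, (closed - d).days)


def risk_value(findings: List[Finding], today: date) -> float:
    """KPI 1 (assumed formula): sum of CVSS x days overdue over emergency
    findings that missed the emergency window, whether or not since fixed."""
    total = sum(f.cvss * days_overdue(f, today)
                for f in findings if triage(f) == "emergency")
    return round(total, 1)


def out_of_cycle_pct(findings: List[Finding], today: date) -> float:
    """KPI 2: percentage of hosts with at least one still-open finding past its deadline."""
    hosts = {f.host for f in findings}
    late = {f.host for f in findings
            if f.fixed is None and days_overdue(f, today) > 0}
    return round(100.0 * len(late) / len(hosts), 1) if hosts else 0.0


def summarize(findings: List[Finding], today: date) -> Dict[str, float]:
    """Open findings per category plus both KPIs, as a report for IT."""
    counts = {"emergency": 0, "regular": 0, "accepted": 0}
    for f in findings:
        if f.fixed is None:
            counts[triage(f)] += 1
    return {**counts,
            "risk_value": risk_value(findings, today),
            "out_of_cycle_pct": out_of_cycle_pct(findings, today)}


# Constructed sample scan output (not real scan data)
TODAY = date(2024, 3, 20)
SAMPLE = [
    Finding("web-01", "V-1", 9.8, True,  True,  date(2024, 3, 10), None),
    Finding("web-01", "V-2", 5.3, False, True,  date(2024, 3, 1),  None),
    Finding("db-02",  "V-3", 7.5, True,  False, date(2024, 3, 15), date(2024, 3, 17)),
    Finding("db-02",  "V-4", 2.0, False, False, date(2024, 1, 1),  None),
    Finding("app-03", "V-5", 9.1, False, False, date(2024, 3, 1),  date(2024, 3, 10)),
]

if __name__ == "__main__":
    print(summarize(SAMPLE, TODAY))
    # Threat intel now reports a public exploit for V-2: the daily re-run moves it to emergency
    print(reassess(SAMPLE[1], exploit_public=True))
```

Two design points worth noting. The risk value counts a late emergency patch even after it is eventually applied (V-5 above), because the KPI is meant to record that the window was missed, whereas the out-of-cycle percentage looks only at what is still open, since that is what IT can act on today. And because triage is recomputed from the current threat intelligence and asset data every run rather than stored, a finding that was safely "regular" yesterday (V-2) becomes "emergency" the moment a public exploit appears, which is exactly the flexibility the analysis stage needs.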

Vladimir Jirasek is Cloud Security Alliance (CSA) UK Chapter chair and managing director at Jirasek Security Consulting.
