Patch Management Must be Guided by Risk
Since the major technology companies have a regular cadence for the release of patches, organizations can, in theory, better allocate resources, prepare to test software updates, and deploy fixes when ready. But when Microsoft patches dozens of bugs on the second Tuesday month after month, or Oracle fixes hundreds of bugs at a time on a quarterly basis, the temptation could arise to just patch it all, or at least rely on criticality scores and bleating pundits to guide your patch management efforts.
A high CVE score or a pithy quote from an expert, however, shouldn’t be the deciding factor as to whether an enterprise deploys every patch to every affected system. The discussion should center on risk, and it should land on the likelihood a vulnerability would be exploited on your network and what impact it will have to continuity, data integrity, and the bottom line. An approach aligned with Business Risk Intelligence (BRI) lends itself to informed decisions about patch management, and the right call could save your company precious time and money, and allow your internal experts to focus on what matters most to the business.
Unfortunately for many companies, patch management is still guided by CVE criticality scores that are often incorrectly equated with business risk. CVE scores are a macro guide to a bug’s potential impact, but my organization’s 9.8 score could equate to a 4.6 inside the walls of your company. Patch management cannot be based on a third-party rating system devoid of the unique context of an enterprise’s security and risk posture. Relying solely on CVE criticality scores in place of business risk assessments will lead you down a path of costly monthly and quarterly updates, regardless of whether they are needed.
Bug reports and breathless headlines about the latest major vulnerability—replete with logos and dedicated websites—get the attention of CIOs, and in turn, that trickles down to CISOs and cyber threat intelligence teams. On the surface, it’s simple to quickly search for the bug to determine what product is affected, whether patches are available, and whether it’s being publicly attacked. Many CIOs have ruined the weekends of those responsible for patch management with a rash decision mandating that the latest mega-bug be fixed immediately, even if it’s midnight on a Friday.
Is it ultimately a win? Many would say yes. But since the vulnerability was never evaluated in the context of risk to the business, it’s impossible to determine whether this win was worth the cost of deploying the patch—not to mention the patch management team’s displeasure with having to work overtime on a Friday night.
Now imagine that the CIO had instead initially asked, “What is our risk related to this?”
With this frame of reference, the CTI team researches the vulnerability, overlays this research with relevant insights gleaned from BRI, and reports to management the likelihood that the organization would be impacted by the publicly available exploits. By combining public information with business context about the critical assets potentially at risk from the bug, along with the cost of deploying patches, the risk can be quantified. There’s a big difference between testing and patching a handful of servers for a few hundred dollars and patching enterprise-wide for potentially tens of thousands.
Now armed with concrete information tied to business risk and cost, the CISO makes an informed decision, responding to the CIO about whether it would be an acceptable risk to patch only a few machines, for example.
This approach to decision-making becomes even more powerful in situations involving a series of CVEs and patches. When you understand the mitigation costs, potential impacts, and their likelihoods—in other words, your company’s business risk—you can identify and address what’s actually critical to your company regardless of the criticality score assigned by a third party, and ensure resources are prioritized cost-effectively on the efforts that have the greatest impact.
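To make the argument concrete, here is an added worked example of the kind of risk-weighted triage described above. It is not code from the article or from Flashpoint, and the likelihood weights, the loss estimates, the patch costs and the identifiers (EXAMPLE-A, EXAMPLE-B, EXAMPLE-C) are all constructed assumptions for illustration. It ranks a batch of vulnerabilities by expected loss relative to patch cost rather than by their third-party score, so a 9.8 that sits on low-value internal systems with no public exploit can legitimately fall below a 7.5 that is being exploited in the wild on a few critical, internet-facing servers.

```python
"""Risk-based patch prioritisation (illustrative model, not Flashpoint's).

Each vulnerability is scored as expected loss = likelihood x impact, and
then compared with what the patch would cost to test and deploy.
"""
from dataclasses import dataclass


@dataclass
class Vuln:
    ident: str                 # placeholder identifier (constructed)
    cvss_base: float           # third-party criticality score, 0-10
    exploit_public: bool       # working exploit code is publicly available
    exploited_in_wild: bool    # active exploitation has been reported
    internet_exposed: bool     # affected hosts are reachable from outside
    affected_hosts: int        # hosts in our estate running the product
    asset_criticality: float   # 0.0-1.0, business weight of affected systems
    loss_if_compromised: float # USD: downtime, data loss, recovery (assumed)
    patch_cost: float          # USD: test + deploy across affected hosts


def likelihood(v: Vuln) -> float:
    """Rough probability of exploitation on *our* network within the patch
    window. The weights are assumptions chosen for this example."""
    p = 0.02                      # baseline: bug is public, nothing more
    if v.exploit_public:
        p += 0.20                 # copy-paste exploitation becomes easy
    if v.exploited_in_wild:
        p += 0.40                 # attackers are already using it
    p *= 1.5 if v.internet_exposed else 0.5   # internal-only needs a foothold
    return min(p, 1.0)


def expected_loss(v: Vuln) -> float:
    """Likelihood x business impact, in USD."""
    return likelihood(v) * v.asset_criticality * v.loss_if_compromised


def risk_per_dollar(v: Vuln) -> float:
    """Expected loss avoided per dollar spent on the patch: the ranking key."""
    return expected_loss(v) / v.patch_cost


def recommend(v: Vuln) -> str:
    """Turn the numbers into the decision the CISO has to make."""
    loss = expected_loss(v)
    if loss > v.patch_cost:
        return "patch now"            # emergency change is cheaper than the risk
    if loss > 0.1 * v.patch_cost:
        return "regular cycle"        # worth fixing, not worth a Friday night
    return "accept / defer"           # patch cost dwarfs the realistic exposure


def prioritize(vulns: list[Vuln]) -> list[Vuln]:
    """Highest risk-per-dollar first, independent of the CVSS base score."""
    return sorted(vulns, key=risk_per_dollar, reverse=True)


# Constructed sample batch: note the CVSS order is A > C > B.
SAMPLE = [
    Vuln("EXAMPLE-A", 9.8, False, False, False, 500, 0.3, 200_000, 40_000),
    Vuln("EXAMPLE-B", 7.5, True, True, True, 4, 1.0, 2_000_000, 800),
    Vuln("EXAMPLE-C", 8.1, True, False, False, 2000, 0.5, 500_000, 150_000),
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        print(f"{v.ident}: cvss={v.cvss_base} p={likelihood(v):.2f} "
              f"expected_loss=${expected_loss(v):,.0f} "
              f"patch_cost=${v.patch_cost:,.0f} -> {recommend(v)}")
```

Run as a script it lists EXAMPLE-B first (patch now), then EXAMPLE-C (regular cycle), then the 9.8-rated EXAMPLE-A (accept / defer), which is exactly the inversion of the headline ordering that the risk discussion above is meant to produce. The weights and thresholds are the part a real program would replace with its own BRI inputs; the structure of the decision is the point.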
Josh Lefkowitz is the Chief Executive Officer of Flashpoint, where he executes the company’s strategic vision to empower organizations with Business Risk Intelligence (BRI) derived from the Deep & Dark Web. He has worked extensively with authorities to track and analyze terrorist groups. Mr. Lefkowitz also served as a consultant to the FBI’s senior management team and worked for a top tier, global investment bank. Mr. Lefkowitz holds an MBA from Harvard University and a BA from Williams College.