Businesses Are Going Through a Rough Patch

Today, software is embedded in virtually every machine, device, and system. It drives enterprise performance, and it delivers faster and better ways to manage tasks and processes. Yet there’s a dark side to all that code: It also introduces risk. Breaches often result because hackers and attackers take advantage of code vulnerabilities. Consequently, software patching has emerged as a crucial business task. It spans enterprise applications, websites, cloud environments, e-commerce systems, Internet of Things (IoT) devices, networking, mobile apps, and more.

The complexity of patching in today’s business and IT environments is unmistakable. Only a few years ago, patches were delivered by a handful of major vendors, such as Microsoft, Apple, Oracle, and Adobe. However, there are now hundreds of enterprise vendors and open-source groups churning out patches and updates daily. “It has become an extraordinarily challenging environment,” stated Christopher Budd, senior threat communication manager for Palo Alto Networks.

How can business and IT leaders transform all the chaos into some kind of order? How can an organization take a best-practices approach and ensure that software, firmware, and devices are updated and patched regularly? While there are no simple answers, there are some straightforward steps executives can put in place that will increase protection and decrease the risk of a breach. “It is possible to approach patching in a strategic way,” explained Paul Hill, a senior consultant at SystemsExperts Corp., an independent security consulting firm located in Sudbury, Massachusetts.

Risky business

Business leaders cannot afford to ignore or downplay the risks associated with inadequate patching policies. Most recently, Equifax was hit with a massive data breach—approximately 143 million records—that was reportedly due to vulnerabilities in its open-source server framework, Apache Struts. Although a patch had been introduced by the open source group in March 2017, the company had apparently not applied it when intruders wormed their way into the network in May. They potentially stole Social Security numbers, birthdates, addresses, credit card numbers, and other sensitive data.

The problem for organizations, Budd said, is that there are tens of thousands of potential vulnerabilities related to patching—and different vendors and systems rely on different protocols and approaches. The problems are multiplied in a connected world. At any given moment, an enterprise might be susceptible to dozens, or even hundreds, of threats. “There is simply no way to keep track of everything and ensure that an environment is airtight. Patching is an unbelievably complex task,” explained Budd. In addition, Hill said that many organizations delay patching because they don’t want to shut down systems—often to their dismay. “Suddenly,” said Hill, “when a breach takes place, they realize the true cost of inadequate security practices.”

Hill said that one starting point is to build a framework around fast and responsive patching. The good news is that most major vendors now push notifications and actual patches out on a timely basis, and many enterprises download and install these patches automatically. As a result, most problems arise from other software and devices, including open-source code, that aren’t always visible on the surface. Not surprisingly, this space is where hackers and attackers are channeling their efforts. And this is where business and IT leaders must focus the bulk of their attention. Simply put: It’s vital to have systems in place to identify when a vendor has released a patch.

Cracking the code

Organizations can take several other steps to minimize patching risks. Business leaders must make sure that the organization has an up-to-date inventory of all systems, commercial software, internal code, open-source libraries, APIs, IoT devices, and more. It’s also critical to record the IP address, physical location, and function of these devices or systems. This could require a network scanner that can tackle the discovery process and deliver the required information. Likewise, it’s important to know what security solutions and controls the organization has in place. This includes routers, firewalls, antivirus tools, and other hardware and software.

With a complete inventory in hand, it’s possible to identify gaps in security and map known vulnerabilities to the affected assets. With an understanding of where deficiencies exist, as well as the potential severity of a threat, it’s then possible to classify risks and take specific security steps to address weaknesses or gaps. This can include adding tools, adopting new policies, or completely revamping a patching strategy. It might also involve examining systems more closely, including looking at IoT devices that might be running outdated or obsolete operating systems or firmware, and disconnecting them from the network if they represent a realistic threat.
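The two preceding paragraphs describe a procedure: keep an inventory of what runs where, watch for vendor or open-source advisories, and rank the gaps by severity and exposure. The program below is an added example of that check in Go; it is not code from the article or from any of the people or companies quoted in it. The inventory rows, IP addresses, version numbers and advisory identifiers are constructed for the example and do not describe any real product release; in practice the inventory would come from a discovery scan and the advisories from vendor feeds.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Asset is one row of the inventory: what runs where, at which version,
// and whether it is reachable from outside the network.
type Asset struct {
	Host    string
	IP      string
	Product string
	Version string
	Exposed bool // true for internet-facing systems
}

// Advisory is a vendor or open-source project notice that a fix exists.
type Advisory struct {
	ID        string // constructed placeholder, not a real CVE or vendor ID
	Product   string
	FixedIn   string // first version that contains the fix
	Severity  string // "critical", "high", "medium" or "low"
	Published time.Time
}

// Finding pairs an asset with an advisory it has not yet picked up.
type Finding struct {
	Asset    Asset
	Advisory Advisory
	Priority string // P1 (act now) .. P4 (routine cycle)
	DaysOpen int    // days since the fix was published
}

// versionLess reports whether a is older than b by comparing dotted numeric
// components: "2.3.9" is older than "2.3.10", which plain string order gets wrong.
func versionLess(a, b string) bool {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(pa) || i < len(pb); i++ {
		var x, y int
		if i < len(pa) {
			x, _ = strconv.Atoi(pa[i])
		}
		if i < len(pb) {
			y, _ = strconv.Atoi(pb[i])
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// prioritize combines advisory severity with the asset's exposure, so an
// internet-facing host missing a critical fix outranks an internal one.
func prioritize(severity string, exposed bool) string {
	switch {
	case severity == "critical" && exposed:
		return "P1"
	case severity == "critical" || (severity == "high" && exposed):
		return "P2"
	case severity == "high" || (severity == "medium" && exposed):
		return "P3"
	default:
		return "P4"
	}
}

// FindUnpatched walks the inventory against the advisory feed and returns every
// asset running a version older than the fix, highest priority and longest-open first.
func FindUnpatched(assets []Asset, advisories []Advisory, now time.Time) []Finding {
	var out []Finding
	for _, a := range assets {
		for _, adv := range advisories {
			if adv.Product != a.Product || !versionLess(a.Version, adv.FixedIn) {
				continue
			}
			out = append(out, Finding{
				Asset:    a,
				Advisory: adv,
				Priority: prioritize(adv.Severity, a.Exposed),
				DaysOpen: int(now.Sub(adv.Published).Hours() / 24),
			})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Priority != out[j].Priority {
			return out[i].Priority < out[j].Priority
		}
		return out[i].DaysOpen > out[j].DaysOpen
	})
	return out
}

// Constructed sample data: every value below is invented for this example.
var (
	sampleNow    = time.Date(2017, 9, 1, 0, 0, 0, 0, time.UTC)
	sampleAssets = []Asset{
		{"web-01", "10.0.1.10", "struts", "2.3.30", true},
		{"intranet-02", "10.0.2.20", "struts", "2.3.33", false},
		{"cam-07", "10.0.9.7", "ipcam-firmware", "1.4.0", true},
		{"db-03", "10.0.3.30", "postgres", "9.6.5", false},
	}
	sampleAdvisories = []Advisory{
		{"ADV-0001", "struts", "2.3.32", "critical", time.Date(2017, 3, 6, 0, 0, 0, 0, time.UTC)},
		{"ADV-0002", "ipcam-firmware", "1.4.2", "high", time.Date(2017, 8, 1, 0, 0, 0, 0, time.UTC)},
		{"ADV-0003", "postgres", "9.6.5", "medium", time.Date(2017, 8, 10, 0, 0, 0, 0, time.UTC)},
	}
)

// SampleFindings runs the check over the constructed data.
func SampleFindings() []Finding {
	return FindUnpatched(sampleAssets, sampleAdvisories, sampleNow)
}

func main() {
	for _, f := range SampleFindings() {
		fmt.Printf("%s %-12s %-10s %s %s -> fixed in %s (%s, open %d days)\n",
			f.Priority, f.Asset.Host, f.Asset.IP, f.Asset.Product, f.Asset.Version,
			f.Advisory.FixedIn, f.Advisory.ID, f.DaysOpen)
	}
}
```

On the constructed data, the internet-facing web server missing a critical fix published almost six months earlier comes out as P1, the camera missing a high-severity firmware fix as P2, and the two hosts already at or above the fixed version produce no finding. The numeric version comparison matters: comparing version strings lexically would wrongly treat "2.3.9" as newer than "2.3.10" and hide a gap.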

It’s also wise, whenever possible, to standardize production systems and operating systems. A more streamlined IT environment makes it easier to ensure that patches and updates take place consistently, and that specialized or one-off devices don’t escape scrutiny. Hill also advised that organizations ensure that any IoT or device firmware is “code signed,” so that an invalid image or patch can’t be applied. Getting a handle on vendors might require detailed interviews about firmware and patching policies, he noted.
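To make the “code signed” firmware advice concrete, here is an added Go example of the two halves of that control: the vendor signs an image with a private key, and the device, which holds only the public key, refuses any image whose signature does not verify. This is illustration code written for this page, not code from the article, from Hill, or from any vendor; the image layout (a 4-byte magic, a 4-byte version, the payload, then an Ed25519 signature over everything before it) is a constructed format, and the check that a signed image is not older than the installed version is an added defensive detail that the article does not discuss.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout for this example (not any vendor's real format):
//   magic "FWIM" (4) | version (4, big-endian) | payload (n) | Ed25519 signature (64)
// The signature covers everything before it, so neither the version field nor
// the payload can change without verification failing.
const (
	magic  = "FWIM"
	hdrLen = 8
	sigLen = ed25519.SignatureSize
)

var (
	ErrMalformed = errors.New("firmware: malformed image")
	ErrBadSig    = errors.New("firmware: signature does not verify")
	ErrRollback  = errors.New("firmware: image older than installed version")
)

// BuildImage is the vendor-side step: assemble header and payload, then sign
// them with a private key that stays on the vendor's signing system.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, hdrLen, hdrLen+len(payload)+sigLen)
	copy(body, magic)
	binary.BigEndian.PutUint32(body[4:], version)
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyImage is the device-side gate. Only the public key is baked into the
// device, and the image is rejected unless layout and signature check out.
// It also refuses images older than what is installed, so a genuinely signed
// but obsolete build cannot be re-applied (an assumption added for this example).
func VerifyImage(pub ed25519.PublicKey, image []byte, installed uint32) (uint32, []byte, error) {
	if len(image) < hdrLen+sigLen || string(image[:4]) != magic {
		return 0, nil, ErrMalformed
	}
	body, sig := image[:len(image)-sigLen], image[len(image)-sigLen:]
	if !ed25519.Verify(pub, body, sig) {
		return 0, nil, ErrBadSig
	}
	version := binary.BigEndian.Uint32(body[4:8])
	if version < installed {
		return 0, nil, ErrRollback
	}
	return version, body[hdrLen:], nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	img := BuildImage(priv, 2, []byte("constructed firmware payload"))

	v, _, err := VerifyImage(pub, img, 1)
	fmt.Println("genuine image: version", v, "err", err)

	tampered := append([]byte(nil), img...)
	tampered[hdrLen] ^= 0x01 // flip one payload bit
	_, _, err = VerifyImage(pub, tampered, 1)
	fmt.Println("tampered image:", err)

	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	_, _, err = VerifyImage(otherPub, img, 1)
	fmt.Println("signed with a different key:", err)
}
```

The point the example makes is that the device never needs to trust the delivery channel: an image altered in transit, truncated, or signed by anyone other than the key holder fails before a single byte is written to flash. Protecting the private signing key, and planning how the device's trusted public key is rotated if that key is ever compromised, are the vendor-side policies the interviews Hill mentions would cover.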

In the end, according to Budd, business leaders should focus on a multilayered security approach. This helps reduce risk in an environment where it has become impossible to know that everything is patched and protected.

“If one piece isn’t effective, another piece is capable of thwarting the attack,” he explained. A multilayered framework typically consists of technologies such as a next-generation firewall that includes intrusion prevention, network antivirus systems, static and dynamic application scanning, and URL filtering. Such a framework should not simply be the convergence of these capabilities into one product; rather, the system should be natively integrated and automated so that these solutions work together. That way, what one component sees and learns can be shared with the other solutions. It might also involve emerging AI and machine learning, which can spot unusual patterns within logs and across the network.

Indeed, it’s possible to stack the odds in the organization’s favor. But it requires buy-in from the C-suite and board along with budgeting and support. “It’s impossible to create a framework that guarantees every system and device will be patched. There’s no 100 percent effective method for managing patching,” Budd concluded. “But a well-formulated strategy along with the right technologies and processes goes a long way toward minimizing the risk of a significant breach. Effective patching is one of the fundamental ways an organization can protect itself in today’s risky world.”