New Emphasis on an Old Problem: Patch Management and Accountability

Vulnerability and patch management is a decades-old cybersecurity problem, and given the current worldwide pandemic and how nation-state and eCrime adversaries are exploiting it — mitigating vulnerabilities across your organization’s environment has never been more important as increasing numbers of remote employees are connecting their personal devices to corporate networks.

The CrowdStrike^® Services team has observed many organizations still struggling to identify vulnerabilities, prioritize critical systems and deploy patches, as covered in the recently released CrowdStrike Services Cyber Front Lines Report. As a result, many companies have continued to suffer from ransomware attacks and malware that leverage exploit kits designed to prey on vulnerabilities in unpatched systems.

Organizations often experience vulnerability and patching issues because of departmental conflicts, missing patch management policies and limited accountability. Fortunately, many companies are developing new, risk-based solutions that can be highly effective in addressing the persistent challenges that patching presents.

PROBLEM 1: Vulnerabilities Everywhere, Patches Nowhere

Information security teams often have a lot of data on the vulnerabilities in their environments, but they usually rely on information technology (IT) teams to test and deploy patches. This is one area where organizations frequently fail. Information security teams and IT teams often have competing priorities — information security wants to keep an organization’s critical systems safe, while IT wants to keep them working. And for a small or medium-sized business (SMB), information security and IT might be the responsibility of the same person. If patching becomes a low priority, it can eventually cost the business money.

PROBLEM 2: Just Patch Everything

When information security teams approach IT departments with lists of systems to patch, it’s often overwhelming, and prioritization can be a challenge. The IT team may want to patch an internet-facing email server first — since it contains information about the organization’s trade secrets and has a high risk of attack — and hold off on critical patches to VPN software because of difficult deployment procedures and potential business interruptions. But the information security team may have threat intelligence reports showing that adversaries are actively exploiting the organization’s VPN vulnerabilities. For SMBs with a small team, patching everything is often not feasible, and determining where to focus limited resources adds further complication.

PROBLEM 3: No One Will Notice

CrowdStrike Services commonly sees a lack of accountability for failing to implement patches. Most organizations don’t have formal patching policies or enforcement mechanisms to ensure their systems stay patched, and incentives for information security and IT teams are often lacking. Pushing out patches isn’t exciting work, and these tasks frequently get moved to the bottom of the project list. While automation can help, applying critical patches to equipment or systems that require around-the-clock uptime requires maintenance windows and significant resources — and technology teams can too easily forego these tasks in the name of business continuity, without experiencing any immediate ramifications.

What Can You Do?

Fortunately, many companies are developing new, risk-based solutions that can be highly effective in addressing the persistent challenges that patching presents. CrowdStrike recommends the following practices for patch management and accountability to keep your organization safe, both now and once the current health crisis has passed:

Leverage a risk-assessment framework. Most organizations don’t treat vulnerability risk with the same seriousness as other enterprise risks. Organizations need vulnerability management and patching policies that define service-level agreements for both information security and IT teams, and both teams need to work together to define the systems they consider most critical. Then teams can create a priority list that shows what should be patched first and what operational risks are being taken for each system.

Use documentation to drive accountability. Information security and IT managers need to document why they are choosing to address specific vulnerabilities or patches but not others. The executive team should be responsible for signing off on the exceptions, validating that the organization is choosing to accept the risk. This hierarchy of vulnerability management can keep teams accountable and ensure that systems are patched in a timely manner.

Create a dedicated vulnerability management team. For organizations with sufficient resources, CrowdStrike recommends dedicating information security and IT personnel to vulnerability and patch management. This team is then accountable for identifying vulnerabilities and deploying patches quickly, guided by the risk-assessment framework described above. The key advantage is that information security leaders can produce metrics to assess the effectiveness of the program. Based on these metrics, the executive team may decide to increase investment in vulnerability and patch management.

Deploy patch prioritization and automation tools. Tools are available to assist and enhance how organizations operationalize patching efforts. Patch prioritization helps organizations make better decisions to reduce IT security risk, while patch automation solutions can dramatically reduce the turnaround time between identification of critical vulnerabilities and remediation. Patch prioritization and automation applications are available in the CrowdStrike Store.

Learn more about CrowdStrike Falcon^® Spotlight^TM vulnerability management solution by visiting the webpage.

Visit CrowdStrike’s central COVID-19 hub for guidance on how to best protect your organization during these unprecedented times: CrowdStrike COVID-19 resource webpage.

Download the complete Services report for more observations gained from the cyber front lines in 2019 and insights that matter for 2020: CrowdStrike Services Cyber Front Lines Report.

Additional Resources:

• Watch an on-demand webcast that takes a deep dive into the findings, key trends and themes from the report: CrowdStrike Cyber Front Lines Report CrowdCast.
• Read a report overview by CrowdStrike CSO and Services President Shawn Henry.
• Learn more about the CrowdStrike Services team and how it can help your organization improve your cybersecurity readiness by visiting the webpage.
• Learn more about the powerful CrowdStrike Falcon® platform by visiting the webpage.
• Test CrowdStrike next-gen AV for yourself. Start your free trial of Falcon Prevent™ today.