Abhilash Radhadevi is a Cyber Security Leader with more than twenty years of combined experience in the Banking, Energy, and Technology services industries. He is skilled in Information & Cyber Security transformation programs covering security projects and operations, assurance, and GRC (Governance, Risk, and Compliance). He has a proven track record of effectively managing and mitigating cyber threats for multinational organizations. Abhilash’s extensive knowledge and expertise in the field of Cyber Security have enabled him to develop and implement comprehensive security strategies and frameworks that align with business objectives and compliance requirements. Abhilash was awarded Cyber Strategist of the Year 2023 by CXO Middle East Magazine.
We live in the Artificial Intelligence era; the digital revolution is sweeping the globe, and technology is evolving at a rapid pace. Dynamic changes in technology demand a corresponding change in cybersecurity practices. We have AI-driven cybersecurity solutions, and many organizations are embracing next-generation tools. However, certain old-school topics, the basics, are still overlooked by many organizations.
Patch management is one of the most fundamental and unavoidable facets of cybersecurity. Formal patch management processes date back to at least the early 2000s, and their purpose has not changed: they are the primary defense against known vulnerabilities. The process covers identifying, testing, and deploying security updates to hardware and software so that publicly known vulnerabilities cannot be exploited against you.
Roughly 147 million consumer records were exposed in the 2017 Equifax breach. The attackers exploited a vulnerability in Apache Struts for which a fix had been available for about two months. And what caused it?
“They failed to patch a basic vulnerability.”
Two figures are cited again and again on this subject (they come from industry surveys and should be read as indicative rather than precise):
– More than 90% of cyber-attacks target unpatched vulnerabilities.
– More than 80% of successful cyber-attacks exploit known vulnerabilities for which a patch was already available.
Leaving a system unpatched is like handing your house key to a stranger: they can walk in whenever they choose.
Is patch management difficult to adopt? Yes, indeed. In industry surveys, more than 70% of IT professionals describe patching as complex and time-consuming. Fast-tracking remediation is essential but hard, and it gets harder every month as the volume of patches released by software and hardware vendors keeps increasing.
CISOs and other cybersecurity managers are often busy evaluating the latest technology trends and controls, and the patch management process is neglected as a result. This article sheds light on the most common challenges in this area and their respective solutions.
1# Asset Inventory
One unpatched machine is all it takes for a threat actor to gain a foothold in the organization. With remote working, cloud services, and geographically dispersed server and client estates, keeping an asset inventory up to date is exceedingly challenging; many machines are seldom connected to the corporate network. Yet a complete inventory of hardware and software assets is essential for insight and visibility into the entire environment. Put simply, we cannot protect what we do not know we have.
Asset management is a baseline requirement not only for patch management but for any cybersecurity program that aims to reduce the impact of security risks.
- Asset Management Policy: An asset management policy should be part of the business and technology strategy, because the success of any cybersecurity program depends on it. The policy connects top leadership to day-to-day operations and aligns asset management with business and cybersecurity objectives. The inventory should be treated as the heart of any patch management initiative.
- Automation of the asset management process: Many organizations still inventory their IT assets manually, which is time-consuming and error-prone. From a technology standpoint, it is wise to invest in automated discovery tools to build the inventory, and to keep using them to monitor and track assets continuously. The asset management system should be deployed centrally so that it can reach the entire dispersed estate: remote offices, remote workers, cloud accounts, and data centers. Discovery also reveals the gaps a register alone cannot: hosts that exist but were never recorded, and recorded hosts that have not been seen for weeks and therefore cannot be confirmed as patched.
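The reconciliation step described above, as an added example that is not part of the original article or of any particular product: it compares what the asset register (CMDB) believes exists with what automated discovery actually observed, and reports unknown hosts, hosts not seen recently enough to verify, and hosts never seen at all. All hostnames, timestamps, and the 30-day staleness threshold are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data: hypothetical hosts, not from any real environment.
# CMDB_RECORDS is what the asset register says exists; DISCOVERY_SIGHTINGS is
# what automated discovery (agents, network scans, cloud APIs) actually observed.
CMDB_RECORDS = [
    {"hostname": "fin-app-01", "owner": "finance", "location": "dc-east"},
    {"hostname": "fin-db-01", "owner": "finance", "location": "dc-east"},
    {"hostname": "hr-lt-0042", "owner": "hr", "location": "remote"},
    {"hostname": "legacy-print-01", "owner": "facilities", "location": "branch-07"},
]

DISCOVERY_SIGHTINGS = [
    {"hostname": "fin-app-01", "source": "network-scan", "last_seen": "2024-05-20T03:00:00"},
    {"hostname": "fin-db-01", "source": "agent", "last_seen": "2024-05-20T02:30:00"},
    {"hostname": "fin-db-01", "source": "network-scan", "last_seen": "2024-05-18T03:00:00"},
    {"hostname": "hr-lt-0042", "source": "agent", "last_seen": "2024-04-02T09:15:00"},
    {"hostname": "dev-vm-77", "source": "cloud-api", "last_seen": "2024-05-19T22:00:00"},
]

# Fixed "current time" so the example is reproducible.
NOW = datetime(2024, 5, 20, 12, 0, 0)


def latest_sightings(sightings):
    """Collapse multiple discovery sources to the most recent sighting per host."""
    seen = {}
    for s in sightings:
        ts = datetime.fromisoformat(s["last_seen"])
        if s["hostname"] not in seen or ts > seen[s["hostname"]]:
            seen[s["hostname"]] = ts
    return seen


def reconcile(cmdb, sightings, now, stale_after_days=30):
    """Compare the asset register with discovery data.

    unknown : observed by discovery but absent from the CMDB (shadow IT, forgotten VMs)
    stale   : in the CMDB but not observed within stale_after_days, so its patch
              state cannot be confirmed (typical for rarely connected remote devices)
    missing : in the CMDB but never observed by any discovery source
    """
    known = {r["hostname"] for r in cmdb}
    seen = latest_sightings(sightings)
    cutoff = now - timedelta(days=stale_after_days)
    unknown = set(seen) - known
    stale = {h for h in known if h in seen and seen[h] < cutoff}
    missing = known - set(seen)
    return unknown, stale, missing


def coverage_report(cmdb, sightings, now, stale_after_days=30):
    """Summarise how much of the inventory a patch run can actually verify."""
    unknown, stale, missing = reconcile(cmdb, sightings, now, stale_after_days)
    total = len(cmdb)
    verifiable = total - len(stale) - len(missing)
    return {
        "inventory_size": total,
        "verifiable": verifiable,
        "verifiable_pct": round(100.0 * verifiable / total, 1) if total else 0.0,
        "unknown": sorted(unknown),
        "stale": sorted(stale),
        "missing": sorted(missing),
    }


if __name__ == "__main__":
    for key, value in coverage_report(CMDB_RECORDS, DISCOVERY_SIGHTINGS, NOW).items():
        print(f"{key:15} {value}")
```

On the constructed data the report shows that only half of the register can be verified: one recorded laptop has not been seen in over a month, one printer has never been seen by any source, and a cloud VM exists that nobody registered. Each of those is a machine a patch run would silently skip.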
2# Coordination and Communication
Patch deployment involves multiple teams: security, application, infrastructure, and the business. Prompt deployment with minimal risk of business interruption depends on coordination and communication. For example, teams with different priorities can delay a deployment, and if a maintenance window is not coordinated, the agreed downtime may be missed or may itself disrupt the business. Complex organizational structures, competing priorities, and a weak collaboration culture can all cause the patch deployment process to fail.
- Patch Management Policy: A standard patch management policy should define roles, responsibilities, communication channels, and remediation timelines for everyone involved in the activity. The policy links senior management to the process. Patch management then stops being an IT security responsibility alone: the business and system owners become accountable for ensuring that their digital assets are updated regularly in line with the policy.
- Patch Management Team: Create a patch management team drawn from the areas of technology and business named in the policy, so that the communication channels and escalation procedures are actually used. Leadership should encourage collaboration within this team through dashboards, status reports, and training.
3# System stability issues and downtime
Most of us in technology have seen compatibility problems, performance degradation, or outages during and after patch deployment. In larger organizations with many IT assets, deployment is time-consuming and needs dedicated personnel. System crashes and data loss can occur unintentionally, which is why patch deployment is a daunting activity for IT staff and leaders alike.
- Patch testing and automation of patch deployment: Testing patches in a controlled environment that mirrors production is one of the best ways to address this issue. Establish a patch management process that lets the IT team plan, test, and prioritize deployments: critical patches are tested and deployed as soon as possible, while important, moderate, and low-severity ones follow the regular schedule. To cut the time and resources required and to stay consistent across all systems, use automated patch deployment tools. A staged rollout, from a test ring to a pilot group and then to production, lets problems surface on a few machines before they reach the whole estate.
- Rollback plan: The patch management process should include a solid rollback plan so that systems can be reverted to their previous state. Taking a full system backup or an image snapshot immediately before deployment, and verifying that it actually restores, is the most reliable way to tackle this challenge. Not every change rolls back cleanly, however: firmware updates and patches that alter data formats or database schemas may need a vendor-documented downgrade path rather than a snapshot.
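The prioritization and staged rollout described in this section, as an added example that is not part of the original article: each patch gets a remediation deadline from its severity, every host/patch pair is classified as compliant, due, or overdue, and a patch is only offered to the next deployment ring once the previous ring is complete. The SLA days, ring names, patch identifiers, and hosts are all illustrative assumptions, not figures from the article or from any vendor.

```python
from datetime import date, timedelta

# Assumed remediation SLA: days allowed from vendor release to full deployment,
# by severity. These are illustrative policy values, not figures from the article.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}

# Deployment rings in promotion order. A patch is only offered to a ring once
# every host in the preceding ring already has it installed.
RINGS = ["test", "pilot", "production"]

# Constructed sample data: hypothetical patch identifiers and hosts.
PATCHES = [
    {"id": "KB-0001", "severity": "critical", "released": date(2024, 5, 10)},
    {"id": "KB-0002", "severity": "medium", "released": date(2024, 5, 1)},
    {"id": "KB-0003", "severity": "low", "released": date(2024, 3, 1)},
]

HOSTS = [
    {"hostname": "test-web-01", "ring": "test", "installed": {"KB-0001", "KB-0002", "KB-0003"}},
    {"hostname": "pilot-web-01", "ring": "pilot", "installed": {"KB-0001", "KB-0003"}},
    {"hostname": "prod-web-01", "ring": "production", "installed": {"KB-0003"}},
    {"hostname": "prod-web-02", "ring": "production", "installed": set()},
]

# Fixed "today" so the example is reproducible.
TODAY = date(2024, 5, 20)


def deadline(patch):
    """Date by which the patch must be on every in-scope host."""
    return patch["released"] + timedelta(days=SLA_DAYS[patch["severity"]])


def next_ring(patch_id, hosts):
    """First ring that still has hosts missing the patch, or None when fully deployed.

    Rings are checked in order, so production is never returned while the test
    or pilot ring is incomplete: that is the staged rollout the text describes.
    """
    for ring in RINGS:
        if any(patch_id not in h["installed"] for h in hosts if h["ring"] == ring):
            return ring
    return None


def compliance(hosts, patches, today):
    """Classify every host/patch pair as compliant, due (inside SLA) or overdue."""
    rows = []
    for p in patches:
        due = deadline(p)
        for h in hosts:
            if p["id"] in h["installed"]:
                status = "compliant"
            elif today > due:
                status = "overdue"
            else:
                status = "due"
            rows.append({"hostname": h["hostname"], "patch": p["id"],
                         "severity": p["severity"], "deadline": due, "status": status})
    return rows


def work_plan(hosts, patches, today):
    """Order patches by urgency: most overdue hosts first, then nearest deadline.

    Each entry also names the ring to target next, so an operator sees both
    what is urgent and where it is currently safe to deploy.
    """
    rows = compliance(hosts, patches, today)
    plan = []
    for p in patches:
        overdue = sorted(r["hostname"] for r in rows
                         if r["patch"] == p["id"] and r["status"] == "overdue")
        plan.append({"patch": p["id"], "severity": p["severity"], "deadline": deadline(p),
                     "overdue_hosts": overdue, "next_ring": next_ring(p["id"], hosts)})
    plan.sort(key=lambda e: (-len(e["overdue_hosts"]), e["deadline"]))
    return plan


if __name__ == "__main__":
    for entry in work_plan(HOSTS, PATCHES, TODAY):
        print(entry)
```

On the constructed data the critical patch is already overdue on both production hosts and has cleared the test and pilot rings, so production is the correct next target; the medium patch, by contrast, is still missing from the pilot ring and must not be pushed to production yet even though its deadline is approaching.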
Although patch management is extremely important, it can become a painful task because of complexity, resource constraints, and fear of disruption. Do not let that stop you: use the strategies explained in this article to keep vulnerability-related exposure within your organization's risk tolerance. The importance of patch management cannot be overstated, since threat actors are constantly scanning for vulnerabilities in software and systems.
In essence, we should focus on building a comprehensive cybersecurity strategy that follows the latest trends such as AI without forgetting the essentials such as patch management. Let us fix the basics first while investing in the latest technology controls.