If you haven’t heard of risk-based patch management (RBPM), it is emerging as an approachable, logical and effective strategy in today’s volatile cybersecurity environment. And “volatile” might not even be a strong enough word.
How did we get here? Digital transformation and the shift to a remote and hybrid workforce have created tremendous opportunities for workers and employers alike to expand their geographic reach and rethink traditional business structures. Unfortunately, they have also created tremendous opportunity for cybercriminals to capitalize on the same shift, which has often been made without best practices and standards in place.
With these challenges in mind, the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) recently released a joint Cybersecurity Advisory urging organizations to:
• Apply patches as soon as possible.
• Disable unnecessary ports and protocols.
• Replace end-of-life infrastructure.
• Implement a centralized patch management system.
This advisory comes as cyber actors, including state-sponsored actors, “continue to exploit publicly known vulnerabilities in order to establish a broad network of compromised infrastructure.”
While cyberthreats rapidly increase, IT staffing shortages are creating an impossible situation where fewer people face more workload. Many IT teams have fallen into one of two camps:
1. Try to patch everything—or at least as much as possible.
2. Realize it’s impossible to patch everything and give up on patching entirely.
The first strategy quickly leads to burnout and, since it’s essentially impossible to patch everything, your team might spend lots of time on a minor threat while never getting around to patching what turns out to be a big one.
The second strategy is clearly not a viable solution, but it’s understandable that so many IT teams are throwing up their hands in the face of mounting opposition. With vulnerabilities tied to ransomware increasing by 29% over last year, according to my company’s research, doing nothing simply isn’t an option.
What Is Risk-Based Patch Management?
Fortunately, RBPM offers a third option: taking the high-percentage shot. Here are four reasons why RBPM is gaining traction as a beneficial approach for businesses:
1. RBPM is a pragmatic alternative to the “all or nothing” pitfalls described above. It’s not about chipping away at the mountain of threats indiscriminately, nor is it about ignoring the threats and hoping they go away. Just like it sounds, RBPM entails strategic patching based on risk, making it a strategic middle ground.
2. RBPM is contextualized and tailored. It’s not the same for everyone; an organization’s strategy is based on the combination of external threat information and vulnerabilities plus the unique security environment within the company itself. This makes it even more effective, because it’s not a blanket solution that can be easily circumvented by hackers once they figure out the way one company does it.
3. RBPM is faster and more efficient than other patch management strategies. With new threats cropping up constantly—and successful breaches wreaking havoc nearly instantaneously—speed is everything.
4. Finally, RBPM offers an opportunity to dismantle the often siloed security and IT operations departments. Since internal security environments and external threat evaluation are both essential components of RBPM, these departments can work cross-functionally to enhance each other’s work.
This, of course, is just a partial list. At the most basic level, RBPM indicates which threats should be moved to the top of the priority list, so IT teams can make the best use of their time while addressing threats that are, statistically speaking, of the most concern. Thus, in addition to mitigating more important threats, RBPM has the very real benefit of making IT feel like they’re gaining real ground (because they are), which impacts morale and offsets some of the burden of being understaffed and overwhelmed.
RBPM Best Practices
To get started with an RBPM strategy and the solutions that support it, companies need to understand how to rank and respond to risks. To do so, they should:
• Conduct asset discovery to identify the endpoints and users currently in play. After all, you can’t patch what you don’t know about.
• Ensure that everyone can access the same information. RBPM efficiency hinges on synchronicity between all parties, especially IT ops and security teams.
• Reduce the maintenance cycle by prioritizing vulnerabilities and working on the most critical ones up front—with IT ops and security teams operating in parallel, using the same methodologies to prioritize risk.
• Identify key stakeholders who can serve as pilot groups to prioritize and test patches. Pilot groups provide more accurate real-world information than can be gleaned from a controlled, test lab environment.
• Consider automation options. Automation delivers a major win for RBPM, offering collection, contextualization and prioritization much faster and more accurately—with fewer resources tied up—than manual RBPM solutions.
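The prioritization step above (and the "strategic patching based on risk" described in the previous section) is easier to see in code. The following is an added worked example, not the article's own material and not any vendor's scoring formula: a small Python scorer that combines CVSS severity with external threat signals (known to be exploited, linked to ransomware) and internal context (internet exposure, asset criticality), then emits a patch order. The weights, host names and vulnerability placeholders are constructed assumptions; a real program would pull these fields from a scanner, a known-exploited-vulnerabilities catalogue and an asset inventory.

```python
"""Risk-based patch prioritization: an added, illustrative example.

Not the article's or any vendor's scoring formula. The weights and the
sample inventory below are constructed assumptions chosen to show how
external threat intelligence (is it being exploited? is it tied to
ransomware?) and internal context (exposure, asset criticality) change
the patch order relative to raw CVSS severity.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Finding:
    """One vulnerable software instance on one asset (constructed sample data)."""
    asset: str
    vuln: str                   # placeholder identifier, not a real CVE
    cvss: float                 # base severity, 0.0-10.0
    known_exploited: bool       # e.g. listed in a known-exploited catalogue
    ransomware_linked: bool     # threat intel ties this flaw to ransomware campaigns
    internet_facing: bool       # internal context: reachable from outside
    asset_criticality: int      # internal context: 1 (low) .. 5 (crown jewel)
    eol_platform: bool = False  # no vendor patch will come; needs replacement


# Assumed weights (illustrative, not a standard). Threat signals and internal
# context are multipliers so they can re-order findings, not merely nudge them.
EXPLOITED_MULT = 2.0
RANSOMWARE_MULT = 1.5
INTERNET_FACING_MULT = 1.5
CRITICALITY_WEIGHT = 0.25   # criticality 1..5 -> 1.25x .. 2.25x


def risk_score(f: Finding) -> float:
    """Combine severity, threat intel and asset context into one number.

    CVSS supplies the base; everything else scales it. A CVSS 9.8 on an
    isolated low-value box can therefore rank below a CVSS 7.5 that is being
    exploited against internet-facing crown-jewel systems.
    """
    score = f.cvss
    if f.known_exploited:
        score *= EXPLOITED_MULT
    if f.ransomware_linked:
        score *= RANSOMWARE_MULT
    if f.internet_facing:
        score *= INTERNET_FACING_MULT
    score *= 1.0 + CRITICALITY_WEIGHT * f.asset_criticality
    return round(score, 2)


def prioritize(findings: List[Finding]) -> List[Tuple[Finding, float]]:
    """Return findings sorted highest risk first; ties broken by CVSS, then name."""
    scored = [(f, risk_score(f)) for f in findings]
    scored.sort(key=lambda fs: (-fs[1], -fs[0].cvss, fs[0].asset, fs[0].vuln))
    return scored


def action_for(f: Finding) -> str:
    """Map the advisory's recommendations onto a finding.

    Patch where a patch exists; an end-of-life platform cannot be patched and
    goes to the replacement queue instead, with exposure reduced meanwhile.
    """
    if f.eol_platform:
        return "replace end-of-life platform; restrict exposure until retired"
    return "patch"


# Constructed sample inventory: hypothetical hosts and placeholder vuln IDs.
SAMPLE_FINDINGS = [
    Finding("dev-sandbox-03", "vuln-A", 9.8, False, False, False, 1),
    Finding("vpn-gw-01",      "vuln-B", 7.5, True,  True,  True,  5),
    Finding("dc-01",          "vuln-C", 8.1, True,  False, False, 5),
    Finding("kiosk-legacy",   "vuln-D", 6.5, True,  False, True,  2, eol_platform=True),
    Finding("hr-laptop-17",   "vuln-E", 5.3, False, False, False, 2),
]


def patch_plan(findings: List[Finding] = SAMPLE_FINDINGS) -> List[Tuple[str, str, float, str]]:
    """(asset, vuln, score, action) in the order a team should work them."""
    return [(f.asset, f.vuln, s, action_for(f)) for f, s in prioritize(findings)]


if __name__ == "__main__":
    for asset, vuln, score, action in patch_plan():
        print(f"{score:7.2f}  {asset:15} {vuln:8} {action}")
```

Run as-is, the CVSS 9.8 flaw on the isolated development sandbox lands fourth, behind the exploited, ransomware-linked, internet-facing CVSS 7.5 on the VPN gateway and the exploited CVSS 8.1 on the domain controller. The end-of-life kiosk gets a replacement action rather than a patch action, mirroring the advisory's "replace end-of-life infrastructure" recommendation. Swap the constructed weights for ones agreed between IT ops and security so both teams rank by the same method.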
Along with automation capabilities, you should consider a number of other elements in an RBPM solution, such as customizable dashboards, an alert system and a clear risk rating system. You will need threat insights with real-world context and the ability to account for risk factors unique to your environment. The solution should also offer heterogeneous support that covers different operating systems. Finally, of course, data is paramount. Ask potential platform vendors whether the solution offers diverse and custom data sources that can incorporate manual findings.
Optimally, RBPM is part of a comprehensive risk-based vulnerability management program. This type of program can cut data breach incidents within an organization by 80%. It’s a relatively simple reframing of patch management with the potential for major results. More importantly, IT teams need to move from a check-the-box treatment of device/infrastructure patching to a we-can-prevent-disasters-effectively operating model. That’s what RBPM can give you, and it’s time to take it seriously.
Courtesy: https://www.forbes.com/sites/forbestechcouncil/2022/08/19/how-risk-based-patch-management-can-help-overcome-the-overwhelming-wave-of-cyber-threats/?sh=e833ae41e843