Risk-based vulnerability management for effective patch management
Vulnerability management is the need of the hour now, observed Srinivas Mukkamala, CEO of RiskSense.
The deluge of news about ransomware and supply chain attacks shines a spotlight on vulnerabilities as one of the attack vectors hackers are exploiting to break into IT environments.
It’s not just about the bad guys entering your IT environment to steal or compromise data. Sri wanted to point out that there is a very real impact on the supply chain, one that can disrupt the delivery of products and services by food vendors, fuel stations, hospitals, and more, to consumers like you and me.
This is due to unpatched systems that allow hackers to exploit the vulnerabilities they expose. Cyberattacks like ransomware also start to become prevalent because after incident response (IR) and recovery, there is usually no remediation. Vulnerabilities usually remain unpatched.
“So suddenly patch management and vulnerability management are becoming very, very important,” Sri pointed out.
As of the end of July 2021, Ivanti has acquired RiskSense, enabling the integration of two capabilities that are powerful and relevant given the current threat landscape.
There is also a very compelling reason for these two areas to integrate as Sri finds it helps to strengthen the WHY behind a particular machine being patched.
Sri explained, “Ivanti has the best patch management data. RiskSense has the most comprehensive vulnerability and threat data. And, you have to remember, that current patch management solutions do not have the reason, nor the context to prioritise (which machines to patch).
“That’s the beauty of it. The why, what and how is addressed by both companies coming together. The time it takes to understand the problem and act on it is now brought down to two minutes, and not hours or days.”
Managing vulnerabilities and patches together
Sri also described the long history of standoffs that usually occur between patch management operations and vulnerability management reports.
“There is almost always disagreement, with two different views about what is happening in the environment (that is potentially compromised). So, the patch management team has to know the vulnerabilities and threats associated with it for them to make the context-informed decision.
“Today’s solutions don’t give that context. They usually inform about which patch is missing and stop there,” Sri observed.
That’s where RiskSense comes in with their vulnerability and threat intelligence.
To be precise, there are 205,000 known vulnerabilities in the industry today.
Depending on the size of your network (and number of systems), that can go into millions or billions, Sri said.
“This means it is humanly impossible to address them, even with automation,” he added.
So, there is a need to prioritise, and as a result the idea of a risk-based approach has come about.
Risk-based vulnerability management is all about understanding the risk of that vulnerability within your environment. RiskSense takes this understanding further by also informing about all the known exploits out there on the Internet that might take advantage of that vulnerability.
In this way, patch management will know which vulnerability to prioritise first.
Sri said, “So from the patch management perspective, it is moving to becoming risk-based as well. For example, I know have a system and I know these are the patches that are missing. But which patches if I do not fix, will pose the most risk?
“This is what people are interested in.”
The common thread in risk-based vulnerability management and risk-based patch management is the attacker instinct, or the threat context. This will help you prioritise.
“Patching without threat-context is not effective. Yet many IT and security teams attempt to patch every vulnerability,” said Michael Montoya, a Fortune 500 Chief Information Security Officer.
“The combination of Ivanti and RiskSense is going to drive real value for organisations by enabling them to identify their prioritised vulnerability weaknesses and then accelerate remediation.”
How reliable is patching?
Sri admitted that applying patches is one of the scariest things to do on legacy systems.
“This is for a couple of reasons, for example if people left and you don’t know who developed the core system, you don’t know what the inter-dependencies are. And if you don’t know what business processes will break, you don’t want to touch that system, right?”
However, Sri observed that more current systems are a lot more resilient. “Patching and patches are a lot more thought through. The vendors are testing thoroughly and doing some interesting work.
“In the past, there were challenges like systems crashing, breaking, blue screens, and all that memory wall runs… you really don’t see that (now).”
In fact, as part of its patch intelligence, Ivanti now also provides a patch reliability report that shows, for example, the reliability of a patch as a percentage when it is applied to a certain number of assets.
“This is amazing data that they are sharing with customers. It gives some level of assurance (that things will go smoothly) and also steps to mitigate if things do not go as planned.”
“There is a perceived scare about applying patch updates, but as a professional I can tell you, you will be more at risk not patching, than patching and bringing your systems down,” Sri concluded with emphasis.