Patching is a thankless task. It’s unpredictable and unending, with new vulnerabilities rolling down the pipeline every single day. Security teams are all too often expected to simply grind their company through every flaw, but this approach has been shown to be unsustainable time and time again. FortiGuard’s new report, alongside virtual patching tools such as Runtime Application Self-Protection (RASP), is finally paving the way to efficient patch prioritization.
How Patching Became A Nightmare
The National Vulnerability Database (NVD) is a rapidly-growing list of production vulnerabilities maintained by the US government. Greatly reliant on the global Common Vulnerabilities and Exposures (CVE) list, both of these databases share the same common goal: to publish and educate on current cybersecurity threats.
Though the aim is lofty, the threat lists used by organizations around the world are bursting at the seams. Their usefulness as tools for fixing high-stakes vulnerabilities is hampered by sheer volume: in the first quarter of 2022 alone, the NVD grew by 8,051 entries. That’s 90 new bugs every single day, an astonishing amount in itself, but also indicative of a wider trend. Vulnerabilities are increasing exponentially, with Q1 2022 seeing a 22% increase over the same period the year before.
Although the visibility of exploits is at an all-time high, this has not translated into more secure organizations. Instead, the opposite seems to be true. Reports focusing on real-world vulnerability management are dire: organizations are still taking almost two months to remediate even the most critical bugs, and the mean time to remediate (MTTR) is stuck stubbornly at 60 days. Over half of vulnerabilities go undiscovered for years, and 17% had been sitting within the tech stack for over 5 years.
5-year-old vulnerabilities are a symptom of the problem. Alongside acting as ticking time bombs, these bugs also have wider ramifications for the regulations an organization must adhere to. The vast majority of these flaws completely invalidate payment card industry (PCI) compliance, representing serious regulatory issues for e-commerce and fintech businesses alike.
Known Flaws Are the Problem: Prioritization Is the Answer
The shift toward WFH and the ever-expanding hodgepodge of cloud-based and hybrid systems has exacerbated the issue facing many organizations: a bloated, swollen attack surface. Defending all of this at once is a task that would stress even the best-equipped industry, never mind a field that is chronically short-staffed. The ugly truth is simply that exploits will always outstrip the patching process. In an effort to make patching more efficient, most teams have chosen to prioritize by each vulnerability’s Common Vulnerability Scoring System (CVSS) score. This provides a snapshot, a numerical representation of each vulnerability’s severity. Following this methodology, a vulnerability scoring 9 will always be patched before one scoring 5.
However, CVSS scores are just that: base scores. They may represent the severity of a vulnerability, but they carry no information as to whether that risk poses a threat to your own environment. As a result, some cybersecurity teams are left patching 9s that offer no real-world risk of exploitation, while overlooking 7s that may be a ticking time bomb. Instead of adhering to an incomplete view of vulnerabilities, efficient patch prioritization requires the savvy cybersecurity team to think like a cybercriminal. The data is there to support this philosophy: throughout 2021, cybercriminals overwhelmingly focused on endpoint exploitation. It’s easy, highly replicable, and exploits the swollen perimeter.
Cybercriminals are highly dependent on existing exploits. Reusable exploit code offers excellent illicit ROI, since reuse is as easy as copying and pasting, then switching a few parameters. This is why patch prioritization is evolving, increasingly looking at data surrounding the exploitation of endpoints.
By combining IPS activity with endpoint detection data, DevSec teams are armed not just with flat lists of new vulnerabilities but with a three-dimensional view into the goals and tactics of their adversaries. This allows for reactive, agile defensive action, as endpoint detection can help remediate compromised devices while an attack is still in its early stages.
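The contrast drawn above, a CVSS-only ordering versus one weighted by IPS and endpoint evidence, as an added example that is not from the article or from FortiGuard’s report. The weighting scheme, the CVE placeholder ids and the sample counts are all constructed for illustration.

```python
"""Risk-based patch prioritization: a CVSS base score alone versus the same
score weighted by exploitation evidence from IPS and endpoint telemetry.
The weights are assumptions for illustration, not FortiGuard's method."""
from dataclasses import dataclass


@dataclass
class Vuln:
    cve: str                   # constructed placeholder ids, not real CVEs
    cvss_base: float           # 0.0 - 10.0 base score
    ips_hits: int = 0          # IPS signature matches for this flaw, last 30 days
    endpoint_hits: int = 0     # exploitation attempts seen by endpoint detection
    internet_exposed: bool = False  # asset reachable from the perimeter


def priority_score(v: Vuln) -> float:
    """Scale the base score by evidence the flaw is being exploited here.
    Endpoint detections count double: they mean the attack reached a host."""
    evidence = v.ips_hits + 2 * v.endpoint_hits
    exploit_factor = 1.0 + min(evidence, 50) / 50     # 1.0 .. 2.0 (assumed)
    exposure_factor = 1.25 if v.internet_exposed else 1.0
    return round(v.cvss_base * exploit_factor * exposure_factor, 2)


def rank_by_cvss(vulns: list) -> list:
    """The base-score-only ordering the article criticizes."""
    return [v.cve for v in sorted(vulns, key=lambda v: v.cvss_base, reverse=True)]


def rank_by_risk(vulns: list) -> list:
    """Ordering that accounts for real-world exploitation and exposure."""
    return [v.cve for v in sorted(vulns, key=priority_score, reverse=True)]


# Constructed sample: a critical flaw nobody is exploiting, a high-severity flaw
# under active attack on an exposed asset, and a medium flaw with some IPS noise.
SAMPLE = [
    Vuln("CVE-PLACEHOLDER-A", 9.8),
    Vuln("CVE-PLACEHOLDER-B", 7.5, ips_hits=30, endpoint_hits=10, internet_exposed=True),
    Vuln("CVE-PLACEHOLDER-C", 5.0, ips_hits=10, internet_exposed=True),
]

if __name__ == "__main__":
    print("by CVSS:", rank_by_cvss(SAMPLE))   # A, B, C
    print("by risk:", rank_by_risk(SAMPLE))   # B, A, C
```

The 7.5 under active attack on an exposed asset moves to the top of the queue, while the unexploited 9.8 drops to second.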
How Virtual Patching Can Take the Pressure Off
‘Virtual patching’ describes security policies that can be placed adjacent to vulnerable software. RASP is one such example: it wraps around the application itself, monitoring its internal behaviors. By learning its normal inputs, outputs, and mechanisms, RASP can then automatically detect and shut down suspicious or unexpected behaviors. Virtual patching is empowering DevSec teams to take patching on their own terms. With the immediate danger of exploitation removed, DevSec can take the time to properly test and apply permanent patches, helping guarantee that the application is protected. Alongside buying this additional time, virtual patching also allows mission-critical systems to remain online, granting you more freedom to carry out patch management in your own time. This, in turn, also mitigates the lost revenue, broken SLAs, and downtime caused by briefly taking systems offline.
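The RASP behavior described above, a policy that learns what normal input to a handler looks like and then blocks deviations without modifying the handler, as an added example that is not from the article or from any RASP product. The `InputProfile` thresholds, the `lookup_user` handler and the traffic it sees are all constructed assumptions; commercial RASP hooks the language runtime rather than decorating individual functions.

```python
"""RASP-style virtual patch as a decorator: learn a baseline of normal inputs
to a handler, then block calls outside it without touching the handler's code."""
import functools
import unicodedata

def char_classes(value: str) -> set:
    # Unicode categories used, e.g. 'Ll' letter, 'Nd' digit, 'Pc' underscore
    return {unicodedata.category(c) for c in value}

class InputProfile:
    """Baseline from known-good traffic. The 2x length margin is an assumption."""
    def __init__(self):
        self.max_len, self.classes, self.learning = 0, set(), True
    def observe(self, value: str) -> None:
        self.max_len = max(self.max_len, len(value))
        self.classes |= char_classes(value)
    def conforms(self, value: str) -> bool:
        return len(value) <= 2 * self.max_len and char_classes(value) <= self.classes

class BlockedByVirtualPatch(Exception):
    pass

def virtual_patch(profile: InputProfile, events: list):
    """Learn while profile.learning is True; enforce and log afterwards."""
    def decorate(handler):
        @functools.wraps(handler)
        def wrapper(value: str):
            if profile.learning:
                profile.observe(value)
            elif not profile.conforms(value):
                events.append(f"blocked {handler.__name__}: {value!r}")
                raise BlockedByVirtualPatch(handler.__name__)
            return handler(value)
        return wrapper
    return decorate

# Constructed demo: a handler we cannot modify or take offline right now.
PROFILE, EVENTS = InputProfile(), []
@virtual_patch(PROFILE, EVENTS)
def lookup_user(username: str) -> dict:
    return {"user": username, "found": username in {"alice", "bob_42"}}

def demo() -> list:
    """Outcome per call once enforcing: ordinary name, odd charset, oversized."""
    for name in ["alice", "bob_42"]:      # baseline traffic during learning
        lookup_user(name)
    PROFILE.learning = False
    outcomes = []
    for name in ["carol", "bob<>", "x" * 40]:
        try:
            lookup_user(name)
            outcomes.append("ok")
        except BlockedByVirtualPatch:
            outcomes.append("blocked")
    return outcomes
```

A baseline built from too little traffic will block legitimate inputs, so in practice the learning window runs long enough to cover the handler's real input variety before enforcement is switched on.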
Virtual patches also greatly improve regulatory compliance. Many organizations face the intensely tight industry deadline of 72 hours to implement patches. The PCI’s regulations are tight, as are those imposed by the European Union’s General Data Protection Regulation (GDPR).
At the moment, many of these organizations are simply trying, and failing, to keep their heads above the murky waters of non-compliance. It’s not just short-term time restrictions that virtual patching helps to solve, either. Legacy components in IT infrastructures are all too common, and updating them often exceeds the company’s own capabilities and budget. Instead of relying on chronically unsupported and unpatched software, organizations can have the best of both worlds. Finally, virtual patching provides flexibility. By reducing the need to roll out emergency and last-minute patches, your DevSec teams can breathe a sigh of relief, as they no longer need to identify the individual points in the network that each need a patch.
Now, instead of the focus being placed on the millions of exploits drifting around the ecosystem, security teams can zero in on the vulnerabilities that are actually being exploited in the real world. Approaching patching from this new standpoint helps transform it into an efficient, adaptable, and future-proof process.
Thanks for reading!!