Written by Liam Ryan, the Vice President for Asia Pacific, Ivanti
If you have not heard of risk-based patch management (RBPM), it is emerging as an approachable, logical and effective strategy in today’s volatile cybersecurity environment. And “volatile” might not even be a strong enough word.
How did we get here? Digital transformation and the shift to a remote and hybrid workforce have created tremendous opportunities for workers and employers alike to expand their geographic reach and rethink traditional business structures. Unfortunately, they have also created tremendous opportunity for cybercriminals to capitalise on this same shift, which has often been made without best practices and standards in place.
According to KPMG’s Cyber Security Considerations 2022 report, a whopping 10,016 cyber security incidents in Malaysia were reported to Cyber999, the cyber security incident response centre operated by MyCERT (Malaysia Computer Emergency Response Team). Of these incidents, 71 per cent were fraud-centric, while intrusion attempts and malicious code were the second and third most reported threats respectively.
With these challenges in mind, organisations are encouraged to:
Apply patches as soon as possible.
Disable unnecessary ports and protocols.
Replace end-of-life infrastructure.
Implement a centralised patch management system.
While cyberthreats rapidly increase, IT staffing shortages are creating an impossible situation where fewer people face more workload. Many IT teams have fallen into one of two camps:
Try to patch everything — or at least as much as possible.
Realise it is impossible to patch everything and give up on patching entirely.
The first strategy quickly leads to burnout, and since it is essentially impossible to patch everything, your team might spend lots of time on a minor threat while never getting around to patching what turns out to be a big one.
The second strategy is clearly not a viable solution, but it is understandable that so many IT teams are throwing up their hands in the face of mounting opposition. With vulnerabilities tied to ransomware increasing by 29 per cent over last year, doing nothing simply is not an option.
What Is Risk-Based Patch Management?
Fortunately, RBPM offers a third option: taking the high-percentage shot. Here are four reasons why RBPM is gaining traction as a beneficial approach for businesses:
RBPM is a pragmatic alternative to the “all or nothing” pitfalls described above. It is not about chipping away at the mountain of threats indiscriminately, nor is it about ignoring the threats and hoping they go away. Just like it sounds, RBPM entails strategic patching based on risk, making it a strategic middle ground.
RBPM is contextualised and tailored. It is not the same for everyone; an organisation’s strategy is based on the combination of external threat information and vulnerabilities, plus the unique security environment within the company itself. This makes it even more effective because it is not a blanket solution that can be easily circumvented by hackers once they figure out the way one company does it.
RBPM is faster and more efficient than other patch management strategies. With new threats cropping up constantly — and successful breaches wreaking havoc nearly instantaneously — speed is everything.
Finally, RBPM offers an opportunity to dismantle the often siloed security and IT operations departments. Since internal security environments and external threat evaluation are both essential components of RBPM, these departments can work cross-functionally to enhance each other’s work.
This, of course, is just a partial list. At the most basic level, RBPM indicates which threats should be moved to the top of the priority list so IT teams can make the best use of their time while addressing threats that are, statistically speaking, of the most concern. Thus, in addition to mitigating more important threats, RBPM has the very real benefit of making IT feel like they are gaining real ground (because they are), which impacts morale and offsets some of the burden of being understaffed and overwhelmed.
RBPM Best Practices
In order to get started with an RBPM strategy and solutions, companies will need to understand how to rank and respond to risks. In order to do so, they should:
Conduct asset discovery to identify the endpoints and users currently in play. After all, you cannot patch what you do not know about.
Ensure that everyone can access the same information. RBPM efficiency hinges on synchronicity between all parties, especially IT ops and security teams.
Reduce the maintenance cycle by prioritising vulnerabilities and working on the most critical ones up front — with IT operations and security teams operating in parallel, using the same methodologies to prioritise risk.
Identify key stakeholders who can serve as pilot groups to prioritise and test patches. Pilot groups provide more accurate real-world information than can be gleaned from a controlled, test lab environment.
Consider automation options. Automation delivers a major win for RBPM, offering collection, contextualisation and prioritisation much faster and more accurately — with fewer resources tied up — than manual RBPM solutions.
Along with automation capabilities, you should look for a number of other elements in an RBPM solution, such as customisable dashboards, an alert system and a clear risk rating system. You will need threat insights with real-world context and the ability to consider unique risk factors. The solution should also offer heterogeneous support that covers different operating systems. Finally, of course, data is paramount. Ask potential platform vendors whether the solution offers diverse and custom data sources that can incorporate manual findings.
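To make the prioritisation idea concrete, the following is an added example (not Ivanti's code, product or scoring method) that ranks vulnerability findings by combining external threat context (exploitation in the wild, ransomware use) with internal asset context (criticality, internet exposure), and sets aside findings on hosts missing from the inventory, which is why asset discovery comes first. Asset names, vulnerability ids, CVSS values and weights are all constructed for illustration.

```python
# Added example, not Ivanti's code or scoring method: rank findings by combining
# external threat context (exploitation, ransomware use) with internal asset
# context (criticality, exposure), and set aside findings on unknown assets.
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int       # 1 (low) .. 5 (business critical), set by the owner
    internet_facing: bool

@dataclass(frozen=True)
class Finding:
    vuln_id: str           # constructed placeholder ids, not real CVEs
    asset: str
    cvss: float            # base severity, 0..10
    exploited_in_wild: bool    # external intel: exploitation observed
    ransomware_linked: bool    # external intel: used in ransomware campaigns

# Constructed inventory and scan output; "laptop-x" is deliberately missing
# from the inventory to show why asset discovery comes first.
INVENTORY = {a.name: a for a in [Asset("web-01", 5, True), Asset("lab-07", 1, False)]}
FINDINGS = [
    Finding("VULN-A", "web-01", 7.5, exploited_in_wild=True, ransomware_linked=True),
    Finding("VULN-B", "lab-07", 9.8, exploited_in_wild=False, ransomware_linked=False),
    Finding("VULN-C", "laptop-x", 8.1, exploited_in_wild=True, ransomware_linked=False),
    Finding("VULN-D", "web-01", 5.3, exploited_in_wild=True, ransomware_linked=False),
]

def risk_score(f, inventory):
    # Weights are illustrative; each organisation tunes them to its own environment.
    asset = inventory.get(f.asset)
    if asset is None:
        return None                       # unrated: nothing is known about the host
    score = f.cvss
    score *= 1.5 if f.exploited_in_wild else 1.0
    score *= 1.5 if f.ransomware_linked else 1.0
    score *= asset.criticality / 3        # a "medium" asset leaves CVSS unchanged
    score *= 1.25 if asset.internet_facing else 1.0
    return round(score, 1)

def prioritise(findings, inventory):
    # Returns (findings ranked by score, descending), (findings on unknown assets).
    rated, unknown = [], []
    for f in findings:
        s = risk_score(f, inventory)
        (unknown if s is None else rated).append((f, s))
    rated.sort(key=lambda fs: fs[1], reverse=True)
    return rated, unknown
```

Note that the CVSS 9.8 finding on the low-value lab host ranks last, behind a CVSS 5.3 finding on the internet-facing critical server: the external and internal context, not base severity alone, decides the patch order.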
Optimally, RBPM is part of a comprehensive risk-based vulnerability management programme. This type of programme can cut data breach incidents within an organisation by 80 per cent. It is a relatively simple reframing of patch management with the potential for major results. More importantly, IT teams need to move from a check-the-box treatment of device/infrastructure patching to a we-can-prevent-disasters-effectively operating model. That is what RBPM can give you and it is time to take it seriously.