Organizations are facing a cyber threat landscape where cybercriminals have access to an ever-increasing number of potential attack vectors. Each year, tens of thousands of new software vulnerabilities are discovered and disclosed, more than any organization could effectively manage.
Protecting against cyber threats in a time of rampant vulnerability growth requires a more intelligent approach to patching. By properly prioritizing patches, based upon cyber threat intelligence, it is possible for organizations to patch vulnerabilities before they are exploited without becoming overwhelmed.
The Growing Threat of Software Vulnerabilities
Software vulnerabilities are becoming more common, largely because the amount of software in production use keeps growing. The rate of programming errors within an application depends on a number of factors, including the programming language in use (some have built-in protections against certain vulnerability classes), the experience of the developers, and the maturity of the organization’s software review and quality assurance program.
While the use of a more secure language, experienced developers, and strong DevSecOps practices can reduce the number of bugs in the code an organization produces, they do not eliminate them entirely. Exploitable vulnerabilities are only a subset of these programming errors, but they remain plentiful in production code.
This fact is demonstrated by the number of new vulnerabilities discovered and reported in 2019. According to Risk Based Security’s Annual Report, over 22,000 new vulnerabilities were discovered and reported that year, and a third of them were rated as “high severity” based upon a Common Vulnerability Scoring System (CVSS) score of 7 or higher.
Organizations Cannot Patch Every Vulnerability
Most organizations are not impacted by every vulnerability discovered and reported in a given year. Each vulnerability report affects a particular piece of software or product line, and an organization is only affected if it runs that software. However, for each disclosed vulnerability that does apply, the workload for an organization’s in-house security team can be significant. Patching requires multiple stages: identifying that the vulnerability exists in the environment, determining whether a patch is available, testing the patch, applying it, and verifying that it was applied correctly.
Even if all of these steps go smoothly, an organization has put significant work into fixing a single vulnerability, and things can go wrong at every stage of the process. According to Risk Based Security, over 600 vulnerabilities for which a CVE identifier was reserved in 2019 have not yet had their details publicly disclosed. A further large share of disclosed vulnerabilities has no patch available at all.
Assuming that a patch is available, an organization needs to deploy it within their environment. In some cases, like critical infrastructure, a patch may break core functionality, making it impossible to deploy. In others, it may be impossible to deploy patches in an automated fashion, requiring the security team to patch hundreds or thousands of machines manually. Finally, a patch may not apply correctly, meaning that the security team must work to identify the issue, fix any new issues created by the broken patch, and reapply it.
Scalable Vulnerability Management Requires Prioritized Patching
For most organizations, patching every vulnerability within their network is not a feasible solution. However, it may not be necessary to do so. The existence of a vulnerability, in and of itself, is not a huge problem for an organization. The problem begins when a cybercriminal attempts to take advantage of an unpatched vulnerability in order to gain access to an organization’s systems and network.
From a security perspective, the most important thing is that the organization patches a vulnerability before it is exploited. For the 62% of new 2019 vulnerabilities for which no exploit or proof of concept (PoC) is known to exist, patching the vulnerability may not be necessary.
Determining which vulnerabilities to patch and in what order requires access to robust cyber threat intelligence. In many cases, it is obvious which vulnerabilities are actively exploited in the wild. For example, the EternalBlue SMB vulnerability used in the WannaCry ransomware attacks and the Apache Struts vulnerability exploited in the Equifax hack were both known to be actively exploited in the wild for months before these events occurred.
However, for other threats, or to get ahead of the curve, more granular data may be required. For example, access to a cyber threat index may indicate that cybercriminals are focusing their efforts on cross-site scripting (XSS) vulnerabilities in order to spread payment card skimming malware. If this is the case, organizations should focus their patching efforts on XSS as well.
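The prioritization described in the preceding paragraphs (CVSS severity, whether an exploit or PoC exists, whether active exploitation has been reported, and whether threat intelligence shows a vulnerability class trending) can be expressed as a simple scoring function over a vulnerability inventory. The following is an added example written for this article, not code from the article's author or from any vendor; the inventory entries, the CVE-style identifiers, the weights and the action thresholds are all constructed for illustration and would be replaced by an organization's own data and risk appetite.

```python
from dataclasses import dataclass

@dataclass
class Vuln:
    """One entry from a (constructed) vulnerability inventory."""
    cve: str                 # placeholder identifier, not a real CVE
    product: str
    cvss: float              # base score, 0.0 - 10.0
    exploit_public: bool     # exploit code or a PoC is publicly available
    exploited_in_wild: bool  # threat intelligence reports active exploitation
    vuln_class: str          # e.g. "xss", "rce", "dos"
    internet_facing: bool    # asset exposure from the organization's own CMDB
    patch_available: bool    # vendor fix exists

# Constructed sample inventory (ids and products are placeholders).
INVENTORY = [
    Vuln("CVE-0000-0001", "web-portal",    9.8, True,  True,  "rce",       True,  True),
    Vuln("CVE-0000-0002", "intranet-wiki", 6.1, True,  False, "xss",       False, True),
    Vuln("CVE-0000-0003", "billing-api",   7.5, False, False, "dos",       True,  True),
    Vuln("CVE-0000-0004", "checkout",      6.5, True,  False, "xss",       True,  False),
    Vuln("CVE-0000-0005", "hr-tool",       4.3, False, False, "info-leak", False, True),
]

# Assumed weights: evidence of real-world exploitation dominates raw severity.
W_IN_WILD, W_PUBLIC_EXPLOIT, W_TRENDING, W_EXPOSED = 10.0, 4.0, 3.0, 2.0
HIGH_SEVERITY = 7.0  # CVSS >= 7 is "high severity", as in the article

def priority_score(v, trending_classes=frozenset()):
    """Higher score means patch sooner. CVSS is the base; intel adds on top."""
    score = v.cvss
    if v.exploited_in_wild:
        score += W_IN_WILD
    if v.exploit_public:
        score += W_PUBLIC_EXPLOIT
    if v.vuln_class in trending_classes:
        score += W_TRENDING
    if v.internet_facing:
        score += W_EXPOSED
    return score

def recommended_action(v, trending_classes=frozenset()):
    """patch / mitigate (no vendor fix: virtual patch or compensating control) / defer."""
    if not v.patch_available:
        return "mitigate"
    if (v.exploited_in_wild or v.exploit_public
            or v.vuln_class in trending_classes or v.cvss >= HIGH_SEVERITY):
        return "patch"
    # No exploit known, not trending, not high severity: the article's
    # "patching may not be necessary" bucket. Revisit when intel changes.
    return "defer"

def rank_for_patching(vulns, trending_classes=frozenset()):
    """Return [(cve, score, action)] sorted by descending score."""
    trending = frozenset(trending_classes)
    ranked = [(v.cve, priority_score(v, trending), recommended_action(v, trending))
              for v in vulns]
    return sorted(ranked, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    # Threat index (constructed) says XSS is trending, as in the article's scenario.
    for cve, score, action in rank_for_patching(INVENTORY, {"xss"}):
        print(f"{cve}  score={score:5.1f}  action={action}")
```

Note that the entry without a vendor patch (the internet-facing checkout XSS) still ranks second: the absence of a fix does not lower the risk, it only changes the response from "patch" to "mitigate", which is where the virtual patching discussed later in the article comes in. The low-severity entry with no known exploit is the one that is deferred rather than worked immediately.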
A Scalable Approach to Vulnerability Management
With over 22,000 new vulnerabilities in a year, most organizations are incapable of keeping up with patching all of the new vulnerabilities discovered in their systems. A different, more scalable approach is required. Part of this is deploying the right tools for the job. Security solutions like a web application firewall (WAF) and runtime application self-protection (RASP) can perform “virtual patching”, enabling an organization to protect applications against attack without going through a lengthy patching process.
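To make the “virtual patching” idea concrete, here is an added example of the kind of rule a WAF or RASP layer applies in front of an unpatched endpoint. It is written for this article and is not code from the article's author or from any WAF or RASP product; the endpoint path, parameter names, rule id and the XSS-oriented pattern are constructed placeholders. The rule is deliberately scoped to the one endpoint and the inputs the vulnerability involves, so that it blocks the attack traffic the patch would have stopped without turning into a site-wide filter with a high false-positive rate.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed rule set: one rule per known, not-yet-patched weakness.
# The id, path, parameter names and pattern are placeholders for this example.
VIRTUAL_PATCHES = [
    {
        "id": "VP-0001",
        "path": "/checkout",
        "params": ("coupon", "note"),   # only the inputs the weakness involves
        "pattern": re.compile(r"<\s*/?\s*script|javascript\s*:|on[a-z]+\s*=", re.I),
        "note": "reflected XSS in checkout form; vendor patch pending",
    },
]

def decode_params(query):
    """Parse the query string and decode values a second time.

    parse_qsl already percent-decodes once; the extra unquote_plus normalizes
    doubly encoded values so the rule inspects them in plain form. This is a
    normalization step real WAFs perform; a filter without it is trivially
    evaded by encoding the payload twice.
    """
    pairs = parse_qsl(query, keep_blank_values=True)
    return {k: unquote_plus(v) for k, v in pairs}

def inspect_request(path, query, rules=VIRTUAL_PATCHES):
    """Return ("block", rule_id, param) on a match, else ("allow", None, None)."""
    params = decode_params(query)
    for rule in rules:
        if path != rule["path"]:          # rule applies to one endpoint only
            continue
        for name in rule["params"]:
            if rule["pattern"].search(params.get(name, "")):
                return ("block", rule["id"], name)
    return ("allow", None, None)

def handle(environ):
    """WSGI-style entry point: decide before the vulnerable handler runs."""
    verdict, rule_id, param = inspect_request(environ.get("PATH_INFO", ""),
                                              environ.get("QUERY_STRING", ""))
    if verdict == "block":
        # In production this event is also logged for the SOC; the rule id ties
        # the block back to the vulnerability it stands in for.
        return "403 Forbidden", f"blocked by virtual patch {rule_id} (param {param})"
    return "200 OK", "passed to application"

if __name__ == "__main__":
    for env in (
        {"PATH_INFO": "/checkout", "QUERY_STRING": "coupon=SAVE10&note=thanks"},
        {"PATH_INFO": "/checkout", "QUERY_STRING": "note=%3Cscript%3Ealert(1)%3C/script%3E"},
        {"PATH_INFO": "/about",    "QUERY_STRING": "q=%3Cscript%3E"},
    ):
        print(env["PATH_INFO"], env["QUERY_STRING"], "->", handle(env))
```

A virtual patch of this kind buys time rather than closing the hole: the vulnerable code is still present, so the rule should be tracked against the vulnerability it covers and retired once the real patch is deployed, and it should be reviewed whenever the threat intelligence about the vulnerability changes.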
The other half of scalable vulnerability management is properly prioritizing patching. By taking advantage of threat intelligence, an organization can determine the vulnerabilities most likely to be exploited by an attacker and patch those before they are used rather than wasting precious resources on vulnerabilities that cybercriminals are more likely to overlook or ignore.