The security world is on fire, and the source of the conflagration isn’t just the deadly Omicron variant. Companies are racing to patch what has been called the worst cyberattack in history, the zero-day exploit known as Log4j. Potentially hundreds of millions of computers are at risk, government officials have warned, and sophisticated, state-sponsored attackers are racing to exploit these newfound vulnerabilities.
The race to patch systems and evade a wave of attackers could not come at a worse time. The enormous shift to remote work during the COVID-19 pandemic has increased the complexity of software patch management. And in record time.
“It has been more difficult to patch as a result of people being at home,” says Nicole Ford, chief information security officer (CISO) at Carrier, the air-conditioning giant located in Palm Beach Gardens, Fla. “We have a proliferation of devices that people use now that they are remote. We need more visibility into these devices.”
In the remote workplace, employees collaborate across sometimes great distances, and they gain access to corporate networks, data, and services using a range of devices, many of them not secure. As a result, 57% of IT and security professionals said remote work makes patching more complex, an October survey by Ivanti found. In general, 71% view patching as overly complex and time-consuming.
So while the government is asking organizations to rev into patching mode at warp speed, the reality is that— thanks to COVID and so many of us working from home—many businesses and government agencies are finding the process more difficult than ever. The Log4j emergency highlights the vital need for organizations not just to patch but also to have a calibrated patching strategy in place, one that incorporates both protective monthly routines and emergency task management.
The need for a reinvigorated vision of patching is relatively new.
“Patching has become significantly more complex because the attack surface area has gone up so much,” says Phil Reitinger, president and CEO of the Global Cyber Alliance, a former CISO at Sony, and a top cybersecurity official in the Obama administration. He says the old paradigm was that everyone showed up at work, turned on their desktop computer, and remained inside the corporate perimeter all the time. “That is just completely gone,” he says. “The pandemic accelerated the movement away from a parameterized network by a significant order of magnitude.”
Serguei Sviatyi, cloud administrator at Pennsylvania-based IPS-Integrated Project Services, a technology consulting firm, agrees.
Patching has become significantly more complex because the attack surface area has gone up so much.
“Work from home and remote work have brought a real and significant shift in the way medium- and large-size companies have to think about and perform patching,” he says. “Almost all of our endpoints and workstations now are outside of the protections corporate networks offered. This makes it harder to reach and verify that computers have been patched.”
Patching is often seen as one of the simplest and best weapons to combat cybercriminals. It can be tricky in practice, however. Hackers take full advantage of slow patch management systems. Meanwhile, fully automating patching systems can seem like a good idea in terms of speed, but it can have drawbacks.
Sometimes the patches that software companies release are themselves problematic, and it can be hard to mitigate their negative side effects effectively with fully automated processes. The preferred middle path is to automate most aspects of monthly patching while still testing sufficiently before patch rollout.
How to fix the patching crisis
To address these challenges, companies can approach patching in three ways, according to Sviatyi. Each of them entails some positives and negatives.
The first approach: “Roll your own infrastructure and manage the patching,” Sviatyi says. The upside is that you do not rely on outside parties and have full patching control. “The downside is that there is significant investment in infrastructure and qualified engineering required to pull this off successfully,” he says. “This is made even harder by having to do patching on a monthly or even weekly basis.”
A second approach: Outsource the patching task to external providers. This strategy is helpful if the organization does not have internal resources to properly set up and maintain infrastructure.
But that also means the organization must give significant access privileges to a third party. That can lead to breaches. “As incidents with SolarWinds and Kaseya show, that reliance and trust could be exploited by threat actors with devastating effect,” Sviatyi says.
The third and most effective approach: automated patch management. Patching one piece of software is a relatively simple process. But when your environment includes hundreds or thousands of devices with software and systems that are physical, virtual, and cloud-based, you need something more effective.
Automated patch management allows businesses to scan their network environments for devices and applications with missing patches, automatically downloading patches that are released by application vendors and deploying other patches based on a variety of deployment policies. These capabilities allow organizations to quickly patch full environments, reduce the patch window, and minimize risk exposure.
While these processes can be performed manually, it’s not recommended. Not only do manual processes stress an already strained IT team, they often introduce errors and are an ineffective use of time. In fact, 60% of businesses report that IT security spends more time navigating manual processes than responding to vulnerabilities, which leads to an insurmountable response backlog.
Patch management is critical in ensuring that vulnerabilities don’t go unaddressed. While a more secure environment is the main reason why many organizations adopt a patch management solution, it has other benefits, too. These include:
- Improved productivity. Patching ensures that your software is functioning correctly and efficiently.
- Regulation compliance. Implementing patch management is commonly required by a number of security frameworks or standards. If an organization isn’t patching, it could be subject to fines from regulators.
- Accelerated innovation. Patching provides organizations with a way to deploy updates to improve their own software features and functionality. In a competitive business environment, any innovation advantage is a value-add.
It takes a team
J. Michael Daniel, who was cybersecurity czar to President Obama and is now CEO of the Cyber Threat Alliance, says organizations should launch an education plan to get everyone on board with the importance of patch management. “Members and employees should be encouraged to update their devices,” he says. “Devices have to be updated if they are going to be connected to the system.”
At the same time, technologists in organizations need to assess the optimal time to patch. “An update can’t come in the middle of the day during important client meetings,” Daniel says. “You can’t interfere with business operations.”
A lot of large businesses inevitably end up writing ‘glue code’ to move data from different software providers.
For smaller organizations, the move to a continuous update and patching cycle will result in better protected systems overall, Sviatyi says. “Those companies generally don’t have staff and resources to dedicate to rolling out updates.”
New patching strategies can also reduce workloads for providers that support small businesses. That lets them simply check for patching status instead of pushing patches and fixes. For big organizations, the situation may be different.
“A lot of large businesses inevitably end up writing ‘glue code’ to move data from different software providers,” Sviatyi says. Such code can rely on an API and scheduled tasks to avoid duplicating data or even to perform critical functions. That means large businesses may hesitate to upgrade.
If organizations use software that has a discovered vulnerability every month, but a fix is only offered in a new version, they may have to rewrite their digital code to ensure the latest protection.
“Companies end up locked into insecure software due to the lack of available resources to change internal processes and techniques,” says Sviatyi. “Work from home has made protecting [software] even more difficult.”