On November 3, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a binding operational directive (BOD) requiring federal government organizations to patch approximately 300 specific software vulnerabilities known to be actively exploited by cybercriminals, a list that CISA will continually update. Private-sector organizations do not face this mandate, but CISA "strongly recommends" that they do the same.
This action is the latest in a series of federal directives over the past several months. They follow a White House executive order (EO) issued in May that laid out a comprehensive vision of cybersecurity and called for "bold changes and significant investments" to bolster cyber defenses. A major focus of the EO was protecting the software supply chain.
Increasing Importance Of Application Security
This focus on protecting applications is well-founded. According to recent research by the Ponemon Institute and IBM, 42% of companies that experienced a data breach discovered that the cause was a known but unpatched software vulnerability. This means that nearly half of incidents where data was compromised could have been prevented if organizations had kept up with their patches.
In some ways, I think this problem has caught many practitioners off guard over the past several years. Many organizations have largely ignored patching over the years — or, at least, have not made it a top priority. An Outpost24 study found that only 47% of organizations apply patches immediately, while 28% do so monthly or even less frequently.
This may have been reasonable when corporate networks were "walled gardens" where everything important sat behind a firewall. However, in case you haven't heard, many organizations now have Internet of Things (IoT) devices outside the perimeter that generate data, and sometimes even process it, at the network edge.
Challenges For Smaller Organizations
The fact that so much corporate traffic and so many resources are now outside the firewall means that timely management of software vulnerabilities is more important than ever. However, this is easier said than done. For small and midsize businesses (SMBs) and smaller enterprises, the challenge of patch management can be especially daunting.
One problem is resource bandwidth. Many smaller organizations don't have a large enough IT or security team to dedicate a team member solely to patch management; some still run IT as a one-person shop or with a very small team.
Another challenge is that servers typically must be taken offline for patching. While scheduled patches can be automated and set for the wee hours of the morning, emergency patches often must be applied immediately. Smaller organizations may not have robust failover capabilities that keep applications up and running while an emergency patch is applied.
Further challenges exist for organizations that develop applications in-house or customize their commercial off-the-shelf (COTS) software. A typical application these days contains dozens of open-source libraries and frameworks, creating complex dependencies that make it difficult to keep up with published patches and updates. Often, responsibility for patch management at such organizations falls to the development or DevOps teams, which are also under pressure to crank out applications more quickly than ever before. Again, the danger is that patching can be deferred because it does not appear as urgent as other tasks.
What Organizations Can Do
Whether they manage specific applications in-house or use a managed services provider (MSP), organizations need to make patching and vulnerability management a priority to ensure that updates are completed in a timely manner.
Organizations that manage their applications in-house will likely need to invest in additional people and tooling to accomplish the required tasks. It is critical that they understand their application inventory, the relative risk of each piece of software, and the current patching and vulnerability status of all assets. In most cases, organizations should dedicate specific headcount to patch management, or at least dedicated time on a team member's calendar that cannot be reallocated.
Companies using an MSP should ensure that timely application of patches — including for emergency patches that are not within the regular cadence — is included in the service contract. If it is not, organizations should renegotiate those terms or find another MSP that is able to provide the service.
Whether management is performed internally or externally, organizations should also ensure that their infrastructure is up to the task over time. Organizations need highly available systems that enable on-demand patches. For example, deploying applications on an autonomous operating system with an autonomous database enables patching to take place while the application is running, eliminating the need to shut it down during maintenance.
Moving From Reactive To Proactive
Ironically, it is the announcement of new patches that often tips off cybercriminals to specific software vulnerabilities. They exploit these vulnerabilities quickly, knowing that a large percentage of organizations won't deploy the patch right away. As a result, many vulnerabilities are exploited more heavily after a patch is available than before.
Patching critical systems in a timely manner is a proactive effort that prevents attacks from being successful. It is time for every organization, regardless of size, to make it a priority.