Threat Trends | 4 mins

Zero days aren’t your top concern: A patch management strategy is

On average, it takes organizations 106 days to patch a vulnerability, with 68% of all cyberattacks exploiting vulnerabilities that have had a patch available for over a year. One of the biggest concerns for most security teams is zero-day vulnerabilities, which leave organizations scrambling to fix them before being exploited by threat actors. How can you prioritize your patching to ensure a strong security posture? The answer lies with the right patch management strategy (PMS).

The problem in chasing zero-day headlines

One of organizations' biggest challenges is the volume of vulnerabilities that need remediating. A record-breaking 25,059 CVE records were published in 2022, an increase of approximately 25% over 2021. On top of that, the past two years saw a record-breaking number of zero-day exploits.

However, research by Google Project Zero reveals that half of the 18 zero-day vulnerabilities discovered in the first half of 2022 are closely related to existing vulnerabilities. “When people think of zero-day exploits, they often think that these exploits are so technologically advanced that there’s no hope to catch and prevent them. The data paints a different picture,” writes the Project Zero team. “At least half of the 0-days we’ve seen so far this year are closely related to bugs we’ve seen before.”

To back this finding further, research from the University of Trento indicates that if organizations implement just 12% of all possible patches, restricting themselves only to those that fix publicly known vulnerabilities, this is as effective at preventing compromises as patching 100% of vulnerabilities. 

A diagram showing patching the right 12% of vulnerabilities has the same protection from being breached as patching 100% of them.

So the problem is not to patch the latest zero-day vulnerabilities but to prioritize patching those vulnerabilities that pose the real threat to your environment. The question is, which patches should make up the 12%? Which are less of a priority and can be deprioritized, without materially increasing the likelihood that you’ll suffer a cyberattack? 

What is a patch management strategy?

PMS refers to the process of identifying and prioritizing security updates. With the threat landscape constantly evolving, regular patches are required to safeguard against known vulnerabilities. 

However, due to the huge volume of patches, it simply isn’t possible to patch every vulnerability affecting your software. Some vulnerabilities will be more dangerous than others, such as those targeting your critical systems, enabling the theft of sensitive data, or affecting more than one asset, increasing the attack surface. 

To identify which patches to prioritize, organizations have to learn how to focus their time on the risks that are most likely to be exploited by threat actors. That’s the only way to effectively close down vulnerabilities in an age of limited cyber defense resources.

The benefits that you’ll unlock through an effective PMS include:

  • Reduced risk: PMS prioritizes patching vulnerabilities based on the true risk they pose to your organization. This will minimize the likelihood of a breach and associated damages. 

  • Boost productivity and efficiency: Patch management not only ensures your software is secure, but it also helps it to work as it should. Smooth-running software improves user experience, reduces downtime, and, as a result, increases productivity.

  • Improved functionality: An effective PMS allows you to innovate without fear. New features can be launched safely in the knowledge that any critical vulnerabilities will be quickly identified and patched.

How to create an effective patch management strategy

3 out of 5 organizations that have been breached say it occurred because a patch was available for a known vulnerability but was not applied. To ensure your PMS is plugging the security gaps that really matter – rather than chasing the latest zero-day headlines – you need to contextualize and prioritize your risks.

Beyond simply scanning for vulnerabilities, you need to identify where a vulnerability actually represents a risk. Context is everything when prioritizing risks. Security teams should understand the mentality of a real-life threat actor and how they operate, as well as the direct impact a given vulnerability would have on the business.

Ideally, your PMS will understand the context around your vulnerabilities, considering the link between your vulnerable assets. For example, two low-risk vulnerabilities might have a higher criticality when viewed in conjunction. A great source for security teams to consult when weighing up priorities is the Stakeholder Specific Vulnerability Categorization (SSVC) methodology.
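The prioritization factors described above (exploitability, impact on critical systems and sensitive data, and the extra criticality two low-risk findings gain when the affected assets are linked) can be turned into a repeatable decision. The following is an added example, not Hadrian's tooling and not the official SSVC decision tree: it is a deliberately simplified scorer loosely modelled on SSVC's decision points (exploitation status, automatability, technical impact, mission impact), with a constructed asset-link graph and constructed placeholder CVE identifiers. The thresholds and the "chained" bump are assumptions chosen for illustration.

```python
"""Simplified SSVC-style patch prioritization.

Added example: an illustrative approximation of the SSVC decision points,
NOT the published CISA/CERT decision tree. All vulnerabilities, assets and
links below are constructed sample data.
"""
from dataclasses import dataclass
from enum import IntEnum


class Exploitation(IntEnum):
    NONE = 0    # no public exploit known
    POC = 1     # public proof of concept exists
    ACTIVE = 2  # exploitation observed in the wild


class Impact(IntEnum):
    PARTIAL = 0  # limited control / limited data exposure
    TOTAL = 1    # full control of the component or its data


class Mission(IntEnum):
    LOW = 0     # asset not involved in critical processes
    MEDIUM = 1  # supports critical processes indirectly
    HIGH = 2    # critical system or holds sensitive data


@dataclass(frozen=True)
class Vuln:
    cve: str
    asset: str
    exploitation: Exploitation
    automatable: bool     # can the attack be scripted against many hosts?
    impact: Impact
    mission: Mission
    patch_age_days: int   # days since the vendor patch became available


ACT, ATTEND, TRACK = "Act", "Attend", "Track"


def decide(v: Vuln, chained: bool = False) -> str:
    """Map one finding to an SSVC-like outcome.

    `chained` is True when another finding sits on a linked asset; two
    individually low-risk weaknesses read together get a one-point bump
    (assumption made for this example)."""
    score = int(v.exploitation) + int(v.impact) + int(v.mission) + (1 if v.automatable else 0)
    if chained:
        score += 1
    # Actively exploited bugs on anything mission-relevant go straight to Act.
    if v.exploitation == Exploitation.ACTIVE and v.mission >= Mission.MEDIUM:
        return ACT
    if score >= 3:
        return ATTEND
    return TRACK


def linked_assets(links: set[tuple[str, str]], asset: str) -> set[str]:
    """Neighbours of `asset` in the undirected asset-link graph."""
    return {b for a, b in links if a == asset} | {a for a, b in links if b == asset}


def prioritize(vulns: list[Vuln], links: set[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return (cve, decision) pairs ordered by urgency.

    Within the same tier, findings whose patch has been available longest
    come first: that is where the "patch available for over a year" breaches
    cited in the article come from."""
    by_asset: dict[str, list[Vuln]] = {}
    for v in vulns:
        by_asset.setdefault(v.asset, []).append(v)
    decided = []
    for v in vulns:
        chained = any(by_asset.get(n) for n in linked_assets(links, v.asset))
        decided.append((v, decide(v, chained)))
    rank = {ACT: 0, ATTEND: 1, TRACK: 2}
    decided.sort(key=lambda r: (rank[r[1]], -r[0].patch_age_days))
    return [(v.cve, d) for v, d in decided]


# Constructed sample findings (placeholder CVE ids, not real ones).
SAMPLE_VULNS = [
    Vuln("CVE-EXAMPLE-0001", "vpn-gw", Exploitation.ACTIVE, True, Impact.TOTAL, Mission.HIGH, 400),
    Vuln("CVE-EXAMPLE-0002", "dev-wiki", Exploitation.NONE, False, Impact.PARTIAL, Mission.LOW, 30),
    Vuln("CVE-EXAMPLE-0003", "jump-host", Exploitation.NONE, False, Impact.PARTIAL, Mission.MEDIUM, 200),
    Vuln("CVE-EXAMPLE-0004", "db-primary", Exploitation.NONE, False, Impact.TOTAL, Mission.MEDIUM, 90),
]
# Constructed link: the jump host can reach the primary database.
SAMPLE_LINKS = {("jump-host", "db-primary")}

if __name__ == "__main__":
    for cve, decision in prioritize(SAMPLE_VULNS, SAMPLE_LINKS):
        print(f"{decision:7} {cve}")
```

Run on its own, the script ranks the actively exploited VPN gateway bug first, then the database finding, which is only "Track" in isolation but becomes "Attend" once the link to the vulnerable jump host is taken into account; the two remaining findings stay in "Track", oldest available patch first.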

Don’t patch more, patch better

Not all risks are equal. Some, like those that are publicly known, could derail your entire organization. Others may not threaten your critical processes at all. Firms should implement a data-driven patch management strategy to properly contextualize and prioritize their vulnerabilities.

Get in touch with Hadrian to learn how to assess which vulnerabilities should be patched as soon as possible and which can be left a little longer depending on the resources at your disposal. The effective prioritization of patching can result in a strong security posture as part of a holistic view of your attack surface. 
