Look at any article with advice about best practices for cybersecurity, and about third or fourth on that list, you’ll find something about applying patches and updates quickly and regularly. Patching for known vulnerabilities is about as standard as it gets for good cybersecurity hygiene, right up there with using multi-factor authentication and thinking before you click on links in emails from unknown senders.
So imagine my surprise when attending Qualys QSC24 in San Diego to hear a number of conference speakers say that patching shouldn’t be an automatic reaction. In fact, they say, there are times when it is better not to patch at all.
No, you don’t need to fix everything, says Dilip Bachwani, Chief Technology Officer with Qualys.
“It’s not practical,” Bachwani adds. “Even if there is a vulnerability, it may not apply in your environment.” It could be an application that isn’t an internet-facing asset or something secured through other controls.
Knowing your risk factor
The knee-jerk reaction when a new patch is released is to get it installed as quickly as possible to prevent a vulnerability from turning into a cyber incident. However, Bachwani and his Qualys colleagues stress that security teams need to take a step back and evaluate their organization’s risk threshold.
That evaluation will first turn up a large number of vulnerabilities across the infrastructure. A study by Coalition expects the total number of common vulnerabilities and exposures (CVEs) to increase by 25% in 2024 to 34,888 vulnerabilities, or nearly 3,000 per month.
“New vulnerabilities are published at a rapid rate and growing,” Tiago Henriques, Coalition’s Head of Research, says. “Most organizations are experiencing alert fatigue and confusion about what to patch first to limit their overall exposure and risk.”
With the steady increase in the number of CVEs, it is easy to think that every vulnerability is critical — and if every vulnerability is given an equal risk value, patching becomes overwhelming. The researchers at Qualys recommend prioritizing the risk involved with each vulnerability so that you can determine what should be patched first and what might not need to be patched at all.
How to prioritize your organization’s vulnerabilities
Prioritizing vulnerabilities requires knowing all of your assets across the organization and identifying and monitoring the attack surface. However, Qualys research found that only 9% of companies actively monitor 100% of their attack surface. Shadow IT, third-party vendors and their risks, digital transformation carried out too quickly and without an assessment of the technologies and assets added, and a failure to recognize emerging threat vectors are just some of the reasons organizations are unable to properly monitor their attack surface.
Deploying an attack surface management program will identify which technologies are attached to your network, where they are and which assets need protection. The critical requirements of an attack surface management program are:
- Visibility across hybrid IT
- Dynamic cybersecurity needs with rapid identification
- Unauthorized software tracking in real-time
- Finding and remediating blind spots
The more familiar you become with the systems accessing your network, the easier it will be to know your corporate assets and prioritize their importance. When levels of risk tolerance are assigned to these assets, it will then be easier to prioritize critical and non-critical vulnerabilities to be patched or, in some cases, not patched.
When to slow down the patching process
Patching protocols should be unique to your organization, based on your internal measures of mission criticality and risk tolerance. Whereas one organization may decide that the most critical vulnerabilities must be patched immediately, another may find that seven days is the right time frame to reduce risk for the most important assets. Patch management programs tier their assets, beginning with the most critical ones, which cannot afford downtime if something goes wrong, and moving down through secondary tiers with longer wait times.
But there are times when it is smart to slow down or even eliminate the patching process. They include:
- An important and time-sensitive project is in progress and requires uninterrupted computer time
- There are reports of bugs in the patch, or it creates compatibility problems with the application in a test sample
- The vulnerable software is limited in scope within the organization and can be isolated
- Other mitigating controls can be put in place
- The application never uses the functions with the known vulnerability
- The costs of patching outweigh the benefits. If the code is outdated and needs to be rewritten, for example, then it doesn’t make sense to take the time and expense to apply the patch.
Cybersecurity insurance and patching
With the increase in CVEs and the ever-looming threat of a cyber incident, many organizations are looking at how to maximize their cybersecurity insurance. Given the strict rules and audits required to be eligible for cybersecurity insurance, will an approach of patching only when it is truly necessary downgrade your organization in the eyes of insurers?
Bachwani says no. “I actually think a solution like this will enable cyber insurers to be more effective.”
The way the insurance marketplace works today is that it is less focused on the company’s internal data and more on the organization’s overall cybersecurity posture.
“If I’m able to clearly demonstrate that we internally have really good hygiene, my insurance should be lower,” says Bachwani.
To patch or not to patch?
In the end, the decision on whether or not to patch comes down to a single question: what is the value to the business of patching or not patching? That is determined by the organization’s risk tolerance. Recognizing the consequences of downtime or a cyber incident will help prioritize the critical vulnerabilities that require time and resources to patch. Being willing to accept that you can’t patch everything will also give your team the space to focus on bigger threats.