
How to set practical time frames to remedy security vulnerabilities

Gartner recommends four best practices to operationalise effective remediation time frames


Security and risk leaders should tie vulnerability management practices to their organisation’s specific needs, not a mythical standard.

It might be possible to patch every Windows system at a large global bank within three days, but the business disruption required would probably be unacceptable.

So, what is a reasonable time frame for fixing security vulnerabilities?

A bank in Brazil, a retailer in Singapore and a government agency in the US would each have different answers to this question, as the threat landscape is different for every organisation. Perceived “industry standard” vulnerability remediation time frames do not account for organisation-specific constraints, technology cohabitation considerations, internal policies or external compliance requirements.

The real-life situation is much more nuanced. What’s important is turning ‘whether a platform gets patched’ into ‘whether the specific risk of platform vulnerability has been sufficiently mitigated’.

This requires that organisations take a more structured risk- and fact-based approach to vulnerability management as part of an overall security program.

How fast is fast enough in vulnerability management?

The sheer volume of reported vulnerabilities means that organisations are challenged to remediate them in appropriate time frames.


Based on how fast vulnerabilities can be exploited, organisations must be prepared to perform emergency remediation on key systems within hours of a vendor releasing a patch to address a vulnerability, as well as heavily invest in mitigation measures. They must also continue to refine their remediation process maturity to achieve nonemergency remediation across all system types within weeks, rather than months or years.

Gartner recommends four best practices to operationalise effective remediation time frames.

1. Align vulnerability management to risk appetite

Every organisation has an upper limit on the speed with which it can patch or compensate for vulnerabilities. This is driven by the business’s appetite for operational risk, IT operational capacity/capabilities and its ability to absorb disruption when attempting to remediate vulnerable technology platforms.

Security leaders can align vulnerability management practices to their organisation’s needs and requirements by assessing specific use cases, assessing its operational risk appetite for particular risks or on a risk-by-risk basis, and determining remediation abilities and limitations.

Craig Lawson, VP Analyst, Gartner

2. Prioritise vulnerabilities based on risk

Organisations need to implement multifaceted, risk-based vulnerability prioritisation, based on factors such as the severity of the vulnerability, current exploitation activity, business criticality and exposure of the affected system.

“One of the biggest changes you can make is to focus on the vulnerabilities that are being exploited in the wild. That should be the No. 1 goal and will drive down the most risk the fastest.”
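As an added illustration (not code from the article or from Gartner), the Python below scores a constructed backlog on the four factors named above and maps each finding to the emergency (hours) or non-emergency (weeks) window described earlier. The weights, window lengths and vulnerability identifiers are assumptions chosen for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    vuln_id: str               # placeholder id, constructed for this example
    cvss: float                # vendor/NVD severity, 0-10
    exploited_in_wild: bool    # current exploitation activity (e.g. from threat intel)
    business_criticality: int  # 1 = low, 2 = medium, 3 = high
    internet_exposed: bool     # exposure of the affected system

# Assumed remediation windows in hours: "hours" for emergencies, "weeks" otherwise.
WINDOW_HOURS = {"emergency": 72, "nonemergency": 14 * 24}

def risk_score(v: Vuln) -> float:
    """Multifaceted score: severity weighted by exploitation, criticality and exposure."""
    score = v.cvss
    if v.exploited_in_wild:
        score *= 2.0          # active exploitation is the strongest signal
    score *= {1: 0.5, 2: 1.0, 3: 1.5}[v.business_criticality]
    if v.internet_exposed:
        score *= 1.5
    return round(score, 2)

def remediation_tier(v: Vuln) -> str:
    """Emergency tier: exploited in the wild on a key (critical or exposed) system."""
    if v.exploited_in_wild and (v.business_criticality == 3 or v.internet_exposed):
        return "emergency"
    return "nonemergency"

def is_overdue(v: Vuln, hours_open: float) -> bool:
    """True when the finding has been open longer than its tier's window."""
    return hours_open > WINDOW_HOURS[remediation_tier(v)]

def prioritise(vulns: list[Vuln]) -> list[str]:
    """Order the backlog: emergency tier first, then descending risk score."""
    ordered = sorted(vulns, key=lambda v: (remediation_tier(v) != "emergency", -risk_score(v)))
    return [v.vuln_id for v in ordered]

# Constructed sample backlog (identifiers and values are illustrative, not real findings).
SAMPLE = [
    Vuln("VULN-A", 9.8, False, 1, False),  # critical CVSS, internal, low-value host
    Vuln("VULN-B", 7.5, True, 2, True),    # exploited in the wild, internet-facing
    Vuln("VULN-C", 6.1, True, 3, False),   # exploited in the wild, core business system
    Vuln("VULN-D", 4.3, False, 2, True),   # medium severity, internet-facing
]

if __name__ == "__main__":
    for vid in prioritise(SAMPLE):
        v = next(x for x in SAMPLE if x.vuln_id == vid)
        print(vid, remediation_tier(v), risk_score(v))
```

Note that the CVSS 9.8 finding lands last: with no exploitation activity, low criticality and no exposure, it is outranked by two lower-severity issues that are being exploited in the wild.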

3. Combine compensating controls and remediation solutions

By combining compensating controls that can do virtual patching, such as intrusion detection and prevention systems and web application firewalls, with remediation solutions such as patch management tools, you can reduce your attack surface more effectively while having less operational impact on the organisation. Newer technologies like breach and attack simulation (BAS) tools also provide insight into how your existing security technologies are configured and whether they are capable of defending against a range of threats such as ransomware.

Often, it’s simply not possible to patch a system if, for example, the vendor has not yet provided a patch, the system is no longer supported or for other reasons like software compatibility. Highly regulated industries also have mandates that can restrict your ability to perform functions like patching.

Patching isn’t everything. It’s hard, can break things and takes time. Have a plan B — you need more arrows in your quiver than just patching.

If you do a better job with your vulnerability management program, you can reduce your attack surface substantially. This allows you to present as a harder target for a threat actor to try to gain some leverage inside your environment. That’s why this is a big deal.

4. Use technologies to automate vulnerability analysis

Improve remediation windows and efficiency by using technologies that can automate vulnerability analysis.

Review your existing vulnerability assessment solutions and make sure they support newer types of assets like cloud, containers and cyber-physical systems in your environment. If not, augment or replace the solution.