7 Tips for Security Pros Patching in a Pandemic
The shift to remote work has worsened patch management challenges and created new ones. Security pros share insights and best practices.
Patch management has historically been a challenge for IT and security teams, which are under pressure to create strong programs and deploy fixes as they're released. Now their challenges are intensified as a global shift to remote work forces companies to rethink patching strategies.
"It's a massive challenge all of a sudden," says Stephen Boyer, co-founder and CTO at BitSight. Businesses accustomed to protecting 2,000 employees across three to four offices now have to secure the same workers in 2,000 home offices. People are working on personal devices, with home routers they don't properly configure, on networks the corporation cannot manage.
Data shows home networks pose a higher security risk than enterprise networks, he continues. BitSight research shows 45% of remote office networks have observed malware, compared with 13% of corporate networks. And more industries are enforcing work-from-home policies: 84% of traffic in the US education sector shifted off-network during the fourth week of March, data shows, along with 63% of government/policies sector traffic and 35% of finance sector traffic.
"People are working on networks that aren't managed and controlled by the corporation anymore," Boyer explains. Those who do have corporate devices use them in workspaces that are "drastically different" than the environments inside a corporation. The change has been a jolt to IT and security teams, which didn't expect this level of remote work for several years and now face unprecedented challenges in buying, configuring, deploying, and patching machines.
The process of buying assets is typically a long one that is researched, vetted, planned, and executed, says Richard Melick, senior technical product manager at Automox. Laptops and desktops would arrive, and then be configured and deployed. "We skip all that now," he says. "Now it's, 'Get them a laptop so they can get back to work.'" This need to continue working remotely has created a technologically diverse environment that most IT and security pros are not used to, and the need for different configurations on different endpoints puts new pressure on teams.
"You don't necessarily have as much control as you used to," says Jon Clay, director of global threat communications at Trend Micro. The proliferation of devices across thousands of home offices has exacerbated existing patch management challenges and created new ones. Some traditional patching advice still applies in these times, and some tips are even more important.
Here, experts in vulnerability and patch management share their advice for IT and security pros struggling to patch properly throughout the pandemic. Read on to learn their tips, and feel free to share your own in the Comments section.
Dustin Childs, manager at Trend Micro's Zero-Day Initiative, says he sees many people who are reluctant to roll out patches because they're afraid something will break, they lack resources, or their responsibilities have been reassigned due to the pandemic. Many people who were working on patch management are now ensuring remote collaboration software is working, for example, or that people can access corporate resources.
"At the same time, we see people with a lot of time on their hands," he notes. Submissions for the Zero-Day Initiative are increasing and organizations like Microsoft are reporting more flaws. Between January and April 2020, Microsoft saw a 44% jump in the number of CVEs patched compared with the same period in 2019.
"Clearly, there's a lot going on, there's a lot of patches being put out," Childs says. The answer is not to abstain from patching but to approach the process in a way that best suits your business. IT and security pros should be testing patches and ensuring they can roll back to a pre-patched state if a fix doesn't work. Now, they should be able to do all of this remotely.
"If you're not patching your endpoints, you're leaving a door unlocked; you're leaving a window open," Automox's Melick says.
Businesses can't protect assets they don't know about, which is why experts agree asset inventory is a critical step for any patch management program. It was important before the pandemic; now, taking inventory is even more challenging -- especially for large corporations.
"That is probably the hardest thing," says BitSight's Boyer. "When we find issues ... it's almost always on an asset that they didn't know about, that they had neglected, that was outside their asset inventory and outside their patch management program." It's "a constant struggle," he says, and a lot of organizations don't know their full attack surface because they lack asset inventory.
Now, as more people are working remotely, taking inventory means accounting not only for on-premises machines but also for mobile and Internet of Things devices that may be connected to the cloud. Shadow IT is a real challenge here, Boyer notes, as people use new devices when they work from home.
"They have to fundamentally believe they're missing things," says Trend Micro's Childs. "As a systems administrator, especially in a remote scenario, I have to believe I'm missing devices and systems that should be patched." Admins should also assume the patches will break something, Childs adds. This mindset encourages IT and security teams to assume a breach and start "pre-prepping" the response process.
Attackers weaponize vulnerabilities within days or weeks of disclosure, says Melick, giving businesses a limited window to patch. As more people can report CVEs, the number of flaws may be too high for businesses to keep up: between 2005 and 2016, 6,100 vulnerabilities were published each year; that number jumped to 18,000 per year from 2017 to 2020, the Cyentia Institute reports. Earlier this month, software vendors collectively pushed more than 560 vulnerability fixes in a single day.
When you can't patch them all, Melick advises prioritizing zero-day vulnerabilities. "Patching within 24 hours ensures that corporations are minimizing their attack surface, especially as we're spread out so much," he explains. Known flaws being exploited should be top of the list. Boyer seconds the sentiment: "Focus on the ones that matter and are really a risk," he says.
In today's climate, Childs recommends focusing on systems that enable remote employees. "If I were on the front lines, I would prioritize first the infrastructure keeping my remote workers working, look at the infrastructure, and then boil it down to the clients," he says. Admins should learn what these core resources are, make sure they're documented, and see when they get patched, as different vendors release patches on different schedules. Check which blog, email update, or Twitter feed you should subscribe to in order to learn your own vendors' release schedules.
"One of the challenges we have is there is no one place for someone to go find that information out," says Clay. "As an industry we'll have to get better about building mechanisms to alert organizations when a specific vulnerability has an active exploit."
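As an added illustration of the ordering the experts above describe (actively exploited flaws first, zero-days within 24 hours, then the infrastructure keeping remote workers working, then clients), here is a small Python ranking routine. It is not from the article or from any vendor mentioned; the backlog entries, asset role labels, hostnames and CVE-style ids are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class PendingPatch:
    cve: str            # placeholder id, not a real CVE
    asset: str
    asset_role: str     # "remote-infra", "server" or "client" (assumed labels)
    exploited: bool     # a vendor or alert feed reports active exploitation
    zero_day: bool      # fix for a flaw that was public before the patch shipped
    released: datetime  # when the vendor published the fix


# Ordering from the article: remote-worker infrastructure first, then other
# servers, then end-user clients. Unknown roles sort last.
ROLE_RANK = {"remote-infra": 0, "server": 1, "client": 2}
ZERO_DAY_SLA = timedelta(hours=24)   # "patching within 24 hours"

# Constructed reference time for the sample data below.
NOW = datetime(2020, 5, 20, 12, 0, tzinfo=timezone.utc)

# Constructed sample backlog; hostnames and ids are placeholders.
SAMPLE_BACKLOG = [
    PendingPatch("CVE-EXAMPLE-0001", "vpn-gw-01", "remote-infra", False, True, NOW - timedelta(hours=30)),
    PendingPatch("CVE-EXAMPLE-0002", "laptop-0042", "client", True, False, NOW - timedelta(hours=2)),
    PendingPatch("CVE-EXAMPLE-0003", "file-srv-02", "server", False, False, NOW - timedelta(days=5)),
    PendingPatch("CVE-EXAMPLE-0004", "laptop-0117", "client", False, True, NOW - timedelta(hours=3)),
]


def priority_key(p: PendingPatch):
    # Tuples sort lexicographically and False < True, so known-exploited flaws
    # come first, then zero-days, then by asset role, then the oldest fix first.
    return (not p.exploited, not p.zero_day, ROLE_RANK.get(p.asset_role, 99), p.released)


def rank_backlog(backlog):
    """Return the backlog ordered by the priority described in the article."""
    return sorted(backlog, key=priority_key)


def overdue_zero_days(backlog, now=NOW):
    """Zero-day fixes that have sat longer than the 24-hour window."""
    return [p for p in backlog if p.zero_day and now - p.released > ZERO_DAY_SLA]


if __name__ == "__main__":
    for p in rank_backlog(SAMPLE_BACKLOG):
        print(f"{p.cve:18} {p.asset:12} {p.asset_role:13} exploited={p.exploited} zero_day={p.zero_day}")
    print("overdue:", [p.cve for p in overdue_zero_days(SAMPLE_BACKLOG)])
```

The `exploited` flag is where an alert feed for active exploitation, of the kind Clay says the industry still lacks a single source for, would plug in.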
Many organizations, especially small and midsize businesses with fewer resources, rely on automatic updates to patch. "Which is great if you have automatic updates, but not all your devices do," Trend Micro's Childs points out. If you can enable automatic updates, and step back and let the system work itself out, it's one less thing for the admin to manually do. This depends on the system and the vendor, he adds.
Given the short time frame in which vulnerabilities can be weaponized, BitSight's Boyer advises building an automatable patching program. More mature programs, which typically have more people and resources, have a better chance of resolving flaws before attackers can take advantage.
"Attackers are going to be opportunistic," he explains. "As soon as the vulnerability is out there, if it's going to have an exploit, it's going to come out pretty quickly." For those who can use it, automation can help cut down on patching time.
Distributing patch management duties across teams can help accelerate deployments. "How you structure yourself makes a difference," Boyer says. Some global organizations spread out the responsibilities across different subsidiaries and business units. The cloud team may handle patching in its own way, for example, while the business division focuses on a different set of applications and an on-premises team handles patching for on-premises systems.
"Locally owned responsibility may make them better aware of the unique aspects of that group as opposed to having different responsibilities," he explains. In one company, splitting the load resulted in cutting patching time by a month and reducing the amount of "vulnerability debt."
The decision of how to handle this depends on company size and infrastructure. Some businesses operate better with a centralized model, where they can hold everyone to the same standard; others work better with the distributed approach.
Trend Micro's Clay anticipates the patch cycle will increase significantly. Companies used to receiving patches on a monthly schedule will start to see them on a weekly or daily basis.
"The reality is that with the number of exploits being developed and exploit kits growing, the requirement to patch more often is going to increase," he predicts. Businesses are moving to DevOps processes for software, a shift that may involve hourly code updates for customers. Trend Micro is making this transition and updating code hourly for SaaS users, Clay adds.
Moving forward, beyond the pandemic, Clay expects businesses will realize they can function with remote employees and enable more permanent work-from-home policies. As a result, they'll have to figure out how to patch their remote systems on a regular basis and who will be responsible. Will IT handle patching? Will the end user do it? Will a vendor be responsible?
"The reality of the threats just does not match that once-a-month patch cycle moving forward," says Trend Micro's Childs. This is especially relevant as businesses alter their infrastructure to handle ad hoc patches that roll out throughout the month, such as those recently released by Autodesk.
In the future, organizations may turn to a managed service model so they can outsource updates for infrastructure and applications as much as possible, Childs says. This would ensure companies are notified when patches are available -- "it's not going to be the second Tuesday of the month, for most of these devices" -- and help fix things when a patch goes wrong.
As more employees work from home permanently, Clay anticipates businesses will begin to issue policies instructing them how to configure their home routers. Trend Micro has already begun to see attacks targeting home routers, he says, and most people don't understand them.
"We're blown away by what the attack surface has become," says BitSight's Boyer.