TVM Patching Strategy Considerations
In this article
What is cyber risk?
A WWT Real Risk© view considers two primary elements of risk, severity and likelihood, to quantify and qualify risk for a client. Real Risk considers a wealth of variables, including an organization's architecture, technical capabilities, people, processes and more.
Vulnerabilities are often incorrectly identified as "risk" via a score for the vulnerability from the Common Vulnerability Scoring System (CVSS), ranging from 1-10. This system, developed and managed by FIRST, only considers the severity of a vulnerability. It does not consider where that vulnerability may exist architecturally within an organization, likelihood in general, or other variables like the weaponization of a vulnerability by adversaries in real-world attacks (aka in-the-wild).
Example: Applying cyber risk
A recent "Print Nightmare" vulnerability (CVE-2021-34527) is rated as a CVSS version 3.0 "8.8 HIGH". On a scale of 1-10 that makes this vulnerability a big deal — a really big deal — especially if any high-value data, critical servers or external-facing assets are at risk!
When WWT considers risk, a more complete and detailed context reveals that internal segment and air-gapped networks act as compensating controls, significantly reducing risk for any such vulnerabilities that may exist within such architecture. Furthermore, if the exploitable service for this vulnerability is not actually running in memory, this is considered effective mitigation of threat — even though it is not patched — as a vulnerable service cannot be exploited unless running in memory.
In this example, WWT Real Risk identifies this risk as a zero. That is a huge difference from those that simply rely upon the CVSS severity score for identifying risk, when it may not be a risk for some or all assets within an organization.
As seen in the example above vulnerability risk management is not "flat" or vaguely applied to an organization, especially that of a large complex global organization. The "devil is in the details" is true when it comes to identifying risk specific to each area of the business unit, architecture, assets, exposure and other considerations of true cyber risk.
What is the best patching strategy for an organization?
We regularly perform workshops and assessments of TVM programs to identify if essential elements of the TVM lifecycle are present and mature within an organization. If any element is missing the program cannot achieve maturity as all elements are "must-haves" to support the lifecycle of TVM program management. We recommend your strategy include a comprehensive evaluation of your program to identify with a WWT Real Risk Roadmap that outlines priorities, alignment and actions to be taken in the near- and long-term towards maturity.
Mature programs rely upon leadership and clearly assigned roles and responsibilities for a Threat and Vulnerability Management leader and support staff.
TVM depends upon a solid IT infrastructure, including that of a Configuration Management Database (CMDB) mapping out all devices on a network, architectures, owners, and other essential meta-data necessary for integrated operations. We frequently find larger organizations struggling with how to effectively manage the massive scale and diversity of hardware and software within an organization. This is further complicated by realities around end-of-life (EOL) succession planning, exceptions (short and long term), contractors (where you don't control their phone or device) and other elements of global business.
Organizations that simply focus on "patching" are often missing critical components of how to properly identify risk associated with each vulnerability and business unit (BU) and critical assets. Additionally, organizations that patch but do not systematically and iteratively verify or validate patching will never mature to an industry-standard best practice. There are no shortcuts to achieving TVM program maturity. If your organization is lacking areas of capability and performance, they must be shored up before the lifecycle can begin to function as it should.
What do you prioritize?
Cyber risk prioritization can only occur if data classification exists within an organization. All too often we see organizations attempting to prioritize based upon a CVSS score, which again, is only severity. CVSS does not identify where the crown jewels are within an organization or specifically what is at risk. If your organization doesn't have a data classification program in place this is an essential operation that must exist to support cyber risk management.
WWT also recommends an assessment of tools and obtaining a central "source of truth" database to integrate CMDB, data prioritization, workflow management and other components of governance, risk and compliance (aka GRC or Integrated Risk Management). Without these necessary functions, your staff will be drowning in disparate data points, inefficient Excel spreadsheets and similar solutions wasting thousands to millions of dollars in productivity every year!
What about prioritized patching?
A few key terms as we dive into the strategy of how to best navigate prioritized patching within a TVM Program:
| Zero-day | Exploitation before a vulnerability is known and assigned No patch available |
| N-Day (aka 1-day) | A "zero-day" that has a Common Vulnerabilities and Exposures (CVE) assigned; it is known and assigned The patch may or may not exist |
| Patch | Software is provided by a vendor to remediate the "bug". |
Zero-day and N-Day vulnerabilities have increased risk as there may be no patch available and/or it is coupled with real-world in-the-wild exploitation. Organizations may attempt to manage the risk, temporarily, through workarounds and compensating controls (e.g. taking a service down or offline where exposed externally). Additionally, increased visibility and vigilance around cyber threat intelligence (CTI) are also critical in managing risk during a potential emergent vulnerability crisis.
Many organizations attempt to achieve "N" state patching; patching vulnerabilities assigned with a CVE vulnerability (aka Patch to the current state). However, CVEs are NOT assigned to all vulnerabilities. There are currently thousands of vulnerabilities that exist in software that are not afforded a CVE number or patch. Organizations that only focus upon CVE-based vulnerabilities still have potentially thousands of additional vulnerabilities, with no CVE and possibly no patch, that also incur cyber risk for the organization. This is exacerbated by unauthorized software installations or devices enabled to be in a production environment where controls, budget, and processes do not exist to force compliance.
WWT strongly recommends strong risk-based policy and compliance related to prioritized patching, performing tabletops to stress test, and mature operations, for both playbooks and runbooks specific to your threatscape. Integration of TVM prioritized patching, incident response (IR), and disaster recovery (DR) teams, is also strongly encouraged as a vulnerability crisis can quickly turn into an incident or breach and can also benefit from operations by the IR team that is used to handling timely global 24x7x65 incidents.
What about patching schedules?
Most organizations have a large majority of Windows-based machines, where Microsoft manages a monthly patch cycle around "Black Tuesday." This is very different from vendors that release patches as they are developed, instead of attempting a monthly cycle.
Due to the diversity of most organizations' hardware and software, both must be considered in how TVM program needs are met. WWT recommends a monthly baseline based on the Microsoft-relative Black Tuesday date each month, with reporting and metrics coordinated to be approximately 28 days following a Black Tuesday event or the day prior to the next Black Tuesday event a month later. This enables a reasonable baseline for how to accurately interpret the status of patches, non-compliance, and other metrics essential in the lifecycle of managing vulnerabilities, BUs, partners, Service Level Agreements (SLAs), and other considerations.
Ongoing periodic patches, like that for a Linux distribution, can be rolled into a monthly program easily so that a comprehensive view of all major vulnerabilities and patching can be managed and integrated.
Another key consideration in patching schedules, combined with metrics and management, is that of patching to the current state (N-state) or not. In theory, it's a great idea to patch all known vulnerabilities as soon as they are identified and made available by vendors. However, complexities in strategy and timing are introduced when one considers how often one may need to take down physical security controls (like cameras) to patch underlying software, disabling key functionality while upgrades are in place. When considering risk for such controls organizations typically segment such controls into a location that is less exposed and delay patching to specific periods within a quarter or year to perform necessary patches, thereby minimizing downtime risk associated with no such controls each time systems are down for patching.
What else do I need to consider?
WWT regularly sees organizations with two tooling challenges, ironically at the same time:
- Tools that are compartmentalized to a specific BU that do not provide comprehensive, integrated or holistic value to meet all stages of an effective TVM Program.
- Too many tools are purchased by an organization, often organically over several years and/or mergers and acquisitions.
WWT recommends a Security Tools Rationalization Workshop to help organizations identify where they can most strategically focus tooling for ALL stages of the TVM lifecycle, save funds on programs that are no longer needed or not as effective as others, and align regarding how to best integrate operations with technology.
With holistic, effective and centralized data management and workflow operations, a TVM program has what it needs to develop true strategic key performance indicators (KPIs), supporting metrics and diagnostic metrics to manage and mature a program.