The big myth about security patch management

“If we had just kept our systems patched, the malware wouldn’t have been a problem.” After every major breach you usually hear those words echoed across news media. You might even pause for a moment and tell yourself that if the victims had just patched their systems, they would have been protected. For years, security experts have recommended keeping systems up-to-date as a first line of defense. After all, it’s a common-sense approach since most breaches exploit known vulnerabilities where patches are already available and have been for a while. And on the surface, it would seem a simple fix to patch your systems with the latest software updates.

Top cybersecurity issues with patching

But the truth is, effective security patch management for your network may not be that easy. Why? Let’s take a closer look at the key reasons.

• Too many systems – If you are like most IT managers, you’re overworked and super busy. You may be managing thousands of computers that need periodic updates and, in some cases, may not even know all the systems in your environment. Managing updates on so many different pieces of software, on so many systems, can be overwhelming and effective updates may slip through the cracks.
• Legacy systems – Your organization may use older, custom written applications. These may have not been updated, or cannot be updated, because the software they’re based upon is no longer supported. But the outdated software continues to be used for the simple reason it gets the job done.
• Patches must be tested – You usually have to test any patches to make sure they work properly and don’t cause additional damage. Then they usually have to pass your Production Change Control Board. You also have to implement them during an upcoming Green Zone (2:00am on a Saturday, anyone?). This can strain your limited resources.
• Embedded systems – Your computers may be part of other systems that do specific tasks, like a machine controller, a shipping system, or other tools that keep your organization running. Many of these are mission critical, so they run 24 hours per day, and are very hard to update. Plus, you may find outdated Windows XP running on these systems.
• New vulnerabilities – Patches are only developed for known vulnerabilities, and once these day zero vulnerabilities are found, it can take time to develop and distribute the patch. But newer (or undiscovered) malware will slip right through the latest patch.
• Users – User behavior can often be the source of malware and data loss. Even with security training, members of your organization may be tricked into giving away information, have their password stolen, or mistakenly share information. And, unfortunately, some may even have bad intentions. In these cases, patching will not protect you.

How to stay cybersecure

So the myth is busted. Even if it were possible for you to patch in a timely fashion, malware would still be a problem. And, as we saw in the cases above, patching doesn’t always work. To keep your organization secure, you need to detect and stop malware in other ways. But while there are many reasons that patching is not a panacea, you still need to patch to the best of your ability. Why? Because it’s still a key part of a holistic and effective security posture.

To keep your organization cybersecure, you should develop an architectural approach that leverages risk-based decisions for your organization. This includes determining:

• What is most important to your organization?
• What data is most critical?
• What is your budget?

You also need to patch and protect against other ways malware can enter your environment. You may even want to use a best practice to make sure you cover all your bases. If so, we’d suggest the NIST Cybersecurity Framework (CSF) as a starting point.

 By Peter Romness

Published with permission from blogs.cisco.com