For some security professionals, patch management can be boiled down to the popular Nike slogan: Just Do It. But as anyone who has ever managed a network knows, patch management isn’t as simple as a catchy phrase. This is not to say that there aren’t plenty of cases where patches for critical vulnerabilities could be easily applied and aren’t, but there are also valid reasons why a system or software can’t be patched: Production systems that can’t be taken offline for any amount of time (e.g., in a healthcare environment). Legacy systems with dependencies that will break if a patch is applied. If the patch, itself, introduces additional vulnerabilities which require the IT team to roll back the patch level. With all of this in mind, though, many notable data breaches can be attributed to the failure to patch. Equifax, WannaCry, the UK National Health Service. All of these breaches have unpatched systems as a root cause.
The fact is, when organizations do not patch known vulnerabilities, they’re accepting risks—blatantly or tacitly. Just because a risk exists doesn’t mean it has to be mitigated at all costs,1 but it does mean that the people responsible must know or estimate and communicate the risks associated with either action or inaction. In the case of cybersecurity risks introduced because of patch management decisions, the business should be made aware that vulnerabilities in “X” system could result in “Y” being accessed remotely by an unauthorized party, data loss, denial of service, the introduction of malware, etc. Before any of this can happen, though, IT and security teams need better ways of tackling patch management. There are simply too many vulnerabilities reported and published for any organization to “just do it,” and an ad hoc or case-by-case method of handling patches will certainly result in missed critical patches, incorrectly applied patches, involuntary acceptance of unknown/unanticipated/unintentional risks, or worse.
Organizations need a better approach. As Dave Lewis, Advisory CISO at Duo Security puts it, “companies need to learn how to patch better, patch smarter, and improve patching quality and ease.” The “how to” of managing an entire patch management program is out of scope for this blog post, but one thing that can definitely help IT and security teams wrap their arms around a patch management strategy is implementing a zero trust network.
Challenges with today’s networks
Organizations’ networks are no longer the onsite, internally managed, and flat architectures of the past. The introduction of cloud and virtual environments, bring-your-own-device (BYOD), distributed networks, and more have fundamentally changed the way IT and security teams must operate. Because patch management and other cybersecurity initiatives can affect the availability and reliability of today’s dynamic, auto-scaling networks, technology teams must devise better ways to address the problem head-on.
For as long as this writer has been around the security space, practitioners have been yelling from the rooftops, “Don’t keep everything in one place!” However, accomplishing network segmentation can be a difficult, lengthy, costly process. As a result, just as with patch management, segmentation (and the newer “microsegmentation”) has been pushed aside for more-easily accomplished tasks. In truth, when using historical or legacy processes and technologies, segmentation/microsegmentation can make even the most skilled networking guru want to pull their hair out. But segmentation can be an effective way to better manage business-critical systems and any necessary updates to those systems.
Check out our recent webinar, "Zero trust Microsegmentation for Victory" with guest speaker, Chase Cunningham, Forrester Principal Analyst
Enter, zero trust
Zero trust flips traditional networking concepts on their heads. Instead of the “trust but verify” method of managing access to and on the corporate network, zero trust says that all traffic, users, applications, hosts, you name it, must be verified through a set of immutable attributes that create a “fingerprint” before being allowed to communicate. Additionally, when an app/process/user/etc. is verified, the trust granted only applies to that one connection; every time a communication is initiated on a zero trust network, the “what” trying to connect must be verified again to ensure that a threat actor hasn’t intercepted the communication, isn’t hiding inside approved controls, or hasn’t dropped malware onto the system.
So what does this have to do with patch management? In a zero trust network, all systems— servers, applications, databases, hosts, etc.—run on the principle of least privilege. Only systems/apps/etc. that require access to another system/app/etc. are automatically configured to send and receive communication from other network connections. In contrast, in a traditional network, up to 98% of the network is comprised of unused and unmanaged communication pathways. This means that both legitimate applications/services and malicious traffic can communicate over these pathways. But zero trust blocks anything unused or unnecessary, therefore reducing the scope of what can communicate. As a result, the probability of an exploit of an unpatched system is also reduced because fewer resources are talking to it.
Further, the fingerprints created for a zero trust network include product or device names, versions, and patch levels, which means that system administrators can be alerted on any patch management issues and make the best decision for the organization. For example, security teams could implement a policy that says, “If version 2.3 of Apache isn’t running 2.3.35 or 2.5.17, alert on a connection.” With that information in hand, the security team can make the decision to either segment the application until it’s fixed (which would likely only happen in extreme cases) or accept the risk of not applying the patch and explain why to the business.2
Patch management tools can obviously help organizations stay on top of what’s-happening-where throughout their diverse ecosystem of networks, but patch management tools cannot keep software from communicating if malware gets into the system before a patch has been applied or even developed. By isolating and containing critical assets in a zero trust network, organizations can identify an unpatched vulnerability before it is exploited. Furthermore, patch management can only help when a patch exists! For zero days and other unpatchable situations like those mentioned at the top of this post, organizations have to “design systems as if there’s always a zero day and the patch is never coming,” writes Adrian Sanabria, VP of Strategy and Product marketing at NopSec, in a blog post about the Apache Struts exploit. Zero trust networking accomplishes system hardening regardless of patch levels, and gives organizations a smarter way to stay on top of patches that could prevent them from becoming the next Equifax. Zero trust provides the fine-grained control of distributed network environment that security teams crave while allowing businesses to speed ahead without introducing unnecessary or unmanaged risks.
1. According to Kenna Security and Cyentia Institute, while 23% of published vulnerabilities have associated exploit code, less than 2% of published vulnerabilities have been exploited in the wild, making traditional remediation very inefficient, costly, and time-consuming.
2.It’s important to note that, per the Kenna/Cyentia “Prioritization to Prediction” report, predicting which reported CVEs will become exploits is challenging and will continue to pose problems, even in a zero trust environment. Further, some CVEs are exploited before they’re published, diminishing the effect of remediation by any means.