Failing to patch vulnerabilities keeps biting CISOs.

The most recent evidence: last month, the Five Eyes cybersecurity agencies in the US, the UK, Australia, Canada, and New Zealand reported that the top 15 vulnerabilities routinely exploited last year included one dating back to 2020 (the Zerologon hole in Microsoft Netlogon, CVE-2020-1472), one dating back to 2021 (Log4Shell, CVE-2021-44228, in the Log4j2 open source logging framework), and one dating to 2022 (CVE-2022-47966, affecting multiple Zoho ManageEngine products).

Outside the top 15 list, aging vulnerabilities also go regularly unpatched, including one that dates back to 2017 in devices running Cisco Systems’ IOS and IOS XE software.

To meet this challenge, experts say, on-prem or cloud-based automated or autonomous firmware and software patch management applications should be part of a CISO’s toolkit.

There are plenty to choose from. A wide range of IT operations management and security vendors offer patch management solutions, including ManageEngine, Heimdal, ConnectWise, Atera, Action1, NinjaOne, SecPod SanerNow, SolarWinds, Automox, Kaseya VSA and Pulseway.

The latest, which launched this week, is Tenable Patch Management. Tenable says the solution, which includes automatic patch testing to block problematic updates from being installed, shortens the time from discovery of a vulnerability to remediation.

However, CISOs are still cautious about adopting autonomous solutions. According to a recent Forrester Research survey, only 27% of 510 security decision-makers said their organization currently uses a patch management solution. Another 30% said they are willing to buy one.

Why the reticence? “Fear of breaking something” if an untested patch is installed, said Erik Nost, a Forrester senior analyst.

At the same time, experts warn infosec leaders against relying solely on automation for the collection and deployment of updates.
“I don’t fully buy into 100% reliance on any single patch management capability,” said Fritz Jean-Louis, a cybersecurity advisor at Info-Tech Research, “because if you do so, you do it at your own risk. Now you’re relying on a single point of failure that can be catastrophic to your organization. That is not good risk management. You want to have some level of automation, because as CISOs we’re struggling with a workforce gap … but it will be up to individual organizations to decide how much automation is sufficient.”

He added, “My recommendation is for those less critical applications, allow full automation. But for critical applications I know could bring down my entire organization, I would want to review them as part of my change management process.”

Forrester’s Nost agreed, suggesting a “crawl, walk, run” strategy. “There are ways of automating beyond just installing the patch. You can automate vulnerability assessment and prioritization. You can automate ticket creation” and other steps before going to full automation.

A patch management solution, he added, has to fit within an organization’s patch management strategy, which includes deciding which applications need to be patched first.

Whatever autonomous solution the CIO/CISO chooses, Nost added, it should allow a patch to be deployed first to a test group of systems for stability feedback before full deployment.

The crash of millions of Windows PCs around the world in July 2024, after CrowdStrike shipped a faulty content update for its Falcon sensor, is an argument for keeping critical applications out of fully autonomous patching. CrowdStrike admitted that a problem in its testing of the content update was at fault.

Analysts CSO spoke to differed on whether current autonomous patching applications could have caught that flaw.
And Jean-Louis of Info-Tech Research noted that many infosec leaders would in any case have trusted an update coming from CrowdStrike.

“Setting up a finely controlled patching process with an automated patching solution will avoid an issue similar to the CrowdStrike outage,” Michelle Abraham, research director for security and trust at IDC, said in an email, “because once the first subset of machines has problems with the patch, the process is halted until the issues are resolved.”

When choosing a patch management solution, infosec leaders should define their use cases (for example, does it need to work with multiple operating systems?); define their criteria for the product (what matters most: cost, ease of use, patch scheduling, learning curve, compliance with the regulations you must follow, cloud-based or on-prem, coverage of virtual machines and containers); and check with peers about their experience with the product.

However, Ray Komar, Tenable’s vice-president of cloud and technology alliances, noted that the actual product decision may be made by the IT group; the CISO or infosec leader may only have input into it. The decision maker should look for a solution that can be built around the IT department’s patch policies, he said in an interview.

The solution should be autonomous, he added, not merely automatic. “Autonomous means you set it up, apply the level of controls you feel is appropriate. The machine does the work, but within it you can engineer human checkpoints as part of your patching strategy, an approval, a dependency or something else. You want to ensure that you, or a business group, have the ability to kill [a patch].”

Automated patch management is not essential, said Frank Dickson, group vice-president of IDC’s security and trust research unit. But, he added, it is a best practice. “The scale of vulnerabilities is just too big.
Validating every patch on low severity vulnerabilities on non-critical systems is impractical. Patching is still important. Most organizations are good at protecting critical systems and the ‘crown jewels.’ However, less critical systems can still be gateways for a breach.”
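The staged approach the analysts describe above (a test group first, a halt as soon as the first subset of machines has problems, full automation only for less critical systems, and a human approval checkpoint plus a kill switch for critical ones) can be modelled as a small rollout controller. The following is an added example written for this page, not code from CSO Online, Tenable or any other vendor named in the article; the ring fractions, the 2% failure threshold, the host names and the apply_and_probe callback are all assumptions chosen to illustrate the idea.

```python
"""Ring-based patch rollout with a halt gate and human approval checkpoints.
Added example for this page, not code from CSO Online or any vendor named in
the article; ring sizes, threshold, host names and the probe are assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Iterable, List, Optional, Sequence


class Tier(Enum):
    NON_CRITICAL = "non-critical"  # may be patched fully autonomously
    CRITICAL = "critical"          # needs change-management approval first


@dataclass(frozen=True)
class Host:
    name: str
    tier: Tier


@dataclass
class RolloutPolicy:
    # Cumulative share of the fleet after each ring (canary, pilot, everyone)
    # and the per-ring failure rate that halts the rollout. Assumed values.
    ring_fractions: Sequence[float] = (0.05, 0.25, 1.0)
    max_failure_rate: float = 0.02


@dataclass
class RolloutResult:
    status: str  # completed | halted | awaiting_approval | killed
    patched: List[str] = field(default_factory=list)
    failed: List[str] = field(default_factory=list)  # rollback candidates
    halted_at_ring: Optional[int] = None
    pending_approval: List[str] = field(default_factory=list)


def build_rings(hosts: Iterable[Host], fractions: Sequence[float]) -> List[List[Host]]:
    """Split the fleet into successive, non-overlapping rings of growing size."""
    ordered = sorted(hosts, key=lambda h: h.name)
    total, start, rings = len(ordered), 0, []
    for frac in fractions:
        end = min(total, max(start + 1, round(total * frac)))  # never an empty ring
        rings.append(ordered[start:end])
        start = end
        if start >= total:
            break
    return rings


def run_rollout(hosts: Iterable[Host], policy: RolloutPolicy,
                apply_and_probe: Callable[[Host], bool], approved: Iterable[str] = (),
                kill_switch: Callable[[], bool] = lambda: False) -> RolloutResult:
    """Patch ring by ring and stop at the first ring that misbehaves.

    apply_and_probe(host) stands in for the tool's deploy step plus its
    stability feedback: True means the patch applied and the host is still
    healthy. approved names the critical hosts change management has cleared;
    kill_switch() lets an operator abort between rings.
    """
    approved = set(approved)
    result = RolloutResult(status="completed")
    for index, ring in enumerate(build_rings(hosts, policy.ring_fractions)):
        if kill_switch():
            result.status, result.halted_at_ring = "killed", index
            return result
        # Human checkpoint: a critical host is never touched without approval.
        pending = [h.name for h in ring
                   if h.tier is Tier.CRITICAL and h.name not in approved]
        if pending:
            result.status, result.halted_at_ring = "awaiting_approval", index
            result.pending_approval = pending
            return result
        ring_failures = 0
        for host in ring:
            if apply_and_probe(host):
                result.patched.append(host.name)
            else:
                result.failed.append(host.name)
                ring_failures += 1
        # Halt gate: do not widen the blast radius once a ring has broken.
        if ring_failures / len(ring) > policy.max_failure_rate:
            result.status, result.halted_at_ring = "halted", index
            return result
    return result


def sample_fleet() -> List[Host]:
    """Constructed fleet of 20 hosts; host-10 and host-15 run the critical app."""
    names = [f"host-{i:02d}" for i in range(20)]
    return [Host(n, Tier.CRITICAL if n in ("host-10", "host-15") else Tier.NON_CRITICAL)
            for n in names]


if __name__ == "__main__":
    fleet, policy = sample_fleet(), RolloutPolicy()
    # Constructed telemetry: host-03 stops responding after the patch -> halted at ring 1.
    print(run_rollout(fleet, policy, lambda h: h.name != "host-03"))
    # Healthy fleet but no approvals -> stops awaiting approval before ring 2.
    print(run_rollout(fleet, policy, lambda h: True))
    print(run_rollout(fleet, policy, lambda h: True, approved={"host-10", "host-15"}))
```

In a real deployment apply_and_probe would wrap the patch tool's deploy call and whatever stability signal it exposes (service probes, crash or reboot telemetry), and the failed list would feed a rollback step. The point of the structure is that a bad update hits one canary host, then at most the pilot ring, before anything touches the rest of the fleet, and that the critical tier cannot be reached at all without an explicit approval.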
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3618463/cisos-still-cautious-about-adopting-autonomous-patch-management-solutions.html