WatchGuard Blog

If you can’t patch perfectly, patch programmatically

In every quarterly security report we’ve ever released, we have consistently found that threat actors primarily exploit old vulnerabilities, often ones fixed months, if not years, earlier. Zero-day exploits [malware for which no signature is available] are rare by comparison with these well-known, outdated vulnerabilities. This reality underscores our repeated advice: patch your software regularly and swiftly, because doing so yields a significant return on your security effort.

You already know this. However, real-world business constraints can hinder organizations from keeping up with patches. For example, some may need to rely on outdated applications that function only on end-of-life operating systems. While this isn’t ideal, finding a replacement may take time. Similarly, small teams may struggle to manage extensive infrastructures. 

Regardless of the challenge, it’s crucial to patch the most critical vulnerabilities quickly. What should you do if perfect patching isn’t feasible? Implement a structured patching policy with clearly defined SLAs that prioritize critical vulnerabilities. If you can’t apply every patch, make sure you address the important ones first. This concept is foundational, so if you lack a formal patch policy, with SLAs and severity definitions tailored to your organization’s risk assessment, treat writing one as an immediate priority.

At a high level, set the fastest patch SLAs for the software flaws with the highest criticality. For instance, address high and critical patches within 30 days, while allowing 90 to 180 days for medium and low severity. Consider exposure as a key factor: if a software service is exposed externally, your patch SLA should be much faster, whereas internal low-risk vulnerabilities might warrant a longer wait.
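The severity and exposure rules above can be encoded so that a scanner export is triaged against the SLA automatically instead of by hand. The following is an added example written for this post, not WatchGuard code and not part of any WatchGuard product; it assumes a 30-day SLA for critical and high, splits the post's 90-to-180-day band into 90 days for medium and 180 for low (an assumption), halves the SLA for externally exposed services (also an assumption), and runs over a small constructed inventory with placeholder identifiers.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed SLA table in days. The blog's guidance is 30 days for high/critical
# and 90 to 180 days for medium/low; medium=90 and low=180 is this example's
# own split, not a WatchGuard figure.
SLA_DAYS = {"critical": 30, "high": 30, "medium": 90, "low": 180}

# Assumption for this example: an externally reachable service gets half the
# SLA of the same severity on an internal-only host.
EXTERNAL_EXPOSURE_FACTOR = 0.5

# Constructed "today" so the example is reproducible offline.
AS_OF = date(2025, 2, 1)


@dataclass
class Finding:
    host: str
    vuln_id: str      # identifier as reported by the scanner (placeholders below)
    severity: str     # critical / high / medium / low
    external: bool    # reachable from the internet?
    detected: date    # when the scanner first reported it


def sla_days(severity: str, external: bool) -> int:
    """Days allowed to remediate a finding of this severity and exposure."""
    try:
        base = SLA_DAYS[severity.lower()]
    except KeyError:
        raise ValueError(f"unknown severity: {severity!r}")
    if external:
        return max(1, int(base * EXTERNAL_EXPOSURE_FACTOR))
    return base


def due_date(f: Finding) -> date:
    return f.detected + timedelta(days=sla_days(f.severity, f.external))


def triage(findings, today=AS_OF):
    """Sort findings by urgency; each row ends with days remaining (negative = overdue)."""
    rows = []
    for f in findings:
        remaining = (due_date(f) - today).days
        rows.append((f.host, f.vuln_id, f.severity, f.external, remaining))
    rows.sort(key=lambda r: r[4])
    return rows


def overdue(findings, today=AS_OF):
    """Only the rows that have already blown their SLA."""
    return [row for row in triage(findings, today) if row[4] < 0]


# Constructed sample inventory: hypothetical hosts and placeholder vuln ids.
SAMPLE = [
    Finding("web-01", "EXAMPLE-0001", "critical", True, date(2025, 1, 1)),
    Finding("db-01", "EXAMPLE-0002", "high", False, date(2025, 1, 1)),
    Finding("fileshare-01", "EXAMPLE-0003", "medium", False, date(2024, 10, 1)),
    Finding("kiosk-07", "EXAMPLE-0004", "low", False, date(2025, 1, 10)),
]

if __name__ == "__main__":
    for host, vid, sev, ext, remaining in triage(SAMPLE):
        status = f"OVERDUE by {-remaining}d" if remaining < 0 else f"{remaining}d left"
        exposure = "external" if ext else "internal"
        print(f"{host:14} {vid:13} {sev:9} {exposure:9} {status}")
```

Run as-is it prints the inventory most-urgent first; the externally exposed critical finding on web-01 is already overdue on a 15-day clock even though the same severity on an internal host would still have two weeks left. Feeding it a real scanner export means replacing `SAMPLE` with rows parsed from that export and `AS_OF` with `date.today()`.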

In conclusion, strive to patch everything possible as quickly as you can. If that’s unachievable, take the time to develop a risk-based policy. Employ automated patching and monitoring tools to ensure you meet your SLAs effectively.

If you would like more insights and defense tips on protecting your network from today’s malicious threats, see the Q4 2024 edition of our Internet Security Report. Follow this link to discover the many benefits of WatchGuard’s Patch Management solution.