Business
Improve your risk posture with attack surface management
Security that enables business outcomes
Gain visibility and meet business needs with security
Connect with confidence from anywhere, on any device
Secure users and key operations throughout your environment
Move faster than your adversaries with powerful purpose-built XDR, attack surface risk management, and zero trust capabilities
Maximize effectiveness with proactive risk reduction and managed services
Understand your attack surface, assess your risk in real time, and adjust policies across network, workloads, and devices from a single console
Drive business value with measurable cybersecurity outcomes
See more, act faster
Evolve your security to mitigate threats quickly and effectively
Ensure code runs only as intended
Gain visibility and control with security designed for cloud environments
Protect patient data, devices, and networks while meeting regulations
Protecting your factory environments – from traditional devices to state-of-the-art infrastructures
ICS/OT Security for the oil and gas utility industry
ICS/OT Security for the electric utility
Stop threats with comprehensive, set-it-and-forget-it protection
Bridge threat protection and cyber risk management
Stop breaches before they happen
Stop adversaries faster with a broader perspective and better context to hunt, detect, investigate, and respond to threats from a single platform
The most trusted cloud security platform for developers, security teams, and businesses
Cloud asset discovery, vulnerability prioritization, Cloud Security Posture Management, and Attack Surface Management all in one
Extend visibility to the cloud and streamline SOC investigations
Secure your data center, cloud, and containers without compromising performance by leveraging a cloud security platform with CNAPP capabilities
Simplify security for your cloud-native applications with advanced container image scanning, policy-based admission control, and container runtime protection
Security for cloud file/object storage services leveraging cloud-native application architectures
Defend the endpoint through every stage of an attack
Stop adversaries faster with a broader perspective and better context to hunt, detect, investigate, and respond to threats from a single platform
Optimized prevention, detection, and response for endpoints, servers, and cloud workloads
On-premises and cloud protection against malware, malicious applications, and other mobile threats
Expand the power of XDR with network detection and response
Stop adversaries faster with a broader perspective and better context to hunt, detect, investigate, and respond to threats from a single platform
Protect against known, unknown, and undisclosed vulnerabilities in your network
Detect and respond to targeted attacks moving inbound, outbound, and laterally
Redefine trust and secure digital transformation with continuous risk assessments
Stop phishing, malware, ransomware, fraud, and targeted attacks from infiltrating your enterprise
Learn about solutions for ICS / OT security.
Stop adversaries faster with a broader perspective and better context to hunt, detect, investigate, and respond to threats from a single platform
Keep ahead of the latest threats and protect your critical data with ongoing threat prevention and analysis
Augment security teams with 24/7/365 managed detection, response, and support
Augment threat detection with expertly managed detection and response (MDR) for email, endpoints, servers, cloud workloads, and networks
Our trusted experts are on call whether you're experiencing a breach or looking to proactively improve your IR plans
Stop breaches with the best response and detection technology on the market and reduce clients’ downtime and claim costs
Grow your business and protect your customers with the best-in-class complete, multilayered security
Deliver modern security operations services with our industry-leading XDR
Partner with a leading expert in cybersecurity, leverage proven solutions designed for MSPs
Add market-leading security to your cloud service offerings – no matter which platform you use
Increase revenue with industry-leading security
Discover the possibilities
We work with the best to help you optimize performance and value
Understanding ChatGPT's potential for misuse via malware creation
Learn more >
How threat actors leverage file-sharing to harvest credentials
Learn more >
Understanding how stolen data is acquired and sold
Protect your organization >
Content has been added to your Folio
Risk Management
With thousands of applications to manage, enterprises need an effective way to prioritize software security patches. That calls for a contextualized, risk-based approach and good overall attack surface risk management.
By: Jon Clay Read time: ( words)
Save to Folio
Inundated with monthly, weekly, and even daily software patches, IT teams need a strategic approach to security patch management—one that lets them put risks into context, prioritize effectively, and manage their overall attack surface risk.
Enterprises today have a massive amount of software to manage and keep up to date—1,061 applications on average, according to the MuleSoft Research 2023 Connectivity Benchmark Report. At that scale, with many software vendors issuing security patches monthly, weekly, and sometimes even daily, IT teams need a strategic way to prioritize what to patch and when.
The first step is to establish a proper cybersecurity audit routine that provides a complete picture of the enterprise IT ecosystem—all devices and the software they run. With that in place, the next must-have is a contextualized, risk-based approach to assess which patches are needed most urgently and which can wait, in line with the organization’s overall attack surface risk management framework.
A constant flood of patches
Apart from the sheer volume of potential patches to apply, IT teams need to factor the time and effort each security patch requires. Many involve machine downtime, which affects the availability of IT assets and can hamper employee productivity. Knowing which patches are essential and which can wait is a practical necessity.
Traditionally, deciding which patches to apply has been based on the severity of the associated vulnerability, with each vulnerability assigned a ‘criticality value’ from zero to 10. It’s an undeniably objective technique, but also imprecise.
Some vulnerabilities may be highly critical—rating 9.8 on the scale, for example—and yet have low probability of being exploited because the attacks are too costly or complex to execute. Meanwhile, less severe attack types may already be active in the wild and pose real threats. Going by criticality rankings is like preparing a city to fight off an imaginary monster like Godzilla while ignoring legitimate and urgent risks such as floods and wildfires.
In making decisions about which security patches to apply, context is what organizations need most of all.
How to decide which security patch is a priority?
The full set of contextual factors that matter will be different for every organization, but there are common questions that can help evaluate the true risk a vulnerability represents. Some key ones include:
Continue reading the Ransomware Spotlight series:
Combining these with other considerations unique to the enterprise and its business provides a more substantial, strategic, and nuanced risk score to guide patching decisions. Obviously, the answers aren’t found solely in the technical nature of the vulnerability itself. A broader understanding of the attack surface and threat environment is needed, which can be provided by combining current threat intelligence with AI and machine learning-based analytics.
Zero-day vulnerabilities are a growing risk
The importance of patching and keeping software up to date is not news: IT experts and analysts have been repeating the message for years. But changes in the threat landscape have shifted the types of vulnerabilities organizations need to focus on.
A known vulnerability that already has a security patch is classified as an ‘N-day vulnerability’, with N being the number of days the patch has been available publicly. Most organizations have become quite good at addressing N-day vulnerabilities. As a result, cybercriminals are concentrating more heavily on zero-day attacks.
Zero-day attacks target vulnerabilities for which no public security patch exists. Since these threats can still shift and evolve, they’re both more dangerous and more difficult to defend against—organizations could have a highly exploitable bug in their network without realizing it. Zero-day threats also tend to be more expensive for cybercriminals to mount.
In August 2022, Tech Monitor reported that an Apple zero-day vulnerability was on the market for 8 million euros. The package included a 12-month warranty in case the flaw gets patched, and a cloud-based code injection. Despite eye-watering costs, ransomware perpetrators and other bad actors are making enough money from their exploits that they can afford zero-day attacks fairly easily.
Forever-day attacks are another concern
The lack of a publicly available patch puts enterprises at a disadvantage with zero-day vulnerabilities. The same is true for ‘forever day’ vulnerabilities—exploitable weaknesses that will never be patched by the vendor. These arise when the software or operating systems involved are no longer supported by the developer, or when the underlying hardware has a short, intended service lifecycle and so—in theory—shouldn’t need patching, as can be the case with some internet of things (IoT) devices.
There are also situations, for example with certain medical and manufacturing devices, when the product makers prohibit software patches being applied by anyone but themselves to preserve device integrity. Some even go so far as to make it a term of sale that if a customer tries to apply a security patch themselves, they could invalidate their warranty.
The capability to consistently monitor for suspicious activity inside of networks is essential, especially with a solution that can leverage the latest global threat intelligence. But there are other ways an organization can mitigate the risk of zero-day and forever-day vulnerabilities.
Virtual patching is a good alternative
One convenient option is to resort to virtual patching. Virtual patches are developed and published by reputable providers often months ahead of public patches and can be applied without the need for a device reboot in many cases.
Virtual patches are usually flexible and can be turned off at a later point if a public patch comes out. While they can’t be applied in every circumstance, sometimes the network around the device that’s running vulnerable software can take a virtual patch, providing a layer of defense, especially when the device cannot support a security agent either.
Operational technologies (OT) are a prime case for virtual patching. Some OT systems have gone untouched and unsupported for upwards of 20 years, and Gartner predicts that by 2025 more threat actors will home in on these vulnerable legacy assets. Network-based virtual patches can help defend these increasingly common attack vectors.
Always consider cybersecurity risk in context
The key to sophisticated security patch management is leaving behind simplistic criticality scoring and instead evaluating risk in the context of business needs and the real-world threat environment. This supports better decision-making about which security patches need to be applied immediately.
As organizations migrate more to software-as-a-service (SaaS) consumption models for their applications, the burden of keeping pace with patching will diminish. SaaS vendors handle the whole process: when a vulnerability is found, it gets patched in the cloud and applied automatically to all users, sparing the customer organization any effort.
Still, sometimes even a good patch can temporarily take a system down and this could present a crisis for businesses that operate on a 24/7 basis. Organizations should consult their vendors about the possibility of rollbacks to previous versions of software. This could be a make-or-break consideration during a situation like the 2021 SolarWinds breach, when infected updates were unknowingly rolled out.
In the meantime, tools are becoming available to enable sophisticated risk-based decision-making about software vulnerabilities and security patches—contributing to more strategic and proactive enterprise attack surface risk management overall.
Jon Clay
VP, Threat Intelligence
Try our services free for 30 days
Select a country / region
Privacy | Legal | Accessibility | Site map
Copyright ©2023 Trend Micro Incorporated. All rights reserved