Vulcan advisors share patch management best practices

Learn from Vulcan Cyber advisors Brian Lozada, CISO at HBOMax, and Steve Zalewski, former deputy CISO of Levi Strauss, as they share their best practices for patch management.

Orani Amroussi | November 16, 2021

We recently asked Vulcan Cyber advisors Brian Lozada, CISO at HBOMax, and Steve Zalewski, former deputy CISO of Levi Strauss, to provide their thoughts on some of the challenges of patch management in an evolving cyber security landscape. Some of their comments were featured in a TechTarget SearchSecurity article titled, “6 Reasons Unpatched Software Persists in the Enterprise.” We’re sharing the rest of their thoughts – and their patch management best practices – in the blog post below. 

Responsibility must be shared

The nature of enterprise workloads and attack surfaces demands that responsibility for patch management be shared. Good security programs have a culture of communication between teams and share an ultimate goal: mitigating and ultimately reducing risk for their organizations.

As Steve points out:

“SecOps, DevOps and IT operations teams most often work in tandem, sharing the responsibility depending upon the system or application. All too often they have interdependencies and the various teams must work in lockstep.”

Siloed workflows can leave organizations exposed and poorly equipped in the event of zero-day vulnerabilities. Taking an approach of mutual responsibility when it comes to security – and addressing issues early – can have a huge impact when it comes to reducing risk.

The reality is that security teams can only identify threats and recommend solutions, but execution depends heavily on IT teams or lines of business. 

For Steve, “while the security team can recommend or strongly encourage mitigation of vulnerabilities via patching or compensating controls, they are effectively the stewards of the business process and systems.”

Patching can’t be the only answer – and can even get in your way

Even with a clear strategy, vulnerability remediation isn’t always straightforward. Things get more complicated if you’re only looking to patch as a solution. The fact is there are remediation and mitigation alternatives like configuration changes or compensating controls. 

Patches may work for traditional infrastructure, but modern workloads depend on cloud and application environments. That shift means we need to think differently about vulnerabilities, and beyond patching.

As Brian notes, “Security patches don’t always work, often cause more problems than they solve and are labor intensive to deploy properly.”

And – considering what organizations spend on fixing vulnerabilities – the cost of inefficient remediation strategies becomes striking:

“A mid-sized enterprise spends about 430 labor hours per week fixing vulnerabilities and this number is growing based on digital infrastructure scale and complexity. That’s millions of dollars per year that can result in substantial waste if teams, processes and tools aren’t optimized.”

Not diversifying your remediation strategy to keep up with the evolving attack surfaces has other implications. Becoming fixated on increasing your patch rate can leave you frustrated by unreasonable goals. Worse, you can develop a false sense of security based on a metric that is an inadequate measure of security posture in the face of increasingly complex attacks: 

“A high patch rate is often unattainable and is essentially a vanity metric that does not indicate an improvement in security posture. Risk-based vulnerability prioritization must include asset relevance and should attempt to include an asset-based measure of risk compliance.”

Business risk is more important than technology risk

One of the key patch management best practices, as Steve and Brian point out, is that security issues are often presented as technology issues. The problem is that this mindset fails to recognize the critical business implications that unchecked critical vulnerabilities carry. The resulting strategy of such a short-sighted approach? Excessive focus on patching vulnerabilities that are often irrelevant to your organization’s unique risk profile. 

Steve: “The more recent thinking is to understand the business risk and, based on the impact (for example to business process, revenue generation or brand management), selectively mitigate at that level, thus breaking the deadly embrace of time vs complexity of patching all systems. This of course requires a change in thinking of how to define and measure cyber business risk.”

As security programs grow more complex, security teams must think not only about fixing problems, but also about which problems to fix in the first place. As teams adjust to the changing environment, the list of vulnerabilities only continues to grow, and managing risk through a balanced approach using the right fixes and remedies becomes all the more critical.

Implementing these patch management best practices will not only help your team become more efficient. More importantly, it will help you mitigate and reduce cyber risk for your organization as a whole.
