How AI is helping cut the risks of breaches with patch management

When it comes to patching endpoints, systems and sensors across an enterprise, complacency kills.

For many IT and security teams, it’s a slow burn of months of seven-day weeks trying to recover from a breach that could have been avoided.

For CISOs and CIOs, it’s a credibility hit to their careers for allowing a breach on their watch that could have been avoided. And for the board and the CEO, there’s the accountability they have to own for a breach, especially if they’re a publicly traded U.S. company.

Attackers’ arsenals are getting better at finding unpatched systems

There’s a booming market on the dark web for the latest kits and tools to identify systems and endpoints that aren’t patched correctly and have long-standing Common Vulnerabilities and Exposures (CVEs).

IP scanners and exploit kits designed to target specific CVEs in software widely used across enterprises are sold on the dark web by cybercriminals. Exploit kits are constantly updated with new vulnerabilities, a key selling point for attackers looking for systems that lack the current patches needed to stay protected.

CYFIRMA confirms that it has found exploit kits for popular software, including Citrix ADC, Microsoft Streaming Service Proxy and PaperCut. However, its research also finds that offering patches after a major CVE breach is only somewhat effective.

Attackers continue to exploit long-known CVEs, knowing there’s a good chance that organizations running the vulnerable software haven’t patched it in a year or more. A recent report finds that 76% of vulnerabilities currently being exploited by ransomware groups were first discovered between 2010 and 2019.

Unpatched systems are open gateways to devastating cyberattacks

VentureBeat has learned of small and mid-tier midwestern U.S. manufacturers having their systems hacked because security patches were never installed. One had its accounts payable system hacked, with attackers redirecting ACH accounts payable entries to funnel all payments to rogue, untraceable offshore accounts.

It’s not just manufacturers getting hit hard with cyberattacks that start with patches being out of date or not installed at all. On May 13, the city of Helsinki, Finland, suffered a data breach because attackers exploited an unpatched vulnerability in a remote access server.

The infamous Colonial Pipeline ransomware attack was attributed to an unpatched VPN system that also didn’t have multifactor authentication enabled. Attackers used a compromised password to gain access to the pipeline’s network through an unpatched system.

Nation-state attackers have the extra motivation of keeping “low and slow” attacks undiscovered so they can achieve their espionage goals, including spying on senior executives’ emails, as Russian attackers did inside Microsoft, or stealing new technologies or source code. Such campaigns commonly go on for months or years.

A quick first win: get IT and security on the same page with the same urgency

Ivanti’s most recent state of cybersecurity report finds that 27% of security and IT departments are not aligned on their patching strategies and 24% don’t agree on patching cycles. When security and IT are not on the same page, it makes it even more challenging for overworked IT and security teams to make patch management a priority.

Six in ten breaches are linked to unpatched vulnerabilities. The majority of IT leaders responding to a Ponemon Institute survey, 60%, say that one or more of the breaches potentially occurred because a patch was available for a known vulnerability but not applied in time.

IT and security teams put off patch management until there’s an intrusion or breach attempt. Sixty-one percent of the time, an external event triggers patch management activity in an enterprise. Being in reactive mode, IT teams already overwhelmed with priorities push back other projects that may have revenue potential. Fifty-eight percent of the time, it’s an actively exploited vulnerability that again pushes IT into a reactive mode of applying patches. Seventy-one percent of IT and security teams say patch management is overly complex, cumbersome and time-consuming.

Fifty-seven percent of those same IT and cybersecurity professionals say remote work and decentralized workspaces make patch management even more challenging.

Patch management vendors fast-tracking AI/ML and risk-based management

AI/machine learning (ML)-driven patch management delivers real-time risk assessments, guiding IT and security teams to prioritize the most critical patches first.
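To make “risk-based prioritization” concrete, here is an added example (not code from the article or from any vendor it names) of the kind of scoring that sits underneath such tools: each finding is ranked by its CVSS base score plus bonuses for being on a known-exploited list, sitting on an internet-facing asset, and how long the vendor fix has been left unapplied. The weights, the SLA tiers, the asset names and the `CVE-0000-000x` identifiers are all constructed for illustration.

```python
"""Illustrative risk-based patch prioritisation.

Added example, not any vendor's algorithm. Each finding is an (asset, CVE)
pair; the score combines the CVSS base score with whether the CVE is known
to be exploited, whether the asset is internet-facing, and how long the fix
has been available. All weights and sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str               # constructed placeholder identifiers, not real CVEs
    cvss: float            # CVSS base score, 0.0 to 10.0
    internet_facing: bool  # reachable from the internet?
    known_exploited: bool  # e.g. present in a known-exploited-vulnerabilities feed
    patch_available: date  # date the vendor fix was published


# Assumed weights: active exploitation and exposure outrank raw severity,
# and every year a patch has been ignored adds a little more pressure.
EXPLOITED_BONUS = 5.0
EXPOSED_BONUS = 3.0
AGE_WEIGHT_PER_YEAR = 0.5
AGE_CAP_YEARS = 5.0


def risk_score(f: Finding, today: date) -> float:
    """Return a prioritisation score; higher means patch sooner."""
    score = f.cvss
    if f.known_exploited:
        score += EXPLOITED_BONUS
    if f.internet_facing:
        score += EXPOSED_BONUS
    age_years = (today - f.patch_available).days / 365.25
    # Clamp: ignore future-dated fixes, and cap the age contribution.
    score += min(max(age_years, 0.0), AGE_CAP_YEARS) * AGE_WEIGHT_PER_YEAR
    return round(score, 2)


def remediation_sla_days(score: float) -> int:
    """Map a score to an assumed remediation deadline in days."""
    if score >= 15:
        return 3
    if score >= 10:
        return 14
    if score >= 7:
        return 30
    return 90


def prioritize(findings, today: date):
    """Return (finding, score) pairs, most urgent first."""
    scored = [(f, risk_score(f, today)) for f in findings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed inventory: note the CVSS 6.5 VPN flaw that is exploited and
# exposed versus the CVSS 9.1 flaw on an isolated lab machine.
AS_OF = date(2024, 6, 1)
SAMPLE_FINDINGS = [
    Finding("web-gw-01", "CVE-0000-0001", 9.8, True, True, date(2019, 5, 1)),
    Finding("hr-db-02", "CVE-0000-0002", 7.5, False, False, date(2023, 11, 15)),
    Finding("vpn-01", "CVE-0000-0003", 6.5, True, True, date(2021, 1, 10)),
    Finding("lab-pc-07", "CVE-0000-0004", 9.1, False, False, date(2024, 5, 20)),
]


def prioritized_sample():
    """Rank the constructed inventory: list of (asset, score, sla_days)."""
    return [(f.asset, s, remediation_sla_days(s))
            for f, s in prioritize(SAMPLE_FINDINGS, AS_OF)]


if __name__ == "__main__":
    for asset, score, sla in prioritized_sample():
        print(f"{asset:<12} score={score:5.2f}  fix within {sla} days")
```

Run as a script it lists the four findings in patch order. The point the ranking makes is the one the article makes: the internet-facing VPN with a medium CVSS score but a known exploit and a three-year-old unapplied fix lands in the three-day tier, while the critical-severity flaw on an isolated lab PC drops to the 30-day tier. Swapping the constructed bonuses for a real known-exploited feed and an asset inventory is what turns this sketch into a risk-based process.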

The GigaOm Radar for Patch Management Solutions Report, courtesy of Tanium, highlights the unique strengths and weaknesses of the leading patch management providers. Its timeliness and depth of insight make it a noteworthy report. The report includes 19 different providers.

“CISOs and security leaders need to understand how all of their systems and processes impact their proactive security program,” Eric Nost, senior analyst at Forrester, told VentureBeat. “So my advice is to start with visibility – do you know your environment, the assets that are within it, the control environment, and the impact if these are jeopardized? From there, CISOs can begin to implement a comprehensive prioritization strategy – with patch management and responding to these exposures as the last step.”

“Good patch management practices in the current global environment require identifying and mitigating the root causes responsible for cyberattacks,” said GigaOm analyst Ron Williams. “Patch management also requires the proper tools, processes, and methods to minimize security risks and support the functionality of the underlying hardware or software. Patch prioritization, testing, implementation tracking, and verification are all part of robust patch management.”

Leading vendors include Automox, ConnectWise, Flexera, Ivanti, Kaseya, SecPod and Tanium…

Continue Reading: VentureBeat

By Louis Columbus