Patch Tuesday has rolled around again, but if you don’t rush to implement the feast of fixes it delivered, your security won’t be any worse off in the short term – and may improve in the future.

That’s the opinion of Craig Lawson, a Research Vice President at analyst Gartner, who on Wednesday told the firm’s Infrastructure, Operations & Cloud Strategies Conference: “Nobody has ever out-patched threat actors at scale.”

Lawson said he has discussed patching with hyperscalers, banks, retailers, and government agencies. None told him they were able to stay on top of patching.

The analyst thinks most organizations therefore can’t understand their level of “threat debt” – a measure of technical debt focused on known but unfixed security exposures – but wrongly think accelerating patching efforts is the way to reduce it.

Lawson thinks that’s folly, because developers issue more patches than users can implement safely.

“Patches break things,” he said, or are so complex to implement that the work may not be worth it. “You can’t patch Java because there might be five other subsystems that need a patch before you patch Java.”

The effort required to determine if a patch will have unintended consequences may also be ineffectual, because his research suggests criminals exploit just 8-9 percent of vulnerabilities and most of the flaws they target aren’t rated critical – cybercrims focus on less serious problems.

“We are not in the age of industrialized vulnerability exploitation,” he said, and attackers sometimes ignore even nasty zero-days.

“State actors are reluctant to use them because it is a boomerang – use it and it will come back and hit me in the face,” the analyst added.

Futile flurry

Lawson thinks organizations try to implement all patches anyway, sometimes to meet internal metrics for speedy patching, or to ensure they meet regulatory compliance requirements.

But such practices haven’t led to a decrease in successful attacks.

“Imagine if this was a serious discipline like building bridges and someone said, ‘Hey, we have to stop bridges falling down.’ Then you spend all this extra money to make sure that doesn’t happen, and then more bridges fell down,” he said.

“You think someone would come along and say, ‘Do you even know why bridges fall down in the first place?’”

Lawson says company directors are now asking that sort of question in boardrooms, and one answer which often emerges is patches aren’t necessary because organizations have controls in place to compensate for unpatched systems.

He suggests orgs develop a “cohabitation metric” that explains how to live with unpatched systems by considering compensating controls that can ameliorate a flaw, and how patching is an extra control that organizations can apply at the appropriate time.

Lawson wants IT operations and security people to share that metric with applications teams, and anyone else with a stake in an org’s security posture, so they can jointly develop a plan on what to patch and when.

“You don’t make a population healthy by giving everyone an aspirin,” he said. “You give them individual treatment.”

Creating that tailored plan requires collaboration across an organization to identify security needs and the patches that IT pros can most easily implement and therefore put high on a to-do list, Lawson says.
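As an added illustration of how such a cohabitation metric might be put into practice (example code written for this page, not from the article or from Gartner), the Python below ranks a handful of constructed exposures by residual risk net of compensating controls against the cost of patching them. The scoring weights, the use of the article's 8-9 percent figure as a base rate for flaws with no exploitation evidence, and all sample data are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Exposure:
    name: str
    severity: float               # vendor/CVSS-style base score, 0..10
    known_exploited: bool         # evidence of in-the-wild exploitation
    internet_facing: bool
    compensating_controls: float  # 0..1: share of attack paths existing controls block
    patch_risk: float             # 0..1: estimated chance the patch breaks something
    dependencies: int             # other subsystems that must be patched first


def residual_risk(e: Exposure) -> float:
    """Risk that remains after compensating controls (assumed weighting)."""
    # Assumption: ~9% of flaws get exploited, so unexploited ones get that base rate.
    likelihood = 1.0 if e.known_exploited else 0.09
    exposure = 1.0 if e.internet_facing else 0.5
    return e.severity * likelihood * exposure * (1.0 - e.compensating_controls)


def patch_cost(e: Exposure) -> float:
    """Relative effort/breakage cost of applying the patch (assumed weighting)."""
    return 1.0 + 4.0 * e.patch_risk + e.dependencies


def patch_priority(e: Exposure) -> float:
    return residual_risk(e) / patch_cost(e)


def cohabitation_plan(exposures, threshold: float = 0.5):
    """Return (name, decision) pairs, highest priority first.

    'patch' when residual risk per unit of effort clears the threshold,
    otherwise 'cohabit': live with it under existing controls for now.
    """
    ranked = sorted(exposures, key=patch_priority, reverse=True)
    return [(e.name, "patch" if patch_priority(e) >= threshold else "cohabit")
            for e in ranked]


# Constructed sample inventory (not real systems or CVEs).
SAMPLE = [
    Exposure("java-runtime", 9.8, False, False, 0.7, 0.6, 5),
    Exposure("web-proxy", 6.5, True, True, 0.2, 0.1, 0),
    Exposure("internal-db-zero-day", 10.0, False, False, 0.9, 0.3, 1),
    Exposure("vpn-appliance", 7.2, True, True, 0.0, 0.2, 0),
]

if __name__ == "__main__":
    for name, decision in cohabitation_plan(SAMPLE):
        print(f"{name:22s} {decision}")
```

Note how the critical-rated but well-contained internal flaws fall below the medium-rated, actively exploited edge systems, which is the ordering the article's "8-9 percent" argument implies.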

And while creating that plan, don’t feel that going slow on patching is a sign of failure. “People are made to feel bad, while everyone else is killing it,” he said. “The reality is patching sucks for everyone.” ®