Industry best practices demand patching software vulnerabilities as soon as a patch is released, in order to shorten the time period in which the organization is at risk. But industry surveys show that IT organizations are overburdened with patches, and many IT administrators admit they simply can’t keep up. The result? A recent Ponemon study found that nearly 60% of data breaches were caused by exploiting a software vulnerability that was known, but which the victim organization had not yet patched.
Patch management is the process of acquiring, testing and installing updated software. Unfortunately, many organizations find themselves adhering less than strictly to their patch schedule. The reasons are numerous:
The sheer number of patches released across an organization’s typical software stack is overwhelming. For example, consider the number of released security patches in 2015 for just a sample of installed applications:
Windows 7: 120
Adobe Flash: 13
Internet Explorer: 13
If we take 2015 as a representative year and this set of patches for a subset of the standard software stack on endpoint golden images, an organization would need to patch 146 times in a year, an average of one patch every 2.5 days. This is simply infeasible.
Time is money, and patching takes time. You also have the costs of system downtime and productivity loss, which can turn into more than just install and reboot time. Microsoft Azure and Office 365 users worldwide were locked out of their accounts after an update that affected the multi-factor authentication service. And who can forget the patching mess as vendors rushed out unstable fixes after the Meltdown/Spectre bombshell.
You can only patch systems that are inside the VPN and not busy working at the time of the patching process. This means that your most vulnerable machines, those belonging to employees who travel frequently and use dubious WiFi connections in coffee shops, will be patched infrequently at best.
Manual patching does not scale. Automatic patching requires you to review each patch carefully and assess its impact on your business, prior to deployment.
Enter Virtual Patching
The term virtual patching was originally coined a number of years ago by Intrusion Prevention System (IPS) vendors. It is the process of addressing a security vulnerability by blocking attack vectors that could exploit it. Various technologies can be used to shield vulnerabilities before they can be exploited. An organization can therefore be protected without incurring the cost and the operational pain of downtime for emergency patching, patching cycles and, of course, the added cost of breaches in an unpatched system.
Network-Level Virtual Patching
Some vendors believe virtual patching can be implemented only by network solutions that perform packet inspection and match traffic against a database of known vulnerabilities. This would be a reasonable approach if attacks exploiting vulnerabilities had a single, known manifestation – but they don't. Additional problems with this approach are the performance hit of analyzing network packets and comparing them against a large number of signatures, and the resulting slowdown of the network.
Other vendors use a combination of detection with vulnerability scanning. While this may work for known vulnerabilities, it leaves a gap in protection from the time a zero-day is discovered until the solution is updated to include it. And it does not help during the pre-discovery period – which can be months or years – at all.
Morphisec Virtual Patching
Morphisec’s software covers endpoint vulnerabilities exposed by gaps in its clients’ patching cycle and shifts the security paradigm with proactive, early prevention. Our patented Moving Target Defense technology dismantles the attack pathways so unpatched vulnerabilities cannot be exploited. Customers can reduce risk while lengthening their patching cycles, helping their overtaxed IT departments and reducing patching costs.