
How Do You Prioritize What to Patch?

Posted by Kate Ulansky Aharon on September 7, 2022

Today, threat and vulnerability management is more critical than ever, with unpatched vulnerabilities involved in 60 percent of data breaches. Vulnerability tools of all stripes abound, yet for all their features, few offer a clear path to action. Identifying the most impactful patches is a challenge for organizations across borders and industries. According to the Ponemon Institute, an independent cybersecurity research organization, 57 percent of businesses don’t know which vulnerabilities pose the highest risk. Without this critical insight, patching prioritization is impossible.

Vulnerability management tools rely on a variety of sources to prioritize common vulnerabilities and exposures (CVEs). These include CVSS scores, the status of exploits, the age of exploits, and more. Tools that include these data points provide important context, but they overlook one glaring issue. If an application isn’t running, hasn’t run in the past, and/or won’t run in the future, these data points are irrelevant.


Application usage creates an attack surface composed of the application’s contents: executables, services, and libraries. An application’s contents become available in memory at run time, providing points of entry for an attacker who knows how to exploit them. (Read Why Should You Care About In-Memory Attacks?) Hardly any applications are immune. BitDefender reported 76 percent of applications have at least one vulnerability.

However, if an application doesn’t run, its components under the hood are unavailable for both benign and malicious purposes. In other words, an unused application poses almost no risk.

In fact, vulnerability reports that surface unused applications actually increase risk. How? By diverting focus from the most critical patching efforts that truly require your attention. These are the most used applications that make up your largest attack surface, one that’s unique to your organization.


Deciding What to Patch

CVEs are the gateway for some of today’s most devastating threats, including many strains of ransomware. (Read How to Resolve the Ransomware Security Gap.) While patching is the first line of defense across the board, patching the right things—rather than everything—is key to effective security.

With an overwhelming list of patches to implement, it’s impossible for most cybersecurity teams to address every vulnerability, or even every high severity vulnerability.

Invisible vulnerabilities can’t be prioritized and patched, so vulnerability visibility is fundamental to cyber hygiene. Once vulnerabilities are identified, time is of the essence. However, patch times remain glacially slow. Heimdal Security reports the average time to patch is 67 days.

The result: attackers have plenty of time to exploit unpatched weaknesses for malicious ends like stealing data, encrypting files, or denying service.


What’s at Stake?

Unfortunately, creating a patch doesn’t eliminate an application from an attacker’s list of targets. This is because on average, it takes between 60 and 150 days for a business to patch a vulnerability, leaving a potentially catastrophic gap in exposure. In fact, because patches are usually reverse engineered, it's often easier for an attacker to create an exploit after a patch is released and before it’s implemented.

Vulnerabilities are the top way ransomware is perpetrated, and in 2019, 60 percent of breaches were due to unpatched vulnerabilities. The average cost of a security breach hovers around $4 million, which is particularly galling given most breaches could have been prevented by a patch.


Third Party Applications Require Dedicated Monitoring

Patching is required at all levels of an environment—hardware, OS, and network. But there is a particular challenge inherent in managing the vulnerabilities of the hundreds of disparate third party applications like Slack, Zoom, Python, and Docker installed across organizational endpoints.

A 2019 Okta study found nearly 10 percent of businesses have more than 200 applications installed on average, and the number of applications deployed by large firms had increased 68 percent over the prior four years. Organizations need a centralized view of third party applications to ensure the right things get patched, and the wrong things aren’t installed.

Top of mind for vulnerability assessment is the infamous “unholy trinity” of applications from which a notably high number of vulnerabilities tend to originate: Acrobat Reader, Chrome, and Java. Not only are these applications frequent sources of vulnerabilities, they are also frequently used, making them weak links in every organization’s security posture.


Threat and Vulnerability Management Requires Visibility

So how can you get the visibility you need into application usage to effectively prioritize patches? Morphisec Scout’s technology shows third party Windows applications installed in your environment, providing vulnerability visibility into hundreds of the most commonly used applications so you can improve your IT hygiene.

Uniquely in the market, Scout prioritizes which applications to patch based on CVE severity as well as application usage. This reflects the true risk posed to your specific organization on a daily basis. Scout provides a clear path to patching priority, saving you the work of deducing risk from general data points. It facilitates a healthier security posture by eliminating risk factors such as applications that are unused, out-of-date, or out-of-policy. This lets you focus patching efforts on the applications that will make the biggest dent in your organization's exposure.
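To make the usage-weighted idea from the sections above concrete, here is an added Python example of a simple prioritization model: severity from the CVSS score (raised when a public exploit exists) is scaled by the number of endpoints where the application actually ran, so an installed-but-unused application scores zero and is routed to a retire list instead of the patch queue. This is illustrative code written for this page; it is not Morphisec Scout’s scoring method, and the inventory data, the CVE identifiers (placeholders, not real CVEs) and the exploit weight are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Cve:
    cve_id: str
    app: str
    cvss: float           # CVSS base score, 0.0 to 10.0
    exploit_public: bool  # a public exploit is known to exist


@dataclass(frozen=True)
class Usage:
    app: str
    installed_hosts: int  # endpoints where the app is installed
    active_hosts: int     # endpoints where the app actually executed in the window


# Constructed weighting (assumption): a known public exploit raises severity by 50 percent.
EXPLOIT_WEIGHT = 1.5


def severity(cve: Cve) -> float:
    """Normalize CVSS to 0..1 and apply the exploit-availability weight."""
    base = cve.cvss / 10.0
    return base * EXPLOIT_WEIGHT if cve.exploit_public else base


def exposure_score(cve: Cve, usage: Usage) -> float:
    """Severity scaled by the endpoints where the app really runs.

    An installed-but-never-run app has active_hosts == 0 and therefore scores 0,
    so it can never outrank an application that is actually loaded in memory.
    """
    return round(severity(cve) * usage.active_hosts, 2)


def prioritize(cves: List[Cve], usages: List[Usage]) -> Dict[str, list]:
    """Split findings into a ranked patch queue, a retire list, and a telemetry gap list."""
    by_app = {u.app: u for u in usages}
    patch, retire, needs_telemetry = [], [], []
    for cve in cves:
        usage = by_app.get(cve.app)
        if usage is None:
            # No usage telemetry: the finding cannot be ranked honestly, so surface it for inventory work.
            needs_telemetry.append(cve.cve_id)
        elif usage.active_hosts == 0:
            # Installed but unused: removing the app closes the exposure faster than patching it.
            retire.append((cve.cve_id, cve.app))
        else:
            patch.append((cve.cve_id, cve.app, exposure_score(cve, usage)))
    patch.sort(key=lambda row: row[2], reverse=True)
    return {"patch": patch, "retire": retire, "needs_telemetry": needs_telemetry}


# Constructed sample inventory. CVE identifiers are placeholders, not real CVEs.
SAMPLE_CVES = [
    Cve("CVE-0000-0001", "Java", 9.8, True),
    Cve("CVE-0000-0002", "Chrome", 8.8, False),
    Cve("CVE-0000-0003", "Acrobat Reader", 7.8, True),
    Cve("CVE-0000-0004", "LegacyFTP", 9.9, True),   # highest CVSS, but the app never runs
    Cve("CVE-0000-0005", "Slack", 6.5, False),      # no usage telemetry collected for this app
]
SAMPLE_USAGE = [
    Usage("Java", 400, 120),
    Usage("Chrome", 950, 900),
    Usage("Acrobat Reader", 800, 300),
    Usage("LegacyFTP", 60, 0),
]


def sample_plan() -> Dict[str, list]:
    return prioritize(SAMPLE_CVES, SAMPLE_USAGE)


if __name__ == "__main__":
    plan = sample_plan()
    for cve_id, app, score in plan["patch"]:
        print(f"PATCH  {score:>8}  {app:<15} {cve_id}")
    for cve_id, app in plan["retire"]:
        print(f"RETIRE           {app:<15} {cve_id}")
    for cve_id in plan["needs_telemetry"]:
        print(f"NO-TELEMETRY     {cve_id}")
```

Sorting by CVSS alone would put the never-running LegacyFTP finding first; weighting by active endpoints moves Chrome to the top of the patch queue, sends LegacyFTP to the retire list, and flags the Slack finding as a telemetry gap rather than silently scoring it as safe.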

Learn more about Morphisec Scout and how it can uniquely reduce your security risk—request a demo now.