
Virtual Patching as Part of a Patch Management Strategy

Posted by Netta Schmeidler on January 24, 2019

Industry best practices demand patching software vulnerabilities as soon as a patch is released, in order to shorten the time period in which the organization is at risk. But industry surveys show that IT organizations are overburdened with patches, and many IT administrators admit they simply can’t keep up. The result? A recent Ponemon study found that nearly 60% of data breaches were caused by exploiting a software vulnerability that was known, but which the victim organization had not yet patched.

Patch Management

Patch management is the process of acquiring, testing, and installing updated software. Unfortunately, many organizations find themselves adhering less than strictly to their patch schedule. The reasons are numerous:

Quantity

The sheer number of patches released across an organization’s typical software stack is overwhelming. For example, consider the number of released security patches in 2015 for just a sample of installed applications:

  • Windows 7: 120

  • Adobe flash: 13

  • Internet Explorer: 13

Taking 2015 as a representative year, and counting only the patches for this subset of the standard software stack on endpoint golden images, an organization would need to patch 146 times in a year, an average of one patch every 2.5 days. This is simply not feasible.

Cost

Time is money, and patching takes time. You also have the costs of system downtime and productivity loss, which can amount to far more than just the install and reboot time. Microsoft Azure and Office 365 users worldwide were locked out of their accounts after an update that affected the multi-factor authentication service. And who can forget the patching mess as vendors rushed out unstable fixes after the Meltdown/Spectre bombshell?

Organizational LAN

You can only patch systems that are inside the VPN and not busy at the time of the patching process. This means that your most vulnerable machines, those belonging to employees who travel frequently and use dubious WiFi connections in coffee shops, will be patched infrequently, in the best of cases.

Scale

Manual patching does not scale. Automatic patching still requires you to review each patch carefully and assess its impact on your business prior to deployment.

Enter Virtual Patching

The term virtual patching was originally coined a number of years ago by Intrusion Prevention System (IPS) vendors. It is the process of addressing a security vulnerability by blocking attack vectors that could exploit it. Various technologies can be used to shield vulnerabilities before they can be exploited. An organization can therefore be protected without incurring the cost and the operational pain of downtime for emergency patching, patching cycles and, of course, the added cost of breaches in an unpatched system.

Network-Level Virtual Patching

Some vendors believe virtual patching can be implemented only by network solutions that perform packet inspection and match traffic against a database of known vulnerabilities. This would be a reasonable approach if attacks exploiting vulnerabilities had a single, known manifestation – but they don't. Additional problems with this approach are the performance hit of analyzing network packets and comparing them against a large number of signatures, and the resulting slowdown of the network.

Vulnerability Scanning

Other vendors combine detection with vulnerability scanning. While this may work for known vulnerabilities, it leaves a gap in protection from the time a zero-day is discovered until the solution is updated to include it. And it does not help at all during the pre-discovery period, which can be months or years.

Morphisec Virtual Patching

Morphisec’s software covers endpoint vulnerabilities exposed by gaps in its clients’ patching cycle and shifts the security paradigm with proactive, early prevention. Our patented Moving Target Defense technology dismantles the attack pathways so unpatched vulnerabilities cannot be exploited. Customers can reduce risk while lengthening their patching cycles, helping their overtaxed IT departments, and reducing patching costs by simply applying this patch management strategy.
