Patch management vs vulnerability management
What exactly is patch management, and why should IT pros sit up and take notice of doing it properly?
Cyber security is always going to be a number one issue for any organisation, and one of the most effective ways of protecting a business is to deploy and maintain robust patch management and vulnerability management policies.
However, there exists some confusion around the scope of each term, and it’s not unheard of for patch management and vulnerability management to be used interchangeably, despite being distinctly different processes.
Simply put, patch management is the systematic process of applying software updates to address specific flaws. Although there are commonalities, patch management is a far narrower category than vulnerability management, with the former being just one part of the latter.
Vulnerability management concerns itself more with the establishment of a framework designed to combat vulnerabilities across an organization, with patch management being one of a number of processes deployed to achieve this.
As vulnerability management is considered a much broader field than patch management, the steps needed to create an effective strategy are far more nuanced and incorporate a larger number of stakeholders.
We explain the key differences between vulnerability management and patch management below, and break down the importance of each.
What is patch management?
Patch management is the process of updating all software within a company, using the most current versions released by the manufacturer, in order to fix bugs that have been discovered after release. This includes enterprise-level products like server operating systems and database products, as well as more basic tools like Internet Explorer and Adobe Flash.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Patch management can be done manually on a machine-by-machine basis, but it's much more commonly performed using centralised management tools. This can involve dedicated patch management software, which allows IT teams to set policy-based rules for the automatic application of patches. These can be scheduled around business hours to ensure that patch application results in minimal downtime and loss of productivity.
Why is patch management important?
Unpatched systems are one of the easiest attack vectors for criminals looking to gain access to corporate networks. Hackers and security researchers are constantly discovering new vulnerabilities, and companies are constantly issuing patches to deal with them. If those patches are not applied, however, cyber criminals have an easy entry point into your networks.
Patch management also ensures that all your enterprise equipment keeps working as it should. Technology is a notoriously fickle beast, and even minor software bugs can lead to major headaches and plummeting employee productivity. Timely application of patches ensures that any potential problems can be resolved as soon as possible before the cost of downtime starts to get out of control.
Knowing when not to apply an update can be just as important for good patch management, however. New software updates can cause compatibility issues between different systems or can introduce new bugs of their own. Good patch management often involves making a judgement call on whether the security benefits of installing a potentially buggy patch outweigh the inevitable downtime.
What is vulnerability management?
Vulnerability management gives a business an overview of your security posture as a whole. It gives you a sense of which areas of your infrastructure are most at risk, which allows you to not only prioritise security remediation but also helps inform future IT investment.
There are a variety of models available for deploying vulnerability management, with a differing number of steps depending on the one you choose. However, generally they all include four main steps. First of all, there’s the scan, then assessment of risk, followed by the prioritisation of vulnerabilities, before the final step of continuous management.
Scanning / discovery
The first phase, discovery, involves assessing all assets across the breadth of your IT infrastructure, including servers, laptops, printers, screens, and backup appliances. Essentially all devices that may be connected to a corporate network count, as well as software that’s running. The discovery process must ascertain whether the developer still supports the software with security patches, and how up-to-date the software is.
This process may be arduous and lengthy, but putting in the hard work at this stage is crucial. It’s essential to ascertain a complete picture of the systems the business relies on, with unpatched hardware introducing needless gaps into the setup.
One of the tools in the CISO armoury is the use of the Common Vulnerabilities and Exposures (CVE) glossary. This is a project maintained by Mitre, funded by the US Department of Home Security, that will catalogue every vulnerability that has so far been identified, ensuring that managers have up-to-date information at their fingertips.
The scanning process will involve routing TCP/IP traffic across a corporate wide network this will enable managers to ascertain where possible weaknesses are. It’s an exhaustive process and there could be downsides insofar as that level of network traffic could lead to the slowing down of the system.
Assess
The second stage is assessing what vulnerabilities are present and what the level of risk is. The most common way of doing this is by using the Common Vulnerability Scoring System (CVSS). This assigns a numerical value to the level of risk for all vulnerabilities that have been assessed.
The CVSS score will look at three areas in particular:
- Base metrics for qualities intrinsic to a vulnerability
- Temporal metrics for characteristics that evolve over the lifetime of vulnerability
- Environmental metrics for vulnerabilities that depend on the way that a system has been implemented
All of these groups will be given a numerical score: these will range from 0 to 10, with 10 being the most severe. Different organisations may handle these scores in different ways: some companies will just use the base metrics while some larger organisations – or those with more complex environments – will take temporal and environmental scores into account.
The CVSS scoring system can be found on the Forum of Incident Response and Security Teams, FIRST website.
The reporting phase follows on once you’ve established a full and up-to-date understanding of the IT estate, and what hardware devices and software is connected to the corporate network. This information should be compiled into a report that can be easy to read, accessible and referenceable, detailing the systems that are most vulnerable. This assessment would be based on various criteria such as the severity of unpatched flaws, and how close the systems and applications are to sensitive data.
It's possible to do this automatically using software, with many security platforms allowing you to create reports and 'digests' based on the results of autonomous network scans. Reporting feeds into the next step, prioritisation, and some vulnerability management programmes class them as part of the same stage.
Action
Arguably the most important stage of the vulnerability management process, prioritisation is where you decide the order in which you're going to address the vulnerabilities within your network. This will be based on a number of factors, but the principal things to consider are: how long it will take to fix, how much it will cost to fix and how much risk it poses. Which factor you give the most priority to will likely depend on the individual circumstances of your business, but it's a good idea to prioritise high impact, low-effort fixes where possible.
In many cases, the likelihood of a flaw being exploited, or the potential impact if it is, will be low enough that you can judge leaving it unpatched to be an acceptable risk. Alternatively, the cost of fixing something may be so high as to make it unfeasible with your current resources. The important thing is to be able to identify these acceptable risks and to be aware of them going forward.
Once these vulnerabilities have been assessed and prioritized, there’s a need to look at how those vulnerabilities can be tackled. There are a few options.
The most obvious one is completely fixing the vulnerability so it can’t be exploited and cause damage to the system. Although this is the ideal way forward, it's not always achievable, and so you may need to rely on more creative methods. For example, greater use of segmentation to make sure that those vulnerable areas are more easily isolated. There could also be greater use of measures such as two-factor authentication and encryption to protect any data.
Other measures may be more costly or time-consuming, however, such as creating a patch for your own application or replacing a device that is no longer supported by the manufacturer.
You can also take the decision to mitigate an issue by partly addressing the problems or, as mentioned above, by accepting the risks posed by a particular vulnerability. Once you've completed the response cycle, the process starts again with a fresh round of discovery to see what the state of your network is after your actions to secure it.
Continuous management
Organisations should lastly ensure that there’s an ongoing process of vulnerability management in place once the initial work has been done. This is not just a question of running a sweep of the system and remedying all the vulnerabilities; it’s about establishing a framework going forward that would mean patches are handled effectively, networks have been organised so that any breaches can be isolated, and that staff are fully trained – and continually monitored – to maintain strict control over a corporate-wide system. Any relaxation of this policy could prove very costly indeed.
A programme of end user training can be one of the most effective components of this continuous management. After all, according to a Verizon report, 74 % of breaches are down to poor employee behaviour. These are the people who are opening attachments from unknown sources and downloading unsafe apps. A comprehensive vulnerability management strategy will include an effective training process for employees, so that possible social engineering breaches can be minimised.
Why is vulnerability management important?
Vulnerability management is crucial because it gives you an overview of your security posture as a whole. It gives you a sense of which areas of your infrastructure are most at risk, which allows you to not only prioritise security remediation but also helps inform future IT investment.
More importantly, vulnerability management gives you insights into potential security holes beyond what you can learn from looking at a list of outstanding patches. There may be a piece of software that is known to be vulnerable, for example, but for which a patch is not yet available. In this case, looking at unapplied patches would not have alerted you to the issue.
Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.