In 2017, a major American credit bureau suffered one of the largest data breaches in history. Over 150 million people had their private records exposed as a result of this breach, ultimately resulting in hundreds of millions of dollars of financial damage to the organization (not to mention an incalculable amount of reputational damage). The cause? A vulnerable instance of the Apache Struts web framework for which a critical patch had been released over two months prior.
While the impact of this hack is one of the most extreme in history, it is a particularly valuable story for illustrating both the need for patch management and the consequences of failing to take it seriously.
But, what exactly is patch management? In a nutshell, patch management is the process of ensuring that the software your organization relies on remains up-to-date and protected against any known vulnerabilities. This can be done either manually or (better yet) automatically, but the underlying process is often the same:
- Build and maintain an inventory of all software that is running on company resources.
- Search for any known vulnerabilities in every version of the software that is currently running.
- Identify potential patches, upgrades or other remediation methods for endpoints running vulnerable software, keeping in mind that upgrading one piece of software might require upgrading others.
- Execute the selected remediation method on identified endpoints.
Building a Software Inventory
As you can imagine, there are a number of challenges associated with building out a robust patch management solution. For one, inventorying all of the software running within an organization can be a monumental task. You have to scan and catalog what is running on every machine (virtual or otherwise), and if you want to do that automatically, you usually have to rely on an agent-based solution, which means installing yet another piece of software on every endpoint you want to manage.
Thankfully, in the context of cloud computing, there are a number of different ways that you can scan for vulnerable software within your infrastructure without having to rely on a potentially vulnerable agent. One popular solution is storage scanning, which allows you to simply scan the disk storage of your cloud computing resources for software rather than scanning the resources themselves.
Uncovering Potential Vulnerabilities
Once you’ve got a list of software, software versions and all associated endpoints, you next need to identify which ones are vulnerable. In some agent-based solutions, the device can be used as the source of truth. For example, Windows Update will not only directly report which software has available updates, but also which vulnerabilities those updates will mitigate. This is a reliable method of vulnerability identification, but it can be resource-intensive in a large environment and is prone to per-endpoint errors.
Another common method for identifying known vulnerabilities is the National Vulnerability Database (NVD), run by the National Institute of Standards and Technology, which catalogs every known software vulnerability (each one a Common Vulnerabilities and Exposures entry, or CVE). Using this database can be more difficult, as tying a software package name to the NVD’s own Common Platform Enumeration (CPE) format is a tricky process, but one that is far less error-prone once understood.
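As an added example (not code from the original article), the following script ties together the inventory and lookup steps described above: it maps inventory package names to CPE 2.3 names through an assumed vendor/product mapping and checks each version against constructed NVD-style affected ranges. The inventory, the CVE records and their placeholder ids are all constructed for the example.

```python
import re

# Assumed mapping from inventory package names to CPE vendor/product pairs;
# keeping this mapping current is the "tricky process" the article mentions.
CPE_MAP = {"struts": ("apache", "struts"), "openssl": ("openssl", "openssl")}

def to_cpe(package, version):
    """Build a CPE 2.3 formatted string for one inventory entry."""
    vendor, product = CPE_MAP[package]
    return f"cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*"

def parse_version(v):
    """Turn '2.3.31' into (2, 3, 31) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def in_range(version, match):
    """Apply an NVD-style range: inclusive start, exclusive end, either optional."""
    v = parse_version(version)
    start, end = match.get("versionStartIncluding"), match.get("versionEndExcluding")
    if start and v < parse_version(start):
        return False
    if end and v >= parse_version(end):
        return False
    return True

# Constructed NVD-like records; the CVE ids are placeholders, not real ids.
CVE_RECORDS = [
    {"id": "CVE-0000-0001", "matches": [
        {"cpe": "cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "2.3.5", "versionEndExcluding": "2.3.32"}]},
    {"id": "CVE-0000-0002", "matches": [
        {"cpe": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*",
         "versionEndExcluding": "1.1.1"}]},
]

def find_vulnerable(inventory, records=CVE_RECORDS):
    """Map each (host, package, version) entry to the CVE ids covering it."""
    findings = {}
    for host, package, version in inventory:
        cpe = to_cpe(package, version)
        # Match on the part:vendor:product fields, then on the version range.
        hits = [r["id"] for r in records
                if any(m["cpe"].split(":")[2:5] == cpe.split(":")[2:5]
                       and in_range(version, m) for m in r["matches"])]
        if hits:
            findings[(host, package, version)] = hits
    return findings

# Constructed inventory: (host, package, version)
INVENTORY = [("web-01", "struts", "2.3.31"), ("web-02", "struts", "2.3.32"),
             ("db-01", "openssl", "1.0.2")]
```

Running `find_vulnerable(INVENTORY)` flags web-01 and db-01 but not web-02, whose version sits exactly at the exclusive end of the affected range.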
Implementing Remediation Methods and Strategies
While identifying vulnerable software might seem like the most difficult aspect of patch management, the real challenge is actually fixing those vulnerabilities. Remediating a vulnerable piece of software can happen in one of three ways: upgrade, isolate or eliminate. Upgrading should be pretty self-explanatory. You have an out-of-date piece of software that you want to make not-so-out-of-date. Easy enough, right?
Well, first you have to find an update. In some circumstances, this is managed through built-in package managers like Windows Update or Aptitude, but in others, it’s not so simple. Different application developers often use different methods for applying updates, and often the original installation method itself determines how an update should get applied. Homebrew, for example, is a common solution for installing software development packages on macOS, while Chocolatey has been used as a third-party package manager on Windows.
But what do you do if you can’t find an available update or patch? This is where you have two choices: isolate or eliminate. Isolating a piece of software can be non-trivial, but in many corporate environments, critical software has a tendency to long outlive its support cycle (or even the company that originally built it). In these circumstances, finding ways to isolate perpetually vulnerable software from the rest of your infrastructure is critical (although exactly how you might do that is beyond the scope of this article).
And if there is no way to effectively isolate a vulnerable package? Then it’s time to eliminate it. If you’re relying on automation, this could mean uninstalling it entirely, or (if you’d prefer to be a little less disruptive) it could mean simply quarantining the resource it is running on until you can find a more appropriate replacement (or manual solution).
Streamline Cloud Patch Management with Automation
It should come as no surprise that effective patch management requires automation. In our current cloud-heavy ecosystem, it is not only impractical to manually perform any of the steps listed above, but it is also effectively impossible. As with all other branches of cybersecurity, vulnerabilities are reported faster than they can be mitigated, which means that being able to respond to them in a timely manner can make the difference between being on the front page of the news or living to fight another day.