Amid staffing shortages and limited budgets, organizations and government agencies are struggling to strike a balance between enhancing productivity and ensuring proper cyber hygiene, making it difficult to effectively defend against cyber threats.

Twitter is just the latest example of this – the whistleblower complaint filed by the company’s former security boss demonstrates that the company may prioritize feature functionality over strong cybersecurity (i.e., measuring key risk indicators, delivering secure code, maintaining secure devices).

Meanwhile, attacks are increasingly overwhelming in boldness, sophistication and volume. Even well-staffed, well-funded IT and security teams are effectively grasping at straws – unless they have a risk-based patch management solution in place.

RBPM means narrowing down active threat mitigation efforts and patching to the highest priority threats. These priorities are determined based on both external threat context and the internal security environment of an individual federal organization.

Patching is not nearly as simple as it sounds, and government security teams often don’t get around to it amidst other pressing demands. In a recent survey by Ivanti, 71% of IT and security professionals reported that they found patching to be both time-consuming and complicated. An RBPM program – especially one enhanced by certain best practices – can reduce risk without increasing workload.

Here are five of those best practices:

Start with asset discovery

You can’t protect what you can’t see. A team can be working around the clock to create patches for specific threats and specific assets and still miss the boat if they’re not aware what they actually need to be patching. That’s wasted effort – and a huge point of vulnerability. That’s why any RBPM program must start with asset discovery.

What assets are on your network? Which end user profiles use those assets? In the pre-pandemic era, asset management was more straightforward: what and who are behind our perimeter, in our office? In the modern everywhere workplace, assets and end users are dispersed. That calls for a modern approach to asset management – one that can discover, map, secure, and service any asset, anywhere – even when they’re offline.

Once you know what you need to protect, you can start protecting it.

Get everyone on the same page

Despite best intentions, IT operations and security teams are often working in conflict – simply by the nature of their roles and areas of focus. RBPM creates a bridge between these organizations, demanding that external threats and internal security environments are considered in tandem.

In order for these organizations to work together, they must all have the same information as well as mutually acknowledged risk analysis. When everyone is on the same page, security can stop treating everything as an urgent risk and can prioritize the most critical vulnerabilities. IT operations can stop feeling like they’re drinking from a firehose and make time for the right patches at the right time.

Leverage an SLA for patch management

You already know that security and IT operations need to work together to create and execute an effective RBPM solution. Of course, it’s one thing to know they need to work together – and quite another to ensure they are enabled, empowered, and motivated to do so.

A service-level agreement (SLA) for patch management between the security and IT operations teams can eliminate back-and-forth and standardize processes for patch management. It should lay out department-level goals and enterprise-wide goals for patch management, establish best practices and processes, and identify maintenance windows that are acceptable for all parties.

Leverage pilot groups for patching

Done right, a RBPM strategy allows IT operations and security teams to work fast, identifying critical vulnerabilities in real-time and working to patch them as soon as possible. Speed is of utmost importance – so long as it doesn’t cause excess collateral damage. A hasty patch runs the risk of crashing mission-critical software or creating other unwanted problems.

The solution: leverage pilot groups featuring key stakeholders who can test vulnerability patches in a live environment prior to full rollout. Optimally, these stakeholders would reflect the device configurations and user roles that will be impacted by a piloted patch. Live environments provide a more accurate assessment than any lab can replicate, and we’re not at the point of being able to perfectly identify potential downstream impacts of patches. If the pilot group identifies a catastrophic error, it can be remedied with minimal enterprise impact. It’s important to predetermine and pretrain pilot groups so this process doesn’t substantially inhibit patch progress.

Embrace automation

The point of RBPM is to mitigate vulnerabilities efficiently and effectively while alleviating the burden on your staff – particularly as IT faces an unprecedented worker shortage. However, it’s still a heavy lift when done manually. Automation can dramatically accelerate the speed and accuracy of a RBPM program, collecting, contextualizing, and prioritizing vulnerabilities around the clock, far faster than even the most talented team could manage.

Automation can also segment a patch rollout to test for efficacy and downstream impacts as well, supplementing the work of the pilot groups mentioned above.

The ability to automatically identify, prioritize, and even address vulnerabilities without excess manual intervention is a critical advantage in today’s cybersecurity landscape. That’s why it’s so concerning that, according to Twitter’s former head of security, around 30% of the company’s laptops had automatic software updates blocked. This, along with other security failures, resulted in Twitter suffering more than 50 incidents in the past year.

As a RBPM solution is dependent on the nuances of a particular organization or federal agency, there isn’t a one-size-fits-all RBPM strategy. These best practices, however, can inform any RBPM program – and make all the difference in the world.

Srinivas Mukkamala is Senior Vice President, Security Products at Ivanti. Prior to Ivanti he was a Co-Founder and CEO of RiskSense, a risk-based vulnerability management company, and was part of a think tank that collaborated with the U.S. Department of Defense and U.S. Intelligence Community on applying these concepts to cybersecurity problems.

In Other News
Load More