Patch management vs. vulnerability management: Key differences
Although both patch and vulnerability management are intertwined, they differ in critical ways, and it's important to have tools and processes for executing both.
You may think that if your IT organization is doing patch management, you're covering the bases when it comes to good security hygiene. However, there is more at stake, and experts say it is important for IT to go a step further and implement vulnerability management.
Most vulnerability management strategies are not mature, according to "Cost and Consequences of Gaps in Vulnerability Response," a report from the Ponemon Institute. Nearly 60% of cyber attack victims said installing an available patch would have prevented their breach, and 39% said they knew about a vulnerability before an attack occurred -- but never fixed it.
Also troubling is that 37% of the victims of cyber attacks said they never scan their networks and systems to see what they need to patch, according to the report.
Patch management is just one part of vulnerability management. Here's a deep dive into their differences, the important places they overlap and software options for automating them.
What is vulnerability management?
Vulnerability management is the process of managing the full, end-to-end lifecycle of security vulnerabilities from discovery to prioritization to remediation -- where a vulnerability is eliminated or mitigated to such a point that it poses minimal risk, said Mehul Revankar, vice president of vulnerability management, detection and response at Qualys, a provider of security and compliance software.
With vulnerability management software, IT can scan all the machines on a network, whether desktops or servers, and get back a report listing the known vulnerabilities, typically in order of criticality from high to low, according to Joshua Skeens, chief operating officer at Logically, a managed service provider (MSP).
From there, IT can do discovery on those vulnerabilities and determine what they mean to the organization's environment. "You may have a machine with a vulnerability, but because of where you have it on the network it doesn't necessarily pertain to you," he said.
What is patch management?
Patch management is the process, often executed in specialized software, of identifying, acquiring, testing and installing software patches, or code changes, on a computing device. A patch is meant to fix bugs, address security issues or add new features.
Patching is about plugging a security hole or applying a fix to software, said Matthew Hodson, co-founder and CIO of Valeo Networks, another MSP. In contrast, he said, "vulnerability management is the continual process of discovering, prioritizing, and then reporting and remediating a security vulnerability."
Both processes can take place on laptops, backup systems, servers, email, firewalls, endpoints and systems that run in the cloud, Hodson said.
Vulnerability management in action
As an insurance company, Aflac operates in a highly regulated industry. It scans over 50,000 assets across its global business for vulnerabilities every week so it can demonstrate to regulators that remediation work has been completed correctly.
By using Qualys vulnerability management, detection and response (VMDR) software to scan its assets for vulnerabilities, Aflac met regulatory requirements and cut key reporting tasks from weeks to minutes and has identified hidden vulnerabilities, according to Revankar.
"Aflac went from [about] 42,000 critical or high-severity vulnerabilities to more than 185,000 vulnerabilities almost overnight," he said. Within six months of using VMDR, the company reduced the vulnerabilities to 80,000 -- a more than 55% reduction, according to Revankar.
Where patch management and vulnerability management are similar and overlap
Vulnerability management and patch management are similar in that they are "deeply intertwined" and require IT and security teams to closely collaborate to achieve their respective goals, said Dave Gruber, a senior analyst at Enterprise Strategy Group (ESG), a division of TechTarget. Both require a comprehensive inventory of the hardware assets being used, the software operating on them and their configuration details.
The key difference between vulnerability management and patch management is that the former is designed to unveil risks and prioritize those risks based upon level of severity, whereas the latter assists in remediating risk by upgrading software to the most recent versions, according to Eran Livne, director of product management for endpoint remediation at Qualys.
"In some cases, the upgrade will solve the security risk, but in other cases it will only be partially solved, with constant monitoring or additional security measures needed," Livne said.
Timely patch management is critically important because more than 90% of exploitations occur after the patch for a vulnerability has been released, Skeens said.
"If you're not quickly and frequently patching, you remain highly exposed," he said, adding that in today's landscape he wouldn't run a business without both patch and vulnerability management.
With both approaches at their disposal, IT professionals sometimes have to decide which one is best for solving a given problem. For example, they could go to the software vendor to download and apply a patch to close a security gap, or they could close or limit access to the system using network access control or role-based access control (RBAC) -- a vulnerability management approach.
Patch management vs. vulnerability management: Tool differences
While vulnerability assessment tools and patch management tools typically operate independently and are deployed and managed by different people, they support common workflows, notably in risk assessment, prioritization and mitigation of vulnerabilities, Gruber said.
A patch management system, however, cannot tell you whether there is a vulnerability in a piece of software; a vulnerability management system can, Skeens said. A patch management system will instead notify IT that it is running three versions behind on a software system and needs to update it, he said.
Where they overlap is in using a patch management system to implement patches that the vulnerability management tool identified, Skeens said.
"You're not typically going to find a vulnerability management system that's all-in-one, meaning it won't patch the systems for you, only report on what it found," he said. "Then you need to leverage a patch management system to apply the patches."
This is why it is important to have a strong patch management process, Skeens noted, "because if you find 40 vulnerabilities, you need to have a process to determine which you apply first and then what machines do you apply [the patches] to."
Best practices for vulnerability and patch management
There is no silver bullet when it comes to vulnerability and patch management. "However, with significant product innovations and workflows, organizations can now follow modern best practices to significantly reduce security risk across their environment," Livne said.
First and foremost, implementing patch management without first practicing vulnerability management is futile -- they must work together, he stressed.
"Unfortunately, within most organizations, these two processes are carried out by completely different teams using completely different tools," Livne said. "Vulnerability management is typically overseen by the security team, while patch management is owned by dedicated applications and IT teams using a separate set of tools. This structure severely complicates remediation processes, sometimes leaving organizations to deal with tens of thousands of vulnerabilities in their environments -- [and thus] ripe for exploitation."
A foundational best practice is for organizations to understand that vulnerability and patch management are very much intertwined and must be overseen by the security team that is responsible for the end-to-end resolution, according to Livne.
"This step in and of itself will remove barriers that are a root cause for the high mean time to remediation (MTTR) that many organizations struggle with," he said. "IT and security can still work together to deploy the patch, but in owning the process, security teams can push instances to resolution much quicker and more efficiently."
Using the same product to detect, prioritize and remediate a vulnerability reduces the manual work required and allows both the IT and security teams to focus on the fix itself, he said.
There are five best practices Qualys advises IT organizations to follow:
- Scan daily. Ideally, the process will employ automated software agents to enable real-time visibility into an organization's vulnerabilities.
- Perform remote unauthenticated vulnerability scans. Doing so will help an organization understand an attacker's view of the network.
- Prioritize vulnerabilities. When pulling reports, first list the vulnerabilities that are known to be actively exploited by malware, ransomware groups, threat actors, etc.
- Patch high-risk vulnerabilities. Address high-risk and severe vulnerabilities first, especially on the perimeter, and in 48 hours or less.
- Optimize patch deployment. Automate patching of applications that introduce the most vulnerabilities to an environment and those that are not mission-critical.
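The prioritization and 48-hour rules in the list above can be turned into a simple triage step over scan output. The following is an added example, not code from the article or from any vendor named in it; the findings, asset names and `CVE-0000-000x` identifiers are constructed placeholders, and the "known exploited" set stands in for whatever threat-intelligence feed an organization uses.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
HIGH_RISK = {"critical", "high"}
HIGH_RISK_SLA = timedelta(hours=48)  # "48 hours or less" for high-risk findings

@dataclass
class Finding:
    asset: str
    cve: str            # placeholder identifiers below, not real CVE records
    severity: str       # critical / high / medium / low
    perimeter: bool     # internet-facing asset
    first_seen: datetime

def prioritize(findings, known_exploited):
    """Order findings as the best practices describe: actively exploited
    first, then by severity, then perimeter exposure, then oldest first."""
    return sorted(
        findings,
        key=lambda f: (
            f.cve not in known_exploited,   # False sorts first: exploited on top
            SEVERITY_RANK[f.severity],
            not f.perimeter,
            f.first_seen,
        ),
    )

def sla_breaches(findings, now, sla=HIGH_RISK_SLA):
    """High-risk findings that have stayed open longer than the 48-hour window."""
    return [f for f in findings
            if f.severity in HIGH_RISK and now - f.first_seen > sla]

# Constructed sample data (not from any real scan or exploit catalogue).
NOW = datetime(2024, 1, 10, 12, 0)
KNOWN_EXPLOITED = {"CVE-0000-0002"}
FINDINGS = [
    Finding("web-01", "CVE-0000-0001", "critical", True,  NOW - timedelta(hours=72)),
    Finding("db-02",  "CVE-0000-0002", "high",     False, NOW - timedelta(hours=20)),
    Finding("ws-03",  "CVE-0000-0003", "medium",   False, NOW - timedelta(days=10)),
    Finding("vpn-04", "CVE-0000-0004", "high",     True,  NOW - timedelta(hours=49)),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS, KNOWN_EXPLOITED):
        print(f.asset, f.cve, f.severity, "perimeter" if f.perimeter else "internal")
    print("Past 48h SLA:", [f.asset for f in sla_breaches(FINDINGS, NOW)])
```

The exploited-but-only-"high" finding on db-02 lands above the critical one on web-01, which is the point of checking exploitation status before raw severity; the two perimeter hosts past 48 hours are what the SLA report would escalate.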
For organizations to achieve success in their security posture, they must recognize that vulnerability management and patch management practices have similarities and complement one another, but ultimately are different, Livne said. "One cannot and does not supplement the other; they are two pieces to a whole process," he said.