Vendor Patches: A New World Order is Needed

Dwayne Thaele

At the Black Hat 2022 conference, I was fortunate to attend the keynote address by former CISA Director Chris Krebs. In his address, Chris made a bold statement:

“Software remains vulnerable because the benefits of insecure products far outweigh the downsides. Once that changes, software security will improve — but not a moment before.” 

How true! Insecure code has created enormous security markets, with multiple tools and vendors. Looking at the exhibitors in Black Hat’s Business Hall, I noted that many vendors were promoting vulnerability management tools and services. 

But software vendors have created their own profitable market by releasing applications that aren’t fully secure while selling support contracts for patches and updates to secure their insecure applications. Talk about a limitless revenue stream. 

Even with their best efforts, vendors can’t fully secure their code. This is why a new world order is needed for patching. 

Old-world thinking

Everyone agrees that patching is important. The question is, what’s the best way to patch?  

The traditional view has been to rely on vendors to provide patches. Operations teams anxiously await vendor patches so they can test and implement them across their enterprises. While this approach may provide a sense of security to some, there are many drawbacks. 

Independent research firm Ponemon Institute conducted an extensive study for ServiceNow and uncovered both the benefits of vendor patches and the drawbacks. Leading drawbacks include: [1]

  • not enough resources to keep up with the volume of patches 
  • no common view of applications and assets across security and IT teams 
  • inability to take critical applications and systems off-line so they can be patched quickly 
  • difficulty in prioritizing what needs to be patched. 

Applying vendor patches is a reactive and passive strategy. Think of the boy in the Hans Brinker novel, trying to plug holes in a dike; soon there are more holes than he has fingers. And the larger security risks are from the “holes” that have yet to appear. 

In cybersecurity terminology, these vulnerabilities that vendors have not yet identified or reported are known as zero-day vulnerabilities. Zero-day vulnerabilities place clients in grave danger because vendor patches and traditional approaches to patching do not address them. 

Additionally, companies may not have the resources or opportunity to implement all available patches. They may find themselves in a menagerie of sorts, trying to prioritize patches, testing, deployments, and overall patch management. 

New-world thinking and a new-world order

What if there was a solution that stopped attempted exploits of known and unknown (zero-day) vulnerabilities before they ever reached a target application? And what if the solution had complete monitoring of these attempted exploits to immediately identify the attempts and orchestrate rapid mitigation responses? And regarding enhanced security, what if the solution received threat intelligence feeds that would be used to develop new rules, policies, and processes to mitigate future exploit attempts? 

This solution exists today and is based on virtual patching or shielding. Virtual patching is not new and is seen as a compensating control when traditional patching is not practical — which is quite often. Advances in automation, analytics, and security operations are generating much-deserved new interest, making virtual patching a mainstream security solution that provides order to the problematic world of patching. 

In a report on database and application vulnerabilities, the Aberdeen Group explains: [2]

“Virtual patching — sometimes known as external patching or vulnerability shielding — refers to establishing a policy enforcement point that is external to the resource being protected, to identify and intercept exploits of vulnerabilities before they reach their target. In this way, direct modifications to the resource being protected are not required, and updates can be automatic and ongoing.”

Through virtual patching, the patching function shifts from passive-reactive tasks to active-proactive operations — operations that include real-time monitoring for malicious activities and attempted exploits against applications. And if incidents are identified, response teams will be alerted and mitigation playbooks initiated. Thus, responses to cyberattacks are rapid and thorough.

Automation is becoming more commonplace in responding to cyberattacks to quickly contain and minimize their impact. Virtual patching solutions can leverage automation and other advanced techniques as part of the overall security response to reduce risk from a potential exploit. 

There are a variety of ways that vulnerabilities can be mitigated by virtual patching, and that’s the beauty of it — virtual patching is flexible and adaptable. Typically, multilayer security services are employed to broaden a specific protection, beyond just patching known vulnerabilities. So, applications at layer 7 can be protected along with the network, transport, and other layers. 

As security needs arise, cybersecurity analysts can quickly create new rules and scripts to shield an application from identified weaknesses or bad actor tactics, techniques, and procedures (TTPs) as defined in the MITRE ATT&CK® framework. 
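The policy enforcement point from the Aberdeen definition and the analyst-written shielding rule described above can be sketched as WSGI middleware. This is an added example, not code from the article or from any product; `legacy_app`, the `/reports` path, the `file` parameter and rule ID `VP-0001` are constructed for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

@dataclass(frozen=True)
class Rule:
    rule_id: str      # constructed identifier, not a real signature ID
    path_prefix: str  # part of the application the rule shields
    param: str        # request parameter to inspect
    deny: str         # regex that must not match the decoded parameter value

class VirtualPatchShield:
    """WSGI middleware acting as the external policy enforcement point."""
    def __init__(self, app, rules=()):
        self.app, self.rules, self.events = app, list(rules), []

    def add_rule(self, rule):
        # Rules change here; the protected application is never modified.
        self.rules.append(rule)

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        params = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
        for rule in self.rules:
            if not path.startswith(rule.path_prefix):
                continue
            for value in params.get(rule.param, []):
                if re.search(rule.deny, value):
                    # Record the attempt for monitoring, then block it.
                    self.events.append((rule.rule_id, path, value))
                    start_response("403 Forbidden", [("Content-Type", "text/plain")])
                    return [b"blocked by virtual patch\n"]
        return self.app(environ, start_response)

def legacy_app(environ, start_response):
    # Hypothetical unpatched application, left exactly as deployed.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"report served\n"]

def request(app, path, query=""):
    """Drive one constructed request through the stack; return (status, body)."""
    seen = []
    env = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query}
    body = app(env, lambda status, headers: seen.append(status))
    return seen[0], b"".join(body)

# Constructed rule: reject directory-traversal sequences in the "file" parameter.
TRAVERSAL_RULE = Rule("VP-0001", "/reports", "file", r"\.\.[/\\]")
shield = VirtualPatchShield(legacy_app, [TRAVERSAL_RULE])
```

Because `parse_qs` percent-decodes values before the rule runs, an encoded `..%2F` is matched the same way as a literal `../`, and every block is appended to `shield.events` for the monitoring side of the control.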

It’s common for solutions to be network-based and employ intrusion prevention systems (IPSs) and firewalls. Web application firewalls (WAFs) may be incorporated as needed, as well as distributed denial-of-service (DDoS) protection for more thorough application security. Under virtual patching, these technologies work in unison to block exploits — even zero-day exploits — and deliver a holistic application security solution.  

The move to virtual patching frees enterprise security teams from the never-ending start/stop, jerky model of managing vendor patches and delivers smooth-running, always-on security protection. When a managed security service provider (MSSP) is brought in to implement and manage virtual patching, security teams can be relieved of nearly all patching-related activities. 

Virtual patching is not patch management 

It’s important to note that virtual patching or shielding is not patch management. Traditional patch management solutions are valuable tools to ease the burden of the patching process and tasks. They include: 

  • scanning to identify unpatched applications and systems 
  • helping to prioritize which vendor patches to apply 
  • automating and orchestrating the implementation of patches, documentation, and reporting 

Traditional patch management solutions, however, remain limited to vendor patches and their shortcomings, leaving companies at risk. As noted, these solutions don’t guard against zero-day attacks. 

Moving forward

Virtual patching or shielding is not only a great alternative to traditional patching, it also offers responsiveness, operational efficiencies, and increased protections with zero-day coverage. 

If your company is finding it difficult to keep up with patching its applications — or you simply want better security coverage — then virtual patching is a security solution you should absolutely consider. And with managed security services that incorporate shields to secure applications, you will benefit from simplified adoption and operations and faster time to value. 

[1] Ponemon Institute LLC. “Costs and Consequences of Gaps in Vulnerability Response.” April 5, 2018.
[2] Aberdeen Group. “Beyond the Patch: Reducing the Risk of Database and Application Vulnerabilities.” October 2016.