How to Avoid Emergency Patching Debacles and Stay Secure in 2022

No need to remind anyone in IT or SOC departments of the 2021 Log4J debacle.

The publication Log4J vulnerability led to a particularly acute crisis due to its sky-high CVSS score, its ubiquitous prevalence, and its ability to hide under several nested layers or in transitive dependencies. The crazy patching cycles, requiring four patches in less than four weeks, only made things worse. Yet, there are many other less publicized crises that only become famous when a household industry name is involved or when a supply-chain attack threatens a wide array of potential targets.

By then, the scramble to patch might be already too late, and patching too fast might lead to inadequately applied patch due to stress.  Not to mention the disruption in everyday life due to frantic calls to drop everything, leave your daughter’s wedding or cut your fishing trip short to apply the patch now, lest all hell break loose. 

Data indicates that 2022 is likely to have a rich vulnerability year. The University of Bonn identified the underlying factors that increase the risk of widespread emerging critical vulnerabilities. Open-source software packages typically stored in online repositories are widely used in a wide array of applications, turning these repositories into “a reliable and scalable malware distribution channel.”   

This is aligned with the Sonatype 2021 State of the Software Supply Chain yearly report findings. That report indicates that in 2021, the world witnessed a 650% increase in software supply chain attacks aimed at exploiting weaknesses in upstream open-source ecosystems, a marked increase from the already high 430% increase in 2020. 

In other words, even stellar patching habits are only going to get you so far, as not only is open-source code slower to patch than commercial ones, but it is also nested in supply-chain code, making you dependent on suppliers’ patching habits as well. 

Maintaining good cyber-hygiene – easier said than done

The recommendation of maintaining cyber-hygiene remains true since the dawn of cyber-attacks and is critical to minimize the risk from vulnerabilities, both known and unknown.

Yet, the ESG research on Security Hygiene and Posture Management Survey found that, though 86% of organizations believe they follow best practices for security hygiene and posture management, 70% use more than ten security tools to manage security hygiene and posture management. This results in a challenging combination of multiple data sources and time-consuming processes. 

Security asset management challenges  

69% of organizations admit that they have experienced at least one cyber-attack that started through the exploit of an unknown, unmanaged, or poorly managed internet-facing asset. 

44% of organizations claim that establishing an inventory of hybrid IT assets involves different organizations, which makes it difficult to coordinate activities, 40% say that conflicting data makes it difficult to get an accurate picture and 39% report that it is difficult to keep up with thousands of changing assets. It is also noteworthy that one-third of organizations depend on manual processes, making it difficult, if not impossible, to manage security assets at scale. 

Vulnerability management challenges

When it comes to vulnerability management, the biggest challenge was to keep up with the volume of open vulnerabilities, closely followed by “Automating the process of vulnerability discovery, prioritization, dispatch to owner, and mitigation” and “Coordinating vulnerability management processes across different tools.” 

Regarding the approaches to vulnerability prioritization and patching, the inclusion of Vulnerability Prioritization Technologies (VPT) is still a minority, with only 29% using Risk-Based Vulnerability Management (RBVM). The most advanced VPT, Attack Based Vulnerability Management (ABVM), was not included in the survey. 

According to the Ponemon/WhiteSource “Reducing Enterprise Application Security Risks: More Work Needs to Be Done” report, the endemic vulnerability patching backlog issue is only getting worse, selecting a VPT that ensures that critical vulnerabilities are patched first 

 

Emergency Patching Graph

 

So, what are the key focus points of security posterity hardening? 

Looking at the positive aspects of hardening security posture provides a better understanding of how to limit the potentially catastrophic unpatched vulnerability damages. 

  • Restoring visibility on all assets is possible and will avoid falling victim to undetected vulnerabilities hiding in forgotten or unregistered assets. 
  • Exploited vulnerabilities’ harmful effects can be minimized by design – tightening security controls and applying sound privilege access management goes a long way as adversarial behavior after intrusion follows patterns, and preemptively hampering their progression is achievable. 
  • Patching vulnerabilities can be streamlined to match your infrastructure to drastically reduce the number of vulnerabilities to patch while improving your security stance, including on mobile and web applications. 
  • Exposure to emerging exploits can be limited within a shorter time than it takes your security vendor to update its IoC list. 

 

How can you achieve these security posture improvements? 

 Some of this can be achieved from a defensive perspective, but the combination of human error and resources scarcity means it is better to ensure that your attack surface is fully covered, that your security controls are optimally configured, that vulnerabilities critical to your infrastructure are patched with the highest priority and that you block IoCs of emerging threats to which you are vulnerable as soon as possible, even before your security vendors update their IoCs listings. 

Adopting an extended security posture management approach enables you to continuously validate the efficacy of your defensive array as well as prevent security drift, ensuring a stable, quantified, and reliable evaluation of your security stance. 

An extended security posture management approach covers all the aspects listed above. 

  1. To comprehensively list assets, automating the behavior of a malicious actor running recon on your company uncovers invisible assets such as shadow IT, forgotten URLs, non-disabled legacy accounts, etc.
    Cymulate Attack Surface Management (ASM) module scans for internet-facing digital assets of sanctioned and shadow IT, leaked credentials, and organizational intelligence that can be used in a social engineering attack. It then analyzes the findings for high-risk vulnerabilities, misconfigurations, and exploitable organizational intelligence and provides mitigation recommendations. 
  2. To limit the structural exposure to vulnerabilities, it pays to identify exactly where loose security controls can be used as a point of entry or to escalate or move laterally. The most efficient way to achieve that is to run a continuous security validation such as BAS. Even preemptively following CIS Controls recommendations is only effective against 86% of the MITRE ATT&CK framework (sub-)techniques. 

Cymulate’s Breach and Attack Simulation (BAS) module runs all the attacks in the MITRE framework, uncovering exposure to any of them and providing actionable mitigation recommendations. 

Cymulate Advanced Purple Team Framework enables red and blue teams to work in tandem to design exploits and test their environment resilience to unknown threats. 

3. To prioritize vulnerability patching in line with the risks posed to your infrastructure, the most efficient way is to identify the vulnerabilities exploited through: 

  1. Step 1: Launching a comprehensive array of production-safe attacks  
  2. Step 2: Identifying their points of entry, and escalation and lateral movement patch
  3. Step 3: Prioritize patching based on the exploited vulnerabilities by order of criticality  

Cymulate’s Attack-Based Vulnerability Management (ABVM) module does exactly that. 

4. To minimize exposure to emerging threats, the goal is to add actionable intelligence in the incorporation of emerging IoCs and TTPs to the detection solutions as soon as possible once a new exploit is detected. 

Cymulate Immediate Threat Intelligence (ITI) module deploys production-safe emerging threat assessment with detailed and comprehensive and testable IoCs and TTPs daily updated lists days, sometimes weeks before mainstream detection solutions update their database. 

Staying secure in 2022 requires staying ahead of cyber-attackers. This implies continuously validating that the defensive systems in place are working as intended, that vulnerabilities most likely to be exploited successfully are patched first, and that the window of exposure to emerging threats is shortened to a minimum. 

Book a private demo now and see the platform in action.