MANAGED SECURITY SERVICES
Vulnerability and Patch Management
The guidance to reconcile assets, conduct scans, and remediate the right vulnerabilities before they result in compromise
Vulnerability and Patch Management is the practice of identifying and remediating known bugs in software that pose a security threat. During the process of improving and upgrading software, vulnerabilities are fixed even as new ones are inadvertently introduced, in a constant cycle. For organizations, it is a perpetual exercise in weighing the risks and rewards of patching or upgrading to stay ahead of vulnerabilities. This decision-making process can be complex.
Operating systems and software applications comprise the bulk of any organization’s attack surface. While there is no such thing as an invulnerable environment, the practices of vulnerability and patch management are the only way to continually minimize opportunities for attackers.
Below are a few use cases to help you evaluate your need for a vulnerability management program:
In a word, yes. It’s not feasible or sustainable for an IT Manager or even a handful of security engineers to manually track vulnerabilities in an enterprise scale infrastructure. The cost of VM tools and a managed services group to operate them could quickly appear to be a bargain compared to the mess that can occur with an inadequate program or the price of full-time dedicated engineers.
This question must be answered with every vulnerability that’s published. While a critical zero-day vulnerability may result in an unavoidable incident response cost, published vulnerabilities are more an actuarial calculation. What’s the potential for breach or loss of data? What’s the potential downtime of services from an attack? These consequences have dollar values attached to them that may justify the risk of breaking a system with the security patch.
First and foremost, the benefit of VM is actionable data – meaningful insights derived from vulnerability data, asset scans, and prioritization of findings. There are always going to be a lot of vulnerabilities, so to act with efficiency takes some expert analysis. This should be a provider’s first service deliverable for you.
Secondly, a provider should seek to understand the unique risk of your business. If your industry exposes infrastructure and services in a particular way, then the approach to vulnerability management should reflect that. For example, infrastructure that runs critical systems like a nuclear power plant may warrant a more judicious hand.
Ultimately, a managed services provider should be able to examine your unique scenario and advise on a precise strategy for remediating your vulnerabilities.