Optimize Vulnerability Remediation with Proactive Zero-Touch Patch
Last updated on: December 20, 2022
Vulnerability remediation is a complex task, and most organizations struggle to identify, prioritize and remediate vulnerabilities efficiently. With the rise in vulnerability discovery, there is a correlating increase in ransomware attacks initiated through unpatched vulnerabilities. This has led IT and security teams to look for ways to optimize remediation SLAs by making their remediation program as efficient as possible. Plus, the pandemic is ever-changing, and many employees are still working from home (WFH), and their remote computers and other assets need to be continually patched and updated.These challenges increase the need for IT and security teams to work together to optimize their proactive and reactive patching practices to shrink their attack surface and strengthen their security posture.
Based on past empirical data, we know that most patches, typically released monthly by software vendors, are designed to fix vulnerabilities discovered in their products. Proactively deploying new patches on a regular (usually monthly) basis will remediate many new vulnerabilities even before the security teams run their vulnerabilities scans. Furthermore, the experience gained from monthly patching will help the team improve the efficiency of their patch process.
Qualys Patch Management (PM) takes proactive patching to the next level in terms of simplicity and efficiency. Creating new patch deployment jobs on a regular basis is simple; and because Qualys Patch Management is a cloud-based solution, it doesn’t require any special network configuration, including VPN access.
While most patch management solutions in the market today focus solely on proactive patching, that is not enough, as your remediation solution must also support simple and efficient reactive patching.
There are many reasons why the proactive approach will not fix all vulnerabilities. A successful remediation workflow must include the ability to efficiently and simply remediate vulnerabilities detected by vulnerability scans (reactive patching), which is different from scans for missing patches
In addition, even the best patch processes will not fix all patchable vulnerabilities: maybe some assets were missed and not patched for a specific vulnerability, maybe the vulnerability was found in a product that the patch team decided not to patch, or maybe the patch team was not aware of the risk of a specific vulnerability and therefore decided not to deploy the patch.
In most cases, the team that is responsible for vulnerability scanning and the team that deploys patches are different. It is therefore crucial that the patch and vulnerability management solutions share information for an efficient patch process. Patch teams need to use the vulnerability findings to efficiently create patch jobs – without all the time-consuming, mundane work that is usually involved in translating vulnerability findings into the actionable set of patches to deploy.
A key benefit of Qualys Patch Management is its unique ability to simplify the reactive patch process. The simplicity added by using one platform for both detection and remediation introduces a significant time saving which results in more patches deployed in less time. With Qualys Patch Management built on the same platform as Qualys Vulnerability Management, both the security and patch teams can use the same remediation workflows, saving you time in translating vulnerabilities detected in your environment to patches required to remediate those vulnerabilities. Because Qualys Patch Management and Qualys VMDR use the same Cloud Agent, assets are uniquely identified, and asset information is shared accurately between the different apps– transparently to you.
Smarter Patch Automation – Taking Proactive Patch Management to the Next Level
For most organizations, automating the proactive patch processes will save time and effort; however, each organization should decide the right patch cycles to automate based on what fits it best. Qualys Patch Management provides the flexibility to build the right automation process to fit your needs. For example, you can automate the entire Patch Tuesday remediation process or create a workflow to automate the deployment of Patch Tuesday patches – i.e., on a monthly basis deploy the newly released patches automatically. You can deploy all new patches or selected new patches, for example only deploy OS patches and/or third-party application patches based on severity or other criteria.
Another operational improvement is to automatically patch your low-hanging fruit. In many organizations, updates to browsers like Chrome and Firefox are easy to deploy and rarely cause problems if deployed automatically. Those products can be patched on a regular basis on all your devices – when new patches are released for those products, you can automatically deploy them. By automating the deployment of “easy” patches, the patch team can focus its manual patching efforts on ensuring that higher risk patches don’t introduce operational risk to the environment.
The new patch automation feature enables organizations to respond faster to newly discovered vulnerabilities. Leveraging Qualys vulnerability data and corresponding real-time threat indicators (RTIs), organizations can create zero-touch patch jobs that apply the relevant patches automatically when a new vulnerability with specific risk is discovered on an asset. For example, you can create a zero-touch patch automation job that responds automatically to new ransomware-related vulnerabilities which are actively used in attacks. Once such vulnerabilities are discovered on an asset, Qualys Patch Management identifies the relevant patches and deploys them automatically, regardless of asset location. This new capability not only allows faster response to the riskiest vulnerabilities but also saves the time and effort required from the security and IT teams to manually package, identify and deploy the relevant patches to on-premises and remote machines.
The Operational Risk of Deploying Patches – Smarter Automation
Qualys Patch Management supports many OS and third-party patches out of the box, allowing customers to efficiently remediate many vulnerabilities related to those OSes and third-party apps. However, in some environments deciding which products to patch and of those, which to automate is a process in itself. The security team, justifiably, asks to patch every application possible; on the other hand, the IT team understands that patching all available applications may introduce a higher operational risk to their environment. IT teams are responsible to ensure business applications continue to work regardless of the patch process. The more applications they patch, the more things can go wrong. Solving this “conflict”, i.e., deciding which products to patch and then which products to automate patching for is a hard problem to solve. As a result, for most organizations the decision of what products to patch is based on personal experience and is not based on empirical data because that empirical data is hard to get.
Qualys Patch Management solves this problem by providing empirical data for both the security and IT teams, data that can help prioritize which products to patch and to automate patching for. By mapping between vulnerabilities detected and products used in the customer’s environment, Qualys Patch Management can help organizations prioritize which products to focus on their proactive patch process in case the IT team cannot patch all products.
For example, assume that the following products are found in the customer’s environment: Chrome, Firefox, Adobe Reader, Plex Server and VideoLAN. From a security perspective it is recommended to patch all those products on a monthly basis. However, in case this cannot be achieved, Qualys Patch Management will help prioritize those five products based on which ones have introduced the most vulnerabilities in the specific customer environment for the past period of time. Focusing first on ensuring the products with the most vulnerabilities are patched on a regular basis will ensure that the patching team spends its efforts on patching the right products in the customer’s environment.
By combining the ability to recommend which products to patch on a regular basis based on empirical data with the ability to automate the patching process, Qualys Patch Management simplifies patch management and helps you remediate more vulnerabilities faster and more efficiently.
Get Started Now
Address the most critical threats like ransomware with efficient vulnerability remediation including automated patching based on prioritized vulnerability data. See for yourself by registering for a Qualys Patch Management free trial!
Great post Eran, this looks like a ration decent tool for vulnerability remediation.