Vulnerability fatigue – why you need to get on top of patch management

More and more vulnerabilities are being discovered every day, leaving in-house teams struggling to provide corrective patches quickly. Hackers are taking advantage of this lead time to analyze information systems, find vulnerabilities and launch successful attacks.

Last year alone, 22,000 new vulnerabilities were published. At the same time, 80% of attacks are being carried out on known vulnerabilities, which indicates that enterprises are generally slow to patch. Approximately 25% of new vulnerabilities are patched in a month. Move along eight months, and only 75% of new vulnerabilities are normally patched. This means some vulnerabilities are never patched at all.

The rise of patching fatigue

Patching management has a crucial role to play in minimizing security risks for enterprise information systems. Managing patching, however, can be overwhelming with new applications being added at a significant rate, increasing the complexity of the IT environment. The arrival of the cloud platform has exacerbated this. At the same time, many enterprises don’t have enough skilled people on their IT teams to stay on top of patch management. Poor security hygiene when it comes to patching means that vulnerabilities will stick around, providing an additional attack vector for cybercriminals.

At the same time we are all using more and more technologies. To reach a website, for example, you may need to use ten technologies, such as connectivity, a browser, software to connect to the ISP and so forth, to get to your chosen destination. Vulnerabilities can appear in different parts of an enterprise’s information system, which it is why it is increasingly difficult for IT teams to track vulnerabilities from every vendor.

IT teams are also being engulfed by the amount of information flowing in on vulnerabilities from forums, newsletters and so forth. They may get basic vulnerability alerts from vendors, but from the many information sources flooding in, it is almost impossible for them to sift out the knowledge they need.

The possible outcome is a frightening one. If patches aren’t done straightaway, they are often forgotten. This means sensitive information can be exposed to cybercriminals who will siphon it off and sell it on the dark web – without the enterprise even knowing they have suffered a breach.

Partner to get patching back on track

The sheer volume of security patches consumes a huge amount of an IT team’s time. Partnering with a vulnerability expert can dramatically reduce the burden and stress of vulnerability management on internal resources. For this reason, Orange Cyberdefense has set up an extensive vulnerability intelligence service portfolio, allowing enterprises to choose the specific services they require.

By delegating vulnerability monitoring to Orange Cyberdefense, recommendations generated can help enterprises to prioritize remediation actions and improve reactivity. Flaws can be detected precisely in systems using our automatic scanning feature, searching for vulnerabilities in networks, systems and applications. Our services can also test information systems for weaknesses using a simulated attack and check for flaws in applications before they are released.

A la carte vulnerability intelligence

The Vulnerability Intelligence Watch service from Orange Cyberdefense is different from other services on the market as it doesn’t just offer up official sources for recognizing vulnerabilities. It also scans semi-official sources, such as forums and newsletters, and has experts trawling the deep dark web to find so far unidentified vulnerabilities.

Customers need to list infrastructure components in the administration portal they want monitoring, drilled down to the specific products and versions. For each product, information on the business, image and legal impacts a vulnerability may have on the company is requested in order to contextualize the threat. Details of vulnerabilities are sent to the enterprise via email and SMS. Information can also be accessed via the portal. If a correction can’t be found for a vulnerability, our in-house team will find a work-around. A tool on the portal tracks vulnerability corrections to show if IT teams have corrected the vulnerability as scheduled.

A value-added press review is offered to customers. Every day we harvest articles from global media, security experts, academics and so forth, so that enterprises have one point of access for a detailed overview of what is happening with cybersecurity globally. Enterprises are spending upwards of 30 minutes per day tracking this information, so this service is hugely time saving.

Our Detect Service can automatically scan a customer’s corporate network internally and externally to map for vulnerabilities. Enterprises have a picture in real-time of what is going on with their network and can instantly see what element is impacted by which vulnerability.

We also provide an Ethical Hacking Service. Customers tell us which are their principal assets, and we try and reach them by any means possible. We also use social engineering, contacting employees and asking for sensitive information to see if we can get into systems. This service shows enterprises where their weaknesses are and how they can improve their security.

Finally, we offer Check Code, a service that focuses on the source code of an application or website, scanning for vulnerabilities before it is launched or during the software development life cycle. This service is very specific and may be of interest to e-shops or banks looking to launch a new app, for example.

The effective cycle of vulnerability management

Bringing these four solutions together simplifies understanding of our portfolio and also offers an effective cycle for vulnerability management.

Firstly, it is important that the customer anticipates threats and is proactively informed as soon as a newly discovered vulnerability impacts the business. Via the bulletin received with the Vulnerability Intelligence Watch solution, customers can prioritize and then apply the appropriate corrections. It is important to check that the vulnerabilities are no longer there by scanning the network with Vulnerability Intelligence Detect or checking the source code of an application with Vulnerability Intelligence Check Code. As a deeper level of control, we offer Vulnerability Intelligence Ethical Hacking, using vulnerabilities (technological or human) to reach sensitive data and show customers all the “open doors” that need to be closed to protect their business activities.

Don’t sit and wait for an attack

The likelihood of your enterprise being attacked is rising every day. There has been a 13% increase every year since 2014 on new vulnerabilities being discovered – and this isn’t going to slow down any time soon. It is therefore critical that you have robust vulnerability management in place to ensure the proper preventative measures are taken against attack.

IT infrastructures are now a critical part of business. If you can’t look after their health yourself, it makes sense to partner to make sure vulnerabilities don’t slip through the net – at the same time freeing up IT teams to focus on business projects that boost the bottom line.

Vulnerability Intelligence is just one of the many Threat Management services offered by Orange Cyberdefense. Find out more about Threat Management – a necessity for securing what matters.

Mélanie Pilpré
Mélanie Pilpré

Mélanie Pilpré has been a security product manager for remote access services and vulnerability management solutions for Orange Cyberdefense for the past three years. Mélanie finds cybersecurity fascinating as it is always evolving but is also highly strategic.