[BreachExchange] Security Think Tank: Apply risk-based approach to patch management

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jun 26 20:45:47 EDT 2017


http://www.computerweekly.com/opinion/Security-Think-Tank-Apply-risk-based-approach-to-patch-management

The old mantra of “patch everything” is long gone. Many organisations
cannot keep up with the multiplicity of systems and applications that need
patching as IT becomes ever more pervasive, bring your own device (BYOD)
increases, and testing all the combinations of devices, apps and operating
systems becomes impossible, given the resources available.

As a result, organisations need to move away from the “patch everything
100%” and apply risk management to focus on critical systems and deploy
limited resources to maximum effect.

Organisations need to identify the information that is most valuable, and
the information they need to keep their operations running – such as
patient records, backups, financial data – and the risk of its
unavailability.

Lack of availability also needs to be examined, and not in terms of weeks
or months, but in terms of minutes, hours or days. The impact of the lack
of availability should be identified in business or customer-service terms.
This means that the business managers and people who use the data on the
“front line” will have to be involved in this risk assessment.

Once the impact is known, the systems where the information is stored and
processed (at a minimum) should be identified, and then a patching regime
for those systems can be created.

The backups – and the systems those backups reside on – should also be part
of the same patching regime. If the systems are outsourced, the contract
needs to have specific patching and recovery clauses inserted.

The patching regime should involve automated patching, with manual
follow-ups to ensure these systems are up to date. Operational requirements
will have to take second place to patching under this regime: patching is
an operational necessity.

For other systems, automated patching is the way forward, using in-built
processes in the operating systems where possible. Organisations will have
to understand that 100% coverage will not occur so other processes and
procedures must be in place to mitigate the effects of missing patches,
including incident management.

For legacy systems and software, where patching is not an option,
organisations will need to look at replacements, or other ways to minimise
vulnerability, such as separate networks, controlling access to data and
cloud provision. These systems and the appropriate solutions should be
prioritised as these represent the greatest risk.
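The steps the piece lays out (identify valuable data and its tolerable outage, map it to the systems and their backups, then choose a patching regime per tier, with unpatchable legacy systems ranked as the greatest risk) can be turned into a simple prioritisation routine. The following is an added example written for this post, not code from the article or from Computer Weekly; the asset inventory is constructed and the scoring weights and tier thresholds are assumptions chosen for illustration.

```python
"""Risk-based patch prioritisation following the regime described above.

Added example: the inventory below is constructed and the scoring weights
and tier thresholds are assumptions, not part of the original article.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class Asset:
    name: str
    holds_critical_data: bool        # patient records, financial data, etc.
    max_outage_hours: float          # tolerable unavailability, set by business owners
    patchable: bool                  # False for legacy systems with no vendor patches
    outsourced: bool = False         # True when a third party operates the system
    backup_for: Optional[str] = None # name of the system this asset holds backups for


def impact_score(asset: Asset, inventory: dict[str, Asset]) -> int:
    """Score the business impact of unavailability (assumed weights)."""
    # A backup system inherits the impact of the system it protects,
    # so it lands in the same patching regime.
    if asset.backup_for and asset.backup_for in inventory:
        return impact_score(inventory[asset.backup_for], inventory)
    score = 0
    if asset.holds_critical_data:
        score += 3
    if asset.max_outage_hours < 1:          # outage measured in minutes
        score += 3
    elif asset.max_outage_hours < 24:       # outage measured in hours
        score += 2
    elif asset.max_outage_hours < 24 * 7:   # outage measured in days
        score += 1
    return score


def regime_for(asset: Asset, inventory: dict[str, Asset]) -> tuple[int, str, str]:
    """Return (priority, tier, recommended regime); lower priority acts first."""
    impact = impact_score(asset, inventory)
    if not asset.patchable:
        # Unpatchable legacy systems carry the greatest risk: replace or isolate.
        return (0, "legacy", "replace, or segment network and restrict data access")
    if impact >= 4:
        regime = "automated patching with manual follow-up"
        if asset.outsourced:
            regime += "; contract must carry patching and recovery clauses"
        return (1, "critical", regime)
    return (2, "standard", "automated OS patching; incident management covers gaps")


def prioritise(assets: list[Asset]) -> list[tuple[str, str, str]]:
    """Order assets so limited patching effort goes where the risk is highest."""
    inventory = {a.name: a for a in assets}

    def sort_key(a: Asset) -> tuple[int, int, str]:
        return (regime_for(a, inventory)[0], -impact_score(a, inventory), a.name)

    ranked = sorted(assets, key=sort_key)
    return [(a.name,) + regime_for(a, inventory)[1:] for a in ranked]


# Constructed inventory for illustration only.
SAMPLE_ASSETS = [
    Asset("ehr-db", holds_critical_data=True, max_outage_hours=0.5, patchable=True),
    Asset("ehr-backup", holds_critical_data=True, max_outage_hours=48, patchable=True,
          backup_for="ehr-db"),
    Asset("payroll", holds_critical_data=True, max_outage_hours=12, patchable=True,
          outsourced=True),
    Asset("intranet-wiki", holds_critical_data=False, max_outage_hours=72, patchable=True),
    Asset("lab-analyser", holds_critical_data=True, max_outage_hours=4, patchable=False),
]

if __name__ == "__main__":
    for name, tier, regime in prioritise(SAMPLE_ASSETS):
        print(f"{name:14} {tier:9} {regime}")
```

Running it lists the unpatchable lab analyser first, then the EHR database and its backup server in the same critical tier, then the outsourced payroll system with its contract note, and the wiki last under plain automated patching.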