Better Patching Priority

What to consider when prioritizing risks

Vincent Liu, Partner, Bishop Fox

March 11, 2013

5 Min Read
Dark Reading logo in a gray background | Dark Reading

There are lots of different opinions about the best ways to tackle security risk. In a recent blog post titled "The Best Way to Spend Your Security Budget," Larry Seltzer says there is one burning issue that should be at the top of everyone's list: SQL injection.

If only it were that easy.

There is no "one size fits all" solution because every company and their needs are different. Seltzer's advice is that the simple answer for companies is to spend their security budget to prevent SQL injection. I disagree. There are also the unknowns that surround a company's security concerns. Looking only at Web applications, using a Top 10 list developed through limited industry consensus, and selecting just one issue is not the best approach.

The blog also mentions prioritizing risks; I would agree that many vendors spend every marketing dollar they have to focus people only on the shiniest solutions to the "latest threat." But the latest threats are rarely the ones companies should be most concerned about. The biggest risks facing companies are the ones they already know about and for which solutions already exist. Just because a threat is new doesn't mean it's always worth your time to go chasing after it. And just because something shows up at the top of the OWASP Top 10 doesn't mean it's the most important problem facing your organization.

Imagine a large property with no fence or borders, and people come and go from the property as they please, using the resources as they see fit. There is no security camera to track what individuals do on the property, or what type of assets are being manipulated or information exchanged. Ask any security professional and they'll tell you that this property is not only lacking security, it is vulnerable to all sorts of malicious activity and obviously needs a security update – perhaps that a fence is the top priority. But you can't say that a missing fence is the biggest priority without context. What if you learned that this property is also a public park? Your perspective and priorities change.

Multiple factors must be considered when looking at your enterprise exposure. A more comprehensive approach to security budgeting is to take into account both environmental variables and business interests. Patching is a great example of this.

Patch management requires you to consider vendor security suggestions, but your primary focus must be on your company itself so you can prioritize patches in an order most beneficial to your needs.

When a patch is deployed across thousands of systems, a common approach is to use the vendor's patch severity rating alone to dictate the rollout priority. This order of implementation, though seemingly effective at first glance, is not necessarily the most secure way to patch your enterprise assets. Vendor severity ratings are created under the assumption that the target systems exist in isolation and only consider the updates on the most mechanical level. They don't take into account how your organization uses individual machines. Because of this, all systems are treated equally even if they aren't. A computer set up to run welcome videos in the lobby doesn't handle the same type of information as one managing monthly financials. Patching that computer over your primary servers because of a vendor rating simply doesn't make sense. It is important to consider other factors and environmental characteristics to develop a more sophisticated, risk-based approach to patching.

When you prioritize with purpose, you reduce threats with greater efficiency. If you use just one more factor, such as which systems are considered absolutely critical, and combine it with patch severity level (provided by vendor), then you can achieve greater risk reduction by applying the most severe patches to the most critical assets. More risk reduction, faster results.

This also holds true for a software patch that may not initially be rated as severe. Depending on your company's infrastructure, certain vulnerabilities could actually have a high business impact if exploited. Clearly, this is something you want to patch right away. Without applying your knowledge of your unique environment, a critical system may sit unpatched for an unnecessarily longer period of time.

Using a multifaceted approach to patch management requires having information about the systems you're protecting -- both readily available and current. The same is true with any kind of risk prioritization. You can't secure what you don't know about, so having an updated, prioritized inventory is essential to protecting important company assets.

If you consider how many factors are needed to make an informed prioritization decision, following a set of written guidelines and to-do's doesn't account for environmental changes or unexpected problems. Your best bet for defending your organization is to apply the unique knowledge you have about how it is set up and the environment in which it runs.

If you only prepare for threats coming in one way, you're setting yourself up to be hit by an attack coming in from another.

Vincent Liu, CISSP, is a Managing Partner at Stach & Liu, a security consulting firm providing IT security services to the Fortune 1000 and global financial institutions, as well as U.S. and foreign governments. He has coauthored several books including Hacking Exposed Wireless, 1st and 2nd editions, Hacking Exposed Web Applications, 3rd edition, and the upcoming Web Application Security, A Beginner's Guide. He can be reached on Twitter @vinnieliu

About the Author

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights