The days when computing innovation was defined by the latest innovation in hardware is not dead nor is it the centre of discussion. With the maturing acceptance of cloud computing, we are in a period where software is at the heart of much technology-led innovation.
However, as organisations adopt a more software-defined approach as the centrepiece of their innovation strategy, we need to be reminded that software is not infallible. Software gets updated from time to time, and more often than we like to admit, there are deficiencies in the software that necessitate fixing.
A patch is a set of changes to a computer program, or its supporting data designed to update, fix, or improve it. This includes fixing security vulnerabilities and other bugs, with such patches usually being called bug fixes or bug fixes.
Patch Management is the process of managing a network of computers by regularly performing patch deployment to keep computers up to date.
Asked why software remain vulnerable to exploits by hackers, Alex Tilley, head of intelligence research for Asia-Pacific at Secureworks, says because software is written by people, and people make mistakes, there is a potential that someone may have implemented parts of the code (program) in strange ways.
He goes on to add that given that there is a lot of money involved in finding security vulnerabilities and exploiting them and there is a lot of impetus on attackers and bad people to find those problems and holes. “So even if the software can be good for now, new and changing attacks and visibility of bugs can come out down the track, which is why we need to patch,” he adds.
The role of CISO in bug discovery
Given that software bugs, and by inference, vulnerabilities, are a fact of life, what is the role of the CISO when it comes to patch management? Should the CISO even be involved in what may be a routine IT operations activity?
According to Tilly, the CISO is well-positioned to understand how their organisation sits on the internet, or what their posture is like from a security point of view, and understanding that there's a new bug and a new patch and trying to figure out with the leadership and engineering team, what to do next.
From understanding the significance of the vulnerability and criticality of the patch, to how quickly the patch needs to be deployed. As well how it how impacts the organisation, these are ultimately questions that will arise for the CISO to answer.
“I think being aware that there are critical and very high severity patches that need to be deployed and making it an educated decision on that really does fall at the feet of many CISOs,” he went on to explain.
Ignore at your own peril
Patch Tuesday is an unofficial term used to refer to when some software vendors, like Microsoft, Adobe and Oracle, regularly release software to their software products. In the era of on-premises IT infrastructure, control over how frequently, and religiously, an organisation will apply these updates are left to the discretion of the organisation.
So why do some ignore applying these patches, in some cases, to their peril? Tilley attributes it to human psychology. He posits that some might have concerns over the patch negatively impacting current systems.
“I think a lot of the feeling around patching hesitancy is definitely around people not quite trusting that everything is going to be fine once they deploy that patch. Also a lack of understanding of the benefit of patches and application updates,” he continued.
He concedes that it is not just security updates, but new functionality and better-streamlined experiences. He posits that the messaging around patching needs to be that it is not just for bad things, but also the benefits of deploying the updates.
Compressing the time to update
Whether it is a regularly scheduled update, as in Patch Tuesday, or ad hoc releases to fix zero-day vulnerabilities, Tilly acknowledges the lag time between release and deployment of patches. He hints that the gap can be as much as months.
He laments that what often happens is that organisations can sometimes rely too heavily on some of those compensatory controls. “Some of those other boxes that they bought to protect their network and say they don't need to deploy that patch because we've got this control,” he continued.
He wants that in the real world that extra control “buys you a little more time because there are a million ways for a hacker to hack a system and that patch not being applied will only help the hacker give your business a very bad day.”
Using AI to automate patching
Acknowledging that for whatever reason relying on human nature to perform patching may not be the best option, can maturing technologies like artificial intelligence be applied to do the ‘dirty work’?
“I personally think that is a smart way to use AI and ML around patching. I don't think there is a particularly good way of automating the entire process end to end based on machine learning, but it can help to guide the size and help to guide those resources as to the best use of their time,” he opined.
Click on the PodChat player to listen to Tilley elaborate further on the importance of patch management in the post-pandemic, hybrid, multi-cloud environment.
- In your view, why do we need to do software patching? Don’t businesses already pay enough in terms of licenses to expect that the software they buy is 100% in good working order – no bugs?
- When a software bug is found, why does the CISO need to be aware of the patch that needs to be applied?
- We often hear that patching is sometimes ignored. Why is that? Why do people resist patching known bugs?
- How do we ensure that time-critical patches are performed? Who’s in charge here?
- One of the emerging technologies of the three years is intelligent automation. Can intelligent automation be applied to patching?
- What are the challenges CIOs/CISOs must address for patching to become a standard practice if it isn’t already? Perhaps draw lessons from the past?
- What would be a new year’s resolution to patching that takes into consideration the current environment we are in – pandemic, remote work, etc?