It might be possible to patch every Windows system at a large global bank within three days, but the business disruption required would probably be unacceptable.
So what is a reasonable time frame for fixing security vulnerabilities?
A bank in Brazil, a retailer in Singapore and a government agency in the U.S. would each have different answers to this question, as the threat landscape is different for every organization.
Perceived “industry standard” vulnerability remediation time frames do not account for organization-specific constraints, technology cohabitation considerations, internal policies or external compliance requirements.
The real-life situation is much more nuanced, says Craig Lawson, VP Analyst, Gartner.
“What’s important is turning ‘whether a platform gets patched’ into ‘whether the specific risk of platform vulnerability has been sufficiently mitigated’,” says Lawson.
This requires that organizations take a more structured risk- and fact-based approach to vulnerability management as part of an overall security program.
How fast is fast enough in vulnerability management?
The sheer volume of reported vulnerabilities means that organizations are challenged to remediate them in appropriate time frames.
Based on how fast vulnerabilities can be exploited, organizations must be prepared to perform emergency remediation on key systems within hours of a vendor releasing a patch to address a vulnerability, as well as heavily invest in mitigation measures. They must also continue to refine their remediation process maturity to achieve nonemergency remediation across all system types within weeks, rather than months or years.
Gartner recommends four best practices to operationalize effective remediation time frames.
1. Align vulnerability management to risk appetite
Every organization has an upper limit on the speed with which it can patch or compensate for vulnerabilities. This is driven by the business’s appetite for operational risk, IT operational capacity/capabilities and its ability to absorb disruption when attempting to remediate vulnerable technology platforms.
Security leaders can align vulnerability management practices to their organization’s needs and requirements by assessing specific use cases, assessing the organization’s operational risk appetite for particular risks or on a risk-by-risk basis, and determining its remediation abilities and limitations.
2. Prioritize vulnerabilities based on risk
Organizations need to implement multifaceted, risk-based vulnerability prioritization, based on factors such as the severity of the vulnerability, current exploitation activity, business criticality and exposure of the affected system.
“One of the biggest changes you can make is to focus on the vulnerabilities that are being exploited in the wild. That should be the No. 1 goal and will drive down the most risk the fastest,” says Lawson.
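The following is an added illustration, not Gartner’s or Lawson’s code, of how the four factors named above (severity, exploitation activity, business criticality, exposure) can be combined into a ranking that maps findings to the emergency-in-hours versus weeks time frames discussed earlier; the weights, the SLA values and the sample findings are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import timedelta

@dataclass
class Vuln:
    vuln_id: str             # constructed label, not a real CVE identifier
    cvss: float              # vendor/NVD severity, 0.0 to 10.0
    exploited_in_wild: bool  # current exploitation activity (e.g. from threat intel feeds)
    criticality: int         # business criticality of the affected system, 1 (low) to 3 (high)
    internet_exposed: bool   # exposure of the affected system
    patch_available: bool    # whether the vendor has shipped a fix at all

# Assumed SLA tiers: hours for emergencies, weeks otherwise. Not Gartner figures.
SLA = {"emergency": timedelta(hours=24),
       "standard": timedelta(weeks=2),
       "planned": timedelta(weeks=6)}

def risk_score(v: Vuln) -> float:
    """Multifaceted score: severity + exploitation + criticality + exposure.
    Active exploitation is weighted so it outranks any unexploited finding."""
    score = v.cvss
    if v.exploited_in_wild:
        score += 10.0
    score += 2.0 * v.criticality
    if v.internet_exposed:
        score += 3.0
    return score

def tier(v: Vuln) -> str:
    """Emergency only when exploitation meets exposure or a core system."""
    if v.exploited_in_wild and (v.internet_exposed or v.criticality == 3):
        return "emergency"
    if v.exploited_in_wild or v.cvss >= 9.0 or (v.internet_exposed and v.criticality >= 2):
        return "standard"
    return "planned"

def action(v: Vuln) -> str:
    """Plan B when no patch exists: a compensating control such as IPS/WAF virtual patching."""
    return "patch" if v.patch_available else "mitigate (IPS/WAF virtual patch)"

def plan(vulns):
    """Rank findings by risk and attach the SLA and remediation action for each."""
    ranked = sorted(vulns, key=risk_score, reverse=True)
    return [(v.vuln_id, risk_score(v), tier(v), SLA[tier(v)], action(v)) for v in ranked]

# Constructed sample findings (ids and values are made up).
SAMPLE = [
    Vuln("VULN-A", 9.8, False, 1, False, True),  # critical CVSS, internal, low-value host
    Vuln("VULN-B", 7.5, True, 3, True, False),   # exploited in the wild, exposed core system, no patch yet
    Vuln("VULN-C", 5.3, False, 2, True, True),   # moderate severity but internet-facing
    Vuln("VULN-D", 6.5, True, 2, False, True),   # exploited in the wild, internal system
]
```

Running `plan(SAMPLE)` ranks the unpatched, exploited, exposed VULN-B first with an emergency window and a mitigation action, while the CVSS 9.8 finding on an internal low-value host lands last, which is the point of weighting exploitation and exposure rather than severity alone.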
3. Combine compensating controls and remediation solutions
By combining compensating controls that can do virtual patching like intrusion detection and prevention systems and web application firewalls with remediation solutions like patch management tools, you can reduce your attack surface more effectively while having less operational impact on the organization. Newer technologies like breach and attack simulation (BAS) tools also provide insight into how your existing security technologies are configured and whether they are capable of defending against a range of threats like ransomware.
Often, it’s simply not possible to patch a system if, for example, the vendor has not yet provided a patch, the system is no longer supported or for other reasons like software compatibility. Highly regulated industries also have mandates that can restrict your ability to perform functions like patching.
“Patching isn’t everything,” Lawson says. “It’s hard, can break things and takes time. Have a plan B — you need more arrows in your quiver than just patching.”
“If you do a better job with your vulnerability management program, you can reduce your attack surface substantially. This allows you to present as a harder target for a threat actor to try to gain some leverage inside your environment. That’s why this is a big deal.”