January 20, 2026

Peak Patch Management and Busy Work

Robert "RSnake" Hansen


I had a very interesting conversation with a friend who felt that patch management was “the solution” to vulnerability management. Under scrutiny he backed up, slightly, and said that it was “part of the solution”. Even so, I have some concerns, because we don’t know what to patch. Blindly patching things is either going to help or waste resources, and in a dearth of knowledge about what adversaries use and how they act, you can’t know which is which. Here was his argument:

He gave me the example of a company he worked with that had something on the order of seven million vulnerabilities. They decided to do a multi-week halt of all activity to patch during that time period, and fixed a couple million vulnerabilities, leaving some number of millions unpatched. That was the end of his story. He awaited applause or some reaction from me. But I was simply confused by the anecdote.

I was left asking, “So… is that a good story or a bad one? I can’t tell. Did you fix vulnerabilities that adversaries were using or would ever use, or was that just a lot of busy work?”

By the look on his face, it was clear that I was supposed to believe that fixing a couple of million vulnerabilities is doing the right thing. That is what the industry preaches. Weeks of patching reduces risk, supposedly, and I am supposed to take that on faith. But if attackers never use the vulnerability, it isn’t really a risk, is it? It’s something else.

I asked a follow-up question, “Did you see anyone attempting to exploit the vulnerabilities that you patched, on your company or anywhere else?”

“No… I don’t know,” he said, with a frown.

I do not think he liked my question, and yet, he didn’t have a good retort. In fact, for the first time ever, he might have realized, to his horror, that he had no idea why he was doing what he did, because he could not answer my questions. It didn’t matter how smart he was, and make no mistake, he’s about as smart as they come. But he was working on the wrong premise: that any work was good work, no matter what he did. He previously believed that security work in particular was virtuous for its own sake, with zero data to back up that assumption.

So did my friend waste his time? How would he know? If you aren’t patching against what the adversary is doing or is very likely to do, you cannot represent it as useful work. You have kept yourself busy, surely, and maybe reduced some vulnerability metrics along the way, or made a case to the board about why you need more funding. There is some chance he did fix some issues that might have been used down the road, but he has no proof of that, even post mortem. Ultimately, that is not what we are employed to do. Or at least, it’s not what we should be employed to do. We should be focused on what the adversary is doing, or is very likely to do.

It could be that we have reached peak patch management, where there is little to no net benefit to blindly patching anymore. It may cost you more to patch than the cost of the breach.

If you create weeks of downtime and incur opportunity costs to fix issues of unknown risk, like my friend did, yet that work doesn’t improve the actual risks to the company, is that a good value to the company? I think the answer is absolutely not. The trick is knowing what matters, and that is what is implied in every conversation I have with people on this topic. They keep saying, “You can’t know what to fix,” but miss the second half of the sentence which is, “...because we have no idea what the adversaries are doing.” That is the real crux of the problem.

Patching may be part of the solution, but not blind patch management. Blindly patching and disregarding where the adversary is focused or the vulnerabilities they are likely to use is not a good expenditure in all but some very limited situations. Everything beyond what is needed is busy work.

Imagine a world where we tracked our work after the fact and asked whether we saw anyone attacking the patches we deployed, and we found out that none of it was ever exploited. How would we have justified that work? We would have had to admit that we simply had no idea what the adversaries were doing and never bothered to find out, so we just guessed. And we now have enough data to prove that our guesses aren’t very good.

So, the next step is asking yourself: what is truly needed? Where are the adversaries attacking and how do we stop those attacks specifically?
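The after-the-fact review described two paragraphs up, and the question this paragraph ends on, can be made concrete with a small script. The following is an added example, not code from the original post: it joins a patch log with exploitation-attempt telemetry, reports how much patch effort went to vulnerabilities nobody was ever seen targeting, and orders the remaining backlog by observed attempts. The vulnerability identifiers, effort figures and the `vuln=<id>` log field are all constructed placeholders for illustration.

```python
"""Post-hoc review of patch effort against observed exploitation attempts.

Added example, not from the original post. All identifiers, effort
figures and log lines below are constructed; the "vuln=<id>" field is an
assumed log format, not any particular product's output.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Patch:
    vuln_id: str   # constructed placeholder id, not a real CVE
    hosts: int     # hosts touched by this patch
    hours: float   # engineering effort spent on the rollout


# Constructed patch log for the review period.
PATCHES = [
    Patch("VULN-0001", hosts=4000, hours=120.0),
    Patch("VULN-0002", hosts=250, hours=16.0),
    Patch("VULN-0003", hosts=9000, hours=300.0),
    Patch("VULN-0004", hosts=50, hours=4.0),
]

# Constructed telemetry: one line per observed exploitation attempt, e.g. from
# an IDS, WAF or EDR alert, in the assumed form "<ts> <source> attempt vuln=<id>".
TELEMETRY = """\
2026-01-03T10:11:00Z ids attempt vuln=VULN-0002
2026-01-03T10:12:30Z ids attempt vuln=VULN-0002
2026-01-05T08:00:00Z waf attempt vuln=VULN-0005
2026-01-09T22:41:10Z ids attempt vuln=VULN-0002
2026-01-12T01:02:03Z edr attempt vuln=VULN-0005
"""


def parse_attempts(log_text):
    """Count observed exploitation attempts per vulnerability id."""
    counts = Counter()
    for line in log_text.splitlines():
        for field in line.split():
            if field.startswith("vuln="):
                counts[field[len("vuln="):]] += 1
    return counts


def review_patch_effort(patches, attempts):
    """Split patch hours into vulnerabilities someone targeted vs. never-observed ones."""
    targeted = {p.vuln_id: (p.hours, attempts[p.vuln_id])
                for p in patches if attempts[p.vuln_id] > 0}
    unobserved = {p.vuln_id: p.hours for p in patches if attempts[p.vuln_id] == 0}
    total_hours = sum(p.hours for p in patches)
    unobserved_hours = sum(unobserved.values())
    return {
        "targeted": targeted,
        "unobserved": unobserved,
        "unobserved_share": unobserved_hours / total_hours if total_hours else 0.0,
    }


def rank_backlog(candidate_ids, attempts):
    """Order unpatched ids by observed attempts, most targeted first (stable for ties)."""
    return sorted(candidate_ids, key=lambda v: -attempts[v])


if __name__ == "__main__":
    attempts = parse_attempts(TELEMETRY)
    report = review_patch_effort(PATCHES, attempts)
    print("targeted patches (hours, attempts):", report["targeted"])
    print("patches with no observed attempts (hours):", report["unobserved"])
    print(f"share of effort with no observed attempts: {report['unobserved_share']:.0%}")
    # Constructed backlog of still-unpatched ids, ranked by what adversaries hit.
    print("backlog order:", rank_backlog(["VULN-0006", "VULN-0005"], attempts))
```

Two things to keep in mind when reading the output: a zero in the attempt count reflects detection coverage as much as adversary interest, so "no observed attempts" means the work is unjustified by the evidence you have, not proven useless; and the ranking only works if the telemetry tags events with the same identifiers the patch log uses, which is the join most organizations never bother to set up.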

Stay Tuned For More
