Establishing Business-Aligned Patch Prioritization Approach (Part 1)
How to Navigate Patching Challenges and Achieve Cyber Resilience

2023 is the year of artificial intelligence (AI). The writing is on the wall: work smarter, not harder. This blog explains how to measure patching risk in financial terms and obtain business support for applying patches to critical assets by applying the 7 Rules Cyber Framework to excel in cybersecurity.
It's undeniable that AI operates tirelessly, without the need for rest, holiday or salary increments. Nearly every security product claims to be AI-enabled. However, one might encounter challenges when it comes to relying on generative AI, such as ChatGPT, to secure a change request for applying patches on critical assets.
AI can write a compelling-looking business case for the change request supported by an implementation plan and a rollback plan. But persuading the human change approvers to approve these requests is no easy task. After all, AI remains a tool to assist us, at least for the time being. Asset owners must hold people, not software, accountable for the decisions and the associated business risks.
People care about the consequence of their decision. For AI, it is merely an algorithmic thing. It will likely enhance its persuasiveness in the upcoming change request, with little remorse for past failed changes. Therefore, business-aligned risk language is needed to give real assurance and reinforce the urgency to humans responsible and accountable for patching systems and applications. Simply put, business alignment is needed to elevate agreement to commitment. An agreement is derived from logic enabled by data and risk quantification, while commitment requires influencing behavior with a strong people connection.
The Eternal Patching Cycle
This article delves into the effectiveness of the communication and implementation of a business-aligned patch prioritization approach. While there is broad acknowledgement of the importance of security patching as a foundational control, there are constant challenges with implementing it. These include operational priorities, legacy applications and end-of-life systems. Patching almost feels like the Greek myth of Sisyphus, rolling a giant boulder up the hill only to have it roll back down once it reaches the top. While the story of Sisyphus is romanticized by some as an example of grit and determination, I am sure cyber defenders would rather get some sleep.
Therefore, the patching process must be prioritized to cope with these operational constraints by targeting the patching effort based on asset sensitivity and the organization's current threat landscape. In other words, cyber defenders must work smarter rather than harder. But the lack of an effective patching prioritization process creates a significant cyber risk issue along with non-compliance with regulations and standards. Closing these gaps requires an effective way of managing cyber risk conversations with the business executives and boards. There needs to be a better way to communicate by using clear business-aligned messaging and objective measurements.
These measurements also expose a common confusion between the patch prioritization algorithm and the patch prioritization policy. Prioritization algorithms recalculate a weighted CVSS rating for a vulnerability from technical parameters, such as publicly available exploit code or active exploitation in the wild, but with little consideration of the business environment in which the affected asset operates.
A business-aligned patch prioritization approach closes this gap by establishing a business context for the prioritization algorithm. This is achieved by incorporating the relevant strategic and operational considerations from business stakeholders, technology teams and risk teams. These insights enable an organization to determine whether the patch prioritization policy needs to be updated or whether operational teams need more training on the algorithm and the policy. It follows that effective communication of patching risk is crucial to the success of a patch management program.
From Awareness to Implementation
While building a deep understanding of the mechanics of patch prioritization generates awareness and confidence among cyber defenders, convincing the board, regulators and customers of the prioritization approach demands elevating the conversation from awareness to implementation. This requires a culture that strives to be exceptional, a trait needed to overcome the human instinct to resist change, even change that serves the common good.
Let us draw an analogy. For too long, consumers demanded free single-use plastic bags at supermarket checkouts, despite being warned about the environmental hazards caused by discarded plastic waste. This practice was widely accepted until single-use plastic bags were phased out. The commonly cited excuse was, "Why not? Why would we decline a free single-use plastic bag when its cost is already factored into the purchase price?"
Refusing a free plastic bag feels like short-changing ourselves. We now realize that this line of thinking overlooked the environmental consequences we bear through microplastic pollution, which affects the ocean life, the wildlife and ultimately, ourselves and our families through the contaminated food chain.
The same conundrum plays into patching policy considerations. Security standards such as PCI DSS Requirement 11.3.2.1 require that all vulnerabilities with a CVSS score of 4.0 or above be remediated. Research published by CVE Details found that vulnerabilities with a CVSS score of 4.0 or above represented 77% of all reported vulnerabilities in July 2023.
FIRST.org, the maintainer of the CVSS standard, established the Exploit Prediction Scoring System (EPSS) Special Interest Group to help network defenders better prioritize vulnerability remediation efforts. However, until security standards such as PCI DSS are updated to recognize EPSS scores, business stakeholders might be reluctant to approve changes to their vulnerability management policy that would take advantage of these newer practices. Staying with the status quo might appear to be the safer bet, at the cost of a relentless patching treadmill. Taking on these new paradigms requires courage, leadership and a commitment to being exceptional at cybersecurity.
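To make concrete both the algorithm-versus-policy distinction above and the tension between a fixed CVSS 4.0 threshold and EPSS-style exploit likelihood, here is an added example (not code from the original post) of a small prioritizer that scores each finding as technical likelihood times business impact. The weights, the asset criticality ratings, the VULN-nn labels and the sample findings are all assumptions constructed for illustration.

```python
# Added example, not from the original post: contrast a pure threshold
# policy (remediate everything at CVSS >= 4.0) with a ranking that adds
# business context. Weights, ratings and findings are constructed.
from dataclasses import dataclass

PCI_CVSS_THRESHOLD = 4.0  # policy threshold cited in the article

# Assumed business-criticality multipliers supplied by asset owners
ASSET_CRITICALITY = {"cardholder-data-env": 3.0, "customer-portal": 2.0,
                     "internal-wiki": 1.0, "test-lab": 0.5}

@dataclass(frozen=True)
class Finding:
    vuln_id: str      # placeholder label, not a real CVE identifier
    asset: str
    cvss: float       # CVSS base score, 0..10
    epss: float       # EPSS-style probability of exploitation, 0..1
    exploited: bool   # active exploitation observed in the wild

def in_policy_scope(f: Finding) -> bool:
    """Standard-driven rule: everything at or above 4.0 must be fixed."""
    return f.cvss >= PCI_CVSS_THRESHOLD

def business_risk(f: Finding) -> float:
    """Assumed scoring: likelihood blends scaled CVSS with EPSS and adds a
    bump for active exploitation; impact is the asset owner's rating."""
    likelihood = 0.4 * (f.cvss / 10.0) + 0.6 * f.epss
    if f.exploited:
        likelihood = min(1.0, likelihood + 0.3)
    return round(likelihood * ASSET_CRITICALITY.get(f.asset, 1.0), 3)

def prioritize(findings):
    """Return findings ordered by business risk, highest first."""
    return sorted(findings, key=business_risk, reverse=True)

# Constructed sample findings; VULN-05 is below the 4.0 threshold yet sits
# on the most critical asset and is actively exploited.
SAMPLE = [
    Finding("VULN-01", "internal-wiki", 9.8, 0.02, False),
    Finding("VULN-02", "cardholder-data-env", 6.5, 0.85, True),
    Finding("VULN-03", "test-lab", 7.5, 0.40, False),
    Finding("VULN-04", "customer-portal", 4.3, 0.01, False),
    Finding("VULN-05", "cardholder-data-env", 3.9, 0.70, True),
]

if __name__ == "__main__":
    backlog = [f for f in SAMPLE if in_policy_scope(f)]
    print(f"{len(backlog)} of {len(SAMPLE)} findings in scope under the 4.0 rule")
    for f in prioritize(SAMPLE):
        print(f"{f.vuln_id:8} {f.asset:20} risk={business_risk(f):.3f}")
```

Under the threshold rule four of the five findings are in scope and VULN-05 is ignored, while the business-aligned ranking places it second; that difference is the conversation the article says asset owners and risk teams need to have.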
This is Part 1 of this post, where we present the business case for Patch Prioritization. In Part 2, we will walk through how to apply the 7 Rules to build team commitment to tackle this overlooked challenge. Our analysis is illustrated by a current real-life conundrum that could lead to personal regulatory liability.