Why Vulnerability Patch Management Shouldn’t Be Tied to a Schedule

By Jim Jackson, President and Chief Revenue Officer at TuxCare

Compliance is a serious duty within cybersecurity, IT and related management roles. It’s only getting more stringent as industry regulations and legal requirements continually expand. And potentially creating a perfect storm, that duty is getting all-too-real with a growing number of legal actions that illustrate there is now a clear and escalating desire to more directly hold c-level and even board-level personnel more accountable for cybersecurity failures.

Many hindsight-based looks at cyberattacks likely start with a gander at the most basic responsibilities – including addressing KNOWN vulnerabilities in a timely manner. All stakeholders involved, especially if there are many millions of dollars at stake for any number of reasons, naturally want to know just how committed and consistent all related responsible personnel were to the deployment of data protection processes.

Unfortunately, it’s this commitment to protection that can be translated a whole host of ways, let alone the fact that it all-too-often results into a “schedule” of ongoing and even calendarized events to bolster an organization’s cybersecurity stance. Vulnerabilities in existing code, for example, obviously aren’t necessarily discovered or fixed during business hours, or even business days for that matter. Thus, if those tasked with patch management at a company are made aware of the fact that a patch is readily available for a threat, how much time between that moment and the deployment of the patch is acceptable? That’s not a debate that should exist, as that threat window shouldn’t be any longer than is needed. It definitely shouldn’t be dictated by artificial schedules in the first place.

By leaving a patch to be deployed later, even just a few days or a couple weeks later, a truly obvious security hole exists. And it’s innately known as that point as well. It doesn’t really matter that management has a reason (even a seemingly understandable reason) for the gap, or risk window. Waiting for reboots or scheduled downtime can result in huge problems if the committed, clever criminals find that gap and take full advantage of it. Remember, the bad guys also know when such holes likely exist.

Patch management needs to include live patching – the act of deploying patches without the need for system downtimes or waiting for reboots. Organizations should equate “proactiveness” with “live” in relation to patch management. After all, a patch means something is available to remedy a scenario that could otherwise lead to massive problems. And since the exploitation of today’s unending number of vulnerabilities still stands as the most common doorway for hackers, it’s reassuring both for management and all stakeholders to know that automation, and not prolonged schedules drive the timing of patches.

So, with automated patch management comes speed and peace of mind. Additionally, it enables an organization to cost-effectively become more consistent in its method of addressing vulnerability patches as they become available rather than as the organization can accommodate the task. It’s this link between patching and automation that can help fortify a plan to not only APPEAR proactive in regard to compliance, but to actually BE among the speediest in doing so.

About Jim Jackson

Jim Jackson serves as President and Chief Revenue Officer at TuxCare. A global provider of enterprise-grade security automation for Linux, TuxCare provides new levels of efficiency for developers, IT security managers and Linux server administrators seeking to affordably simplify and enhance their operations.

 

Ad
Join over 500,000 cybersecurity professionals in our LinkedIn group "Information Security Community"!

No posts to display