As we enter 2023, it’s a rare day that newsfeeds don’t include stories of companies implementing staff reductions or hiring freezes. Business is clearly preparing for a lean 2023, and it’s likely cybersecurity teams won’t be inoculated against the coming pain. That’s bad for cybersecurity teams for obvious reasons, but worse for the overall cyber risk of the business community. Cyber criminals read the news too, and they’re likely familiar with Winston Churchill’s timeless advice, first delivered to the world as WWII wound down: “never let a good crisis go to waste.” Evidence suggests they won’t. In the last economic downturn prior to the pandemic (2008), the FBI reported a 33% increase in “fraudulent internet activity” (the prior two years there was actually a decrease). It’s unlikely 2023 will be any different, bringing us to the subject at hand: automated patching.
Can Auto-Patching Save Resources?
Automation in contemporary cyber security products is often synonymous with complex and highly-promoted technologies like ML and AI, or UEBA. Certainly, advanced technology has its place in addressing the never-abating skills and resource shortage that has plagued cyber security and information technology for years, but we’re an industry filled with engineers and others fascinated by technology, and sometimes that pedigree deludes us into believing technology is an end in and of itself. Moreover, that enduring industry prejudice can mask less technically-breathtaking solutions that can be substantially more effective in achieving the goal of manpower savings. Auto-patching is a prime example. Nearly all operating systems and applications offer an auto-patch capability, but vulnerability remediation teams are often hesitant to leverage auto-patching. Why?
Why isn’t Automated Patching Used More?
For those in the vulnerability remediation business, this question is rhetorical. For everyone else, the answer is that patching can break things, disrupt network operations, and make life miserable for remediation teams (and those they serve) when things go awry. Understandably, then, blindly enabling auto-patching, crossing one’s fingers and hoping for the best is a remediation strategy the vulnerability remediation community rarely embraces. But notably, this auto-patching apprehension is more the result of human nature than of technology deficiencies. In reality, a very low percentage of patches are ever rolled back (some proprietary studies put the number of roll-backs at less than 2%), which argues for a much more aggressive use of auto-patching. And yet, the aversion to auto-patching persists, unpatched vulnerabilities mount, and the cyber risk of the typical enterprise increases. But again, this makes sense. Although less than 2% of patches are rolled back, remediation teams have no insight into which patches are safe to auto-patch and which may fall into that 2%, so trepidation is not only appropriate, but a perfectly responsible emotion when it comes to auto-patching.
Can a Patch Breaking Something be Predicted?
Until recently, no. Short of calling a colleague at another organization that has recently applied the same patch, vulnerability remediation practitioners have had no data or insight about the potential disruptiveness of a given patch. An emerging technology, however, is challenging this long-held status quo in the vulnerability remediation community. The reality for any patch – for just about any OS or application – is that someone else has applied it, somewhere, on some network, in some organization. Indeed, it’s likely that many “someones” have applied the patch, and either they experienced an issue or, more often than not, the patch was applied without incident. In a nutshell, trackd is collecting that patching experience data across its entire customer base, anonymizing it, and presenting it to all its platform users. Thus, a trackd platform user in California with Company Y now has the benefit of the patching experience of a trackd user in Maine with Company Z…and vice versa. This collective experience grows as the number of platform users grows, so vulnerability remediation professionals can now see disruption data alongside traditional vulnerability metrics, providing the insight needed to make data-informed decisions on how to address individual patches.
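The two ideas above, that most patches are never rolled back (the under-2% figure from the previous section) and that pooling anonymized deployment reports across many organizations turns that into per-patch insight, can be made concrete in a few lines. The following is an added illustration, not trackd’s code or a description of its platform: it constructs a sample set of deployment reports from hypothetical tenants (tenant and patch names are placeholders), replaces tenant identifiers with salted hashes so the shared view reveals who reported nothing, aggregates applied-versus-rolled-back counts per patch, and then uses an upper confidence bound on the rollback rate rather than the raw rate to decide whether a patch clears a 2% disruption threshold. The threshold, the minimum-tenant rule and the 95% Wilson bound are assumptions chosen for the example; they show why a handful of clean reports cannot by themselves make a patch look safe, which is exactly the insight a remediation team lacks when it only has its own data.

```python
import hashlib
from math import sqrt


def build_sample_reports():
    """Constructed sample data: (tenant, patch_id, rolled_back) tuples.
    Tenant and patch names are hypothetical placeholders, not real
    customers or vendor advisory identifiers."""
    reports = []
    # patch-A: applied 400 times across 40 tenants, rolled back once
    for i in range(400):
        reports.append((f"tenant-{i % 40:02d}", "patch-A", i == 17))
    # patch-B: applied 50 times across 10 tenants, rolled back 4 times
    for i in range(50):
        reports.append((f"tenant-{i % 10:02d}", "patch-B", i in (3, 19, 33, 41)))
    # patch-C: only 3 reports from 2 tenants, none rolled back
    for i in range(3):
        reports.append((f"tenant-{i % 2:02d}", "patch-C", False))
    return reports


def anonymize_tenant(tenant_id, salt):
    """Replace a tenant identifier with a salted hash so aggregated counts can
    be shared across the platform without revealing who reported them. The
    salt (an assumption here) stays with the aggregator, never with readers."""
    return hashlib.sha256((salt + ":" + tenant_id).encode()).hexdigest()[:16]


def aggregate(reports, salt):
    """Per-patch totals plus the number of distinct (anonymized) reporting tenants."""
    stats = {}
    for tenant, patch_id, rolled_back in reports:
        s = stats.setdefault(patch_id, {"applied": 0, "rolled_back": 0, "tenants": set()})
        s["applied"] += 1
        s["rolled_back"] += int(rolled_back)
        s["tenants"].add(anonymize_tenant(tenant, salt))
    return stats


def wilson_upper(failures, trials, z=1.96):
    """Upper bound of the 95% Wilson score interval for a failure rate.
    Small samples produce a wide interval, so zero rollbacks in three
    deployments does not clear a 2% threshold; zero in several hundred does."""
    if trials == 0:
        return 1.0
    p = failures / trials
    z2 = z * z
    centre = p + z2 / (2 * trials)
    spread = z * sqrt(p * (1 - p) / trials + z2 / (4 * trials * trials))
    return (centre + spread) / (1 + z2 / trials)


def classify(stats, max_disruption=0.02, min_tenants=5):
    """Assumed decision rule: auto-patch only when the upper bound on the
    rollback rate is at or below the threshold and enough distinct tenants
    have reported; otherwise flag for review or mark as insufficient data."""
    decisions = {}
    for patch_id, s in stats.items():
        n, k = s["applied"], s["rolled_back"]
        upper = wilson_upper(k, n)
        if len(s["tenants"]) < min_tenants:
            verdict = "insufficient-data"
        elif upper <= max_disruption:
            verdict = "auto-patch"
        else:
            verdict = "review"
        decisions[patch_id] = {
            "applied": n,
            "rolled_back": k,
            "tenants": len(s["tenants"]),
            "observed_rate": k / n,
            "upper_bound": upper,
            "verdict": verdict,
        }
    return decisions


if __name__ == "__main__":
    results = classify(aggregate(build_sample_reports(), salt="demo-salt"))
    for patch_id, d in results.items():
        print(f"{patch_id}: {d['verdict']:17s} applied={d['applied']:4d} "
              f"rolled_back={d['rolled_back']:2d} tenants={d['tenants']:2d} "
              f"rate={d['observed_rate']:.3f} upper95={d['upper_bound']:.3f}")
```

Run as a script, it prints one line per patch: patch-A is approved for auto-patching (observed rate 0.25%, upper bound about 1.4%), patch-B is sent to review (observed 8%), and patch-C is marked insufficient-data because two tenants and three deployments say nothing useful, however clean. The point of using the confidence bound instead of the raw rate is that it encodes the caveat from the text: the collective view only becomes decision-grade as the number of reporting organizations grows.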
Does More Aggressive Automated Patching Solve the IT Resources Shortage?
By itself? Of course not. But any security or IT function that can be automated reduces the burden on the IT department, and in the case of vulnerability remediation, has a direct impact on the cyber risk of the organization. Whether it be the result of an economic downturn and corporate belt-tightening or the ongoing challenge of finding quality technology staff, being able to confidently leverage auto-patching to reduce vulnerability remediation times can contribute to the “do more with less” requirement of modern IT operations that doesn’t seem to be abating any time soon.