Patch or perish: How organizations can master vulnerability management

• 06 February, 2025
• No Comments

Don’t wait for a costly breach to provide a painful reminder of the importance of timely software patching

Vulnerability exploitation has long been a popular tactic for threat actors. But it’s becoming increasingly so – a fact that should alarm every network defender. Observed cases of vulnerability exploitation resulting in data breaches surged three-fold annually in 2023, according to one estimate. And attacks targeting security loopholes remain one of the top three ways threat actors start ransomware attacks.

As the number of CVEs continues to hit new record highs, organizations are struggling to cope. They need a more consistent, automated and risk-based approach to mitigating vulnerability-related threats.

Bug overload

Software vulnerabilities are inevitable. As long as humans create computer code, human error will creep in to the process, resulting in the bugs that bad actors have become so expert at exploiting. Yet doing so at speed and scale opens a door to not just ransomware and data theft, but sophisticated state-aligned espionage operations, destructive attacks and more.

Unfortunately, the number of CVEs being published each year is stubbornly high, thanks to several factors:

• New software development and continuous integration lead to increased complexity and frequent updates, expanding potential entry points for attackers and sometimes introducing new vulnerabilities. At the same time, companies adopt new tools that often rely on third-party components, open-source libraries and other dependencies that may contain undiscovered vulnerabilities.
• Speed is often prioritized over security, meaning software is being developed without adequate code checks. This allows bugs to creep into production code – sometimes coming from the open source components used by developers.
• Ethical researchers are upping their efforts, thanks in part to a proliferation of bug bounty programs run by organizations as diverse as the Pentagon and Meta. These are responsibly disclosed and patched by the vendors in question, but if customers don’t apply these patches, they’ll be exposed to exploits
• Commercial spyware vendors operate in a legal grey area, selling malware and exploits for their clients – often autocratic governments – to spy on their enemies. The UK’s National Cyber Security Centre (NCSC) estimates that the commercial “cyber-intrusion sector” doubles every ten years
• The cybercrime supply chain is increasingly professionalized, with initial access brokers (IABs) focusing exclusively on breaching victim organizations – often via vulnerability exploitation. One report from 2023 recorded a 45% increase in IABs on cybercrime forums, and a doubling of dark web IAB ads in 2022 versus the previous 12 months

What types of vulnerability are making waves?

The story of the vulnerability landscape is one of both change and continuity. Many of the usual suspects appear in MITRE’s top 25 list of the most common and dangerous software flaws seen between June 2023 and June 2024. They include commonly-seen vulnerability categories like cross-site scripting, SQL injection, use after free, out-of-bounds read, code injection and cross-site request forgery (CSRF). These should be familiar to most cyber-defenders, and may therefore require less effort to mitigate, either through improved hardening/protection of systems and/or enhanced DevSecOps practices.

However, other trends are perhaps even more concerning. The US Cybersecurity and Infrastructure Security Agency (CISA) claims in its list of 2023 Top Routinely Exploited Vulnerabilities that a majority of these flaws were initially exploited as a zero-day. This means, at the time of exploitation, there were no patches available, and organizations have to rely on other mechanisms to keep them safe or to minimize the impact. Elsewhere, bugs with low complexity and which require little or no user interaction are also often favored. An example is the zero-click exploits offered by commercial spyware vendors to deploy their malware.

Another trend is of targeting perimeter-based products with vulnerability exploitation. The National Cyber Security Centre (NCSC) has warned of an uptick in such attacks, often involving zero-day exploits targeting file transfer applications, firewalls, VPNs and mobile device management (MDM) offerings. It says:

“Attackers have realised that the majority of perimeter-exposed products aren’t ‘secure by design’, and so vulnerabilities can be found far more easily than in popular client software. Furthermore, these products typically don’t have decent logging (or can be easily forensically investigated), making perfect footholds in a network where every client device is likely to be running high-end detective capabilities.”

Making things worse

As if that weren’t enough to concern network defenders, their efforts are complicated further by:

• The sheer speed of vulnerability exploitation. Google Cloud research estimates an average time-to-exploit of just five days in 2023, down from a previous figure of 32 days
• The complexity of today’s enterprise IT and OT/IoT systems, which span hybrid and multi-cloud environments with often-siloed legacy technology
• Poor quality vendor patches and confusing communications, which leads defenders to duplicate effort and means they’re often unable to effectively gauge their risk exposure
• A NIST NVD backlog which has left many organizations without a critical source of up-to-date information on the latest CVEs

According to a Verizon analysis of CISA’s Known Exploited Vulnerabilities (KEV) catalog:

• At 30 days 85% of vulnerabilities went unremediated
• At 55 days, 50% of vulnerabilities went unremediated
• At 60 days 47% of vulnerabilities went unremediated

Time to patch

The truth is that there are simply too many CVEs published each month, across too many systems, for enterprise IT and security teams to patch them all. The focus should therefore be on prioritizing effectively according to risk appetite and severity. Consider the following features for any vulnerability and patch management solution:

• Automated scanning of enterprise environments for known CVEs
• Vulnerability prioritization based on severity
• Detailed reporting to identify vulnerable software and assets, relevant CVEs and patches etc
• Flexibility to select specific assets for patching according to enterprise needs
• Automated or manual patching options

For zero-day threats, consider advanced threat detection which automatically unpacks and scans possible exploits, executing in a cloud-based sandbox to check whether it’s malicious or not. Machine learning algorithms can be applied to the code to identify novel threats with a high degree of accuracy in minutes, automatically blocking them and providing a status of each sample.

Other tactics could include microsegmentation of networks, zero trust network access, network monitoring (for unusual behavior), and strong cybersecurity awareness programs.

As threat actors adopt AI tools of their own in ever-greater numbers, it will become easier for them to scan for vulnerable assets that are exposed to internet-facing attacks. In time, they may even be able to use GenAI to help find zero-day vulnerabilities. The best defense is to stay informed and keep a regular dialog going with your trusted security partners.