Keeping systems and applications current with security patches is one of the most critical tasks facing IT professionals, yet it is often one of the most neglected because the work is time-consuming and rote. In a Verizon analysis of security incidents, researchers found that the typical organization patches less than half of its systems within four weeks of the discovery of a vulnerability. Even more concerning, if a patch is not applied within the first four weeks of release, it is unlikely ever to be applied.
This situation leaves organizations vulnerable to both sophisticated attackers during the early days of a patch's release and run-of-the-mill attackers during later phases. While security professionals clearly recognize and evangelize on the importance of applying patches, the work simply isn't getting done. Security orchestration, automation and response (SOAR) programs have the potential to address this issue and dramatically improve the state of endpoint, server, device and application security within an organization.
Let's take a look at two key ways that automated patch management and vulnerability control programs benefit from the application of security automation and orchestration.
Monitor and update patch status automatically
While the idea of patching systems doesn't inspire enthusiasm in the minds of technologists, it is often the area of greatest potential for SOAR efforts. Automated patch management removes the mundane work of checking patch status and applying patches by hand, and it can dramatically reduce an organization's risk profile and decrease the likelihood of a successful attack.
Integrating your SOAR platform with your organization's configuration management system(s) can simplify the work involved with automated patch management. The configuration management system can monitor the current state of systems and identify deviations from the approved security baseline. When a missing patch is detected, the SOAR platform can trigger an automated remediation that attempts to patch the system and then follows up with an independent verification that the patch was successfully applied. The SOAR platform can flag for human intervention any unsuccessful attempts to patch systems, as well as systems that are excluded from automated patch management for operational reasons.
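The detect-remediate-verify-flag loop described above, as an added example in Python that is not code from the original article or from any particular SOAR product. The configuration management and patch connectors are replaced by constructed in-memory stand-ins, and the patch identifiers are made up; the point it demonstrates is that verification must come from a source independent of the patch tool's own success report, and that excluded hosts are routed to a human rather than silently skipped.

```python
from dataclasses import dataclass

@dataclass
class Host:
    name: str
    installed: set          # patches the configuration management system reports as present
    excluded: bool = False  # excluded from automated patching for operational reasons

# Approved security baseline (constructed identifiers, not real patch IDs).
BASELINE = {"PATCH-001", "PATCH-002", "PATCH-003"}

def missing_patches(host, baseline):
    """Deviation from the baseline, as the configuration management system would report it."""
    return sorted(baseline - host.installed)

def run_patch_playbook(hosts, baseline, apply_patch, verify_installed):
    """Detect -> remediate -> independently verify -> flag. apply_patch's return value is
    deliberately not trusted; verify_installed must query a source independent of the
    patch tool (for example a fresh configuration or vulnerability scan)."""
    report = {"patched": [], "needs_human": []}
    for host in hosts:
        missing = missing_patches(host, baseline)
        if not missing:
            continue
        if host.excluded:
            report["needs_human"].append((host.name, "excluded from automation", missing))
            continue
        for patch in missing:
            apply_patch(host.name, patch)          # remediation attempt
        still_missing = [p for p in missing if not verify_installed(host.name, p)]
        if still_missing:
            report["needs_human"].append((host.name, "verification failed", still_missing))
        else:
            report["patched"].append(host.name)
    return report

# --- Constructed simulation standing in for the patch tool and the verification scan ---
ACTUAL_STATE = {"web-01": {"PATCH-001"}, "db-01": {"PATCH-001", "PATCH-002"}, "legacy-01": set()}

def fake_apply_patch(host, patch):
    # Simulated silent failure: db-01 claims success for PATCH-003 but never installs it.
    if not (host == "db-01" and patch == "PATCH-003"):
        ACTUAL_STATE[host].add(patch)
    return True  # the tool reports success either way, which is why we do not rely on it

def fake_verify_installed(host, patch):
    return patch in ACTUAL_STATE[host]  # independent check of the real state

def demo():
    hosts = [Host("web-01", {"PATCH-001"}), Host("db-01", {"PATCH-001", "PATCH-002"}),
             Host("legacy-01", set(), excluded=True)]
    return run_patch_playbook(hosts, BASELINE, fake_apply_patch, fake_verify_installed)
```

Running `demo()` shows web-01 fully remediated, db-01 flagged because the independent check caught the patch the tool claimed to install, and legacy-01 flagged for manual handling with its full list of missing patches.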
Manage and remediate vulnerabilities
Just as most organizations currently use a configuration management system to track patch status, most organizations also use a vulnerability management system to identify and track vulnerability scan results. These systems detect a wide variety of security issues, including missing patches, misconfigured encryption settings, flawed firewall rules, application security flaws and many other insecure states. However, this information is often locked away in a vulnerability scanning system that is the domain of cybersecurity professionals and not easily and consistently provided to the technologists with the knowledge and privileges to address the situation.
SOAR approaches can unlock this information and place it in the hands of the team members who can most directly take action to address the issue. Security orchestration and automation platforms may use the APIs that vulnerability scanning platforms provide to retrieve the results of vulnerability scans and trigger automated workflows based upon those results. For example, when the system detects a significant vulnerability, it can reach into the organization’s service ticketing system, create an incident and assign it to the responsible engineering team. It can then monitor the status of that ticket, triggering escalations as needed. Once the ticket is closed, the SOAR platform can trigger a new vulnerability scan to confirm that the remediation addressed the issue.
In both of these cases, SOAR platforms help liberate information that may be locked away in specialized systems and trigger an automated patch management response that either corrects the issue, in the case of missing security patches, or initiates a remediation workflow in the case of complex security vulnerabilities. Using orchestration and automation for patch management and vulnerability monitoring promises to address one of the most pressing cybersecurity issues facing the modern enterprise.