While a robust set of security technologies undoubtedly plays an important role in every organization's risk management strategy, an intelligent and timely patching approach remains one of the primary ways organizations can protect their networks from attackers. Patching addresses known security vulnerabilities and prevents malicious actors from exploiting them to gain unauthorized access to company data or disrupt operations.
However, it's easy to get overwhelmed by how often software and application developers release patches. Teams often struggle to decide which updates to implement, when, and in what order to apply them.
But what if you could reliably prioritize your patch plan? There's no silver bullet, but the latest threat insights can help guide your strategy and better protect your organization.
Patching is key
Even with a patch management strategy in place, many organizations still find it difficult to patch vulnerabilities as soon as they are disclosed, and attackers are quick to exploit the gap. Deciding which vulnerabilities to patch first is exactly where a solid plan matters most.
At the same time, practitioners can take advantage of protections such as virtual patching, which adds a layer of security that analyzes incoming traffic for malicious activity, while waiting for the actual patch to be applied. Each vulnerability's severity score should be taken into account when building a priority list, but a score alone can't tell you which open vulnerabilities are most likely to be exploited soon. The good news is that other tools can help you prioritize your patching efforts.
Learn about the "red zone".
Many variables, such as an organization's vulnerability management practices and advances in attacker tooling, affect the relationship between the common vulnerabilities and exposures (CVEs) present on endpoints and the CVEs that attackers are actually targeting.
To help security practitioners better prioritize patching efforts, the FortiGuard Labs team introduced the concept of the "red zone" in previous threat landscape reports. The red zone is an estimate of how the CVEs observed on endpoints compare with the CVEs being actively attacked. We introduced it to help security practitioners understand the likelihood (or unlikelihood) that a threat actor will exploit a particular vulnerability.
For example, in our latest Threat Landscape Report we ran this analysis and determined that in the first half of 2023 only 8.3% of the CVEs observed on endpoints fell into the red zone. While that still represents a significant number of vulnerabilities for security practitioners to address, understanding the red zone helps teams identify the patching efforts that should be their highest priority.
Use EPSS to prioritize your work
The Exploit Prediction Scoring System (EPSS) can also help you identify which vulnerabilities most need your attention. EPSS is an open, data-driven effort to estimate the likelihood that a software vulnerability will be exploited in the wild. Complementing existing CVSS severity scores, the project is designed to help defenders better prioritize vulnerability mitigation.
EPSS combines current vulnerability information from the CVE list with data on real-world exploitation activity. The probability scores it produces range from 0 to 1 (0% to 100%); the higher the score, the more likely the vulnerability is to be exploited in the next 30 days.
For example, on May 31, 2023, the MOVEit Transfer web application was disclosed to contain a zero-day SQL injection vulnerability that could allow an unauthenticated attacker to modify or delete data in the application's database. Security experts immediately flagged the vulnerability as a concern, and once the CVE was published, EPSS rated the likelihood of exploitation within the next 30 days as very high.
Not surprisingly, cybercriminals were quick to act. Just five days after the vulnerability was disclosed, FortiGuard Labs sensors detected attackers exploiting the MOVEit vulnerability. In this case, EPSS provided third-party confirmation of our analysts' findings and helped us stay ahead of the curve in communicating about the evolving threat.
Beyond prioritizing remediation, vulnerability management teams can also use EPSS to support intelligence efforts that track a vulnerability from initial disclosure to compromise. Incorporate EPSS data into your vulnerability management strategy as an early warning system.
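As an added example (not FortiGuard Labs code and not taken from the Threat Landscape Report), the script below combines the two ideas in this post: red-zone membership, meaning CVEs present on your endpoints that are also being actively attacked, and EPSS probabilities pulled daily so that a sudden jump acts as the early-warning signal described above. The EPSS endpoint URL is FIRST's public API; the CVE identifiers, scores, percentiles, asset inventory and the 0.10 thresholds are constructed sample values.

```python
"""Patch prioritization helper combining red-zone membership with EPSS.

Added example; not FortiGuard Labs code. The EPSS endpoint is FIRST's
public API, but every CVE identifier, score, asset and threshold here
is a constructed sample value.
"""
import json
from dataclasses import dataclass
from urllib.parse import urlencode

EPSS_API = "https://api.first.org/data/v1/epss"


def epss_query_url(cves):
    """Build the FIRST EPSS API URL for a batch of CVEs (real API; not fetched here)."""
    return f"{EPSS_API}?{urlencode({'cve': ','.join(sorted(cves))})}"


def parse_epss_response(body):
    """Map CVE id -> (epss, percentile) from an EPSS API JSON body."""
    return {row["cve"]: (float(row["epss"]), float(row["percentile"]))
            for row in json.loads(body)["data"]}


def red_zone(observed, attacked):
    """CVEs present on our endpoints that are also being actively attacked,
    plus their share of everything observed (the red-zone figure)."""
    observed, attacked = set(observed), set(attacked)
    zone = observed & attacked
    share = len(zone) / len(observed) if observed else 0.0
    return zone, share


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float
    internet_facing: bool


def prioritize(findings, epss, attacked, epss_threshold=0.10):
    """Order findings for patching: red zone first, then EPSS at or above the
    threshold, then the rest. Within a tier, internet-facing assets go first,
    then higher EPSS, then higher CVSS as the final tiebreaker."""
    zone, _ = red_zone({f.cve for f in findings}, attacked)

    def key(f):
        prob = epss.get(f.cve, (0.0, 0.0))[0]
        tier = 0 if f.cve in zone else (1 if prob >= epss_threshold else 2)
        return (tier, not f.internet_facing, -prob, -f.cvss)

    return sorted(findings, key=key)


def epss_alerts(previous, current, jump=0.10):
    """Early warning: CVEs whose EPSS probability rose by at least `jump`
    between two daily pulls (e.g. after a CVE is published or exploit code lands)."""
    return sorted(cve for cve, (prob, _) in current.items()
                  if prob - previous.get(cve, (0.0, 0.0))[0] >= jump)


# --- constructed sample data (not real CVEs or real EPSS output) -------------
YESTERDAY = json.dumps({"status": "OK", "data": [
    {"cve": "CVE-2099-0001", "epss": "0.02", "percentile": "0.60", "date": "2099-01-01"},
    {"cve": "CVE-2099-0002", "epss": "0.28", "percentile": "0.96", "date": "2099-01-01"},
    {"cve": "CVE-2099-0003", "epss": "0.01", "percentile": "0.40", "date": "2099-01-01"},
    {"cve": "CVE-2099-0004", "epss": "0.14", "percentile": "0.93", "date": "2099-01-01"},
]})
TODAY = json.dumps({"status": "OK", "data": [
    {"cve": "CVE-2099-0001", "epss": "0.85", "percentile": "0.99", "date": "2099-01-02"},
    {"cve": "CVE-2099-0002", "epss": "0.30", "percentile": "0.96", "date": "2099-01-02"},
    {"cve": "CVE-2099-0003", "epss": "0.01", "percentile": "0.40", "date": "2099-01-02"},
    {"cve": "CVE-2099-0004", "epss": "0.15", "percentile": "0.93", "date": "2099-01-02"},
]})
FINDINGS = [  # what the scanner found on our endpoints (constructed)
    Finding("CVE-2099-0001", "web-01", 9.8, True),
    Finding("CVE-2099-0002", "file-01", 7.5, False),
    Finding("CVE-2099-0003", "db-01", 9.1, False),
    Finding("CVE-2099-0004", "web-02", 5.3, True),
]
ATTACKED = {"CVE-2099-0002"}  # e.g. from IPS sensor hits or a known-exploited list


def run_example():
    """Return the patch order, the red-zone share and today's EPSS alerts."""
    prev, cur = parse_epss_response(YESTERDAY), parse_epss_response(TODAY)
    _, share = red_zone({f.cve for f in FINDINGS}, ATTACKED)
    order = [f.cve for f in prioritize(FINDINGS, cur, ATTACKED)]
    return {"order": order, "red_zone_share": share, "alerts": epss_alerts(prev, cur)}


if __name__ == "__main__":
    for k, v in run_example().items():
        print(f"{k}: {v}")
```

Note the ordering choice: a CVE already seen under attack on your own endpoints outranks even a very high EPSS score, because the red zone is observed exploitation rather than a prediction; EPSS then ranks the remainder, and the day-over-day jump in `epss_alerts` is what turns a daily pull into the early-warning feed the post recommends.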
Define your patching priorities
Patching is a critical task on every security professional's already long to-do list. To streamline the process while keeping the organization secure, teams should use tools such as red zone analysis and EPSS. Together they provide a valuable picture of where to focus across the attack surface and how to prioritize patching efforts, saving practitioners time and effort (and many trips down the CVE rabbit hole).