Treading Water: The Struggle Against Third-Party Vulnerabilities and How True Automation Can Help.

By Dan Richings – Senior Vice President, Global Presales, Solutions Engineering, and Support – Adaptiva

Using third-party software is unavoidable in today’s market. The competition and the break-neck pace that IT teams are asked to deliver lead organizations to make the easy choice instead of the right choice, exposing them to vulnerabilities.

A software vulnerability is blood in the water. And by the time you’ve noticed, the sharks are already closing in.

Operating systems are more secure than ever. Nonetheless, cybercriminals are finding a way through unpatched third-party Windows applications, leaving companies feeling like they are treading shark-infested waters with a needle and thread, trying to stitch their wounds.

Despite knowing the dangers, organizations still can’t manage to keep up. It’s costing them not only money and customers; it negatively impacts their reputations as well.

Too little too late

Perhaps it’s the bureaucracy, the pressure to release quicker, loosely defined governance processes, a communication breakdown, or a little bit of everything. Whatever it is, it’s usually avoidable. Sixty percent of data breaches happened through a vulnerability known to the organization that has not been patched. So what can we do differently? How can we ensure faster, more effective patching responses?

Increasing headcount seems appealing, but we know it won’t fix the problem and we don’t have the budget for it anyway. One thing is for sure, the consequences of an unsecure system can be life-threatening.

Scripps Health turned away patients after experiencing a serious ransomware attack in 2021, leaving core parts of its IT infrastructure offline. That same year, Waikato Hospital in New Zealand and the Irish health service had to reschedule life-saving surgeries due to their own vulnerabilities.

It’s gotten so bad that governments are passing legislation to encourage organizations to prioritize patching vulnerable software. The U.S. Department of Homeland Security now requires federal agencies and contractors to patch high vulnerabilities in 30 days, and critical vulnerabilities within just 15 days.

Although well-intentioned, mandating something be done is a lot easier than actually doing it – as developers can attest.

What can be done?

Why on earth is patching third-party applications so challenging? What gives? During my time at Adaptiva, I’ve heard a lot from enterprises about the challenges they face patching vulnerable third-party software. Here are the most common reasons I’m told.

Remote work and disjointed teams

Just a few years ago, work looked different. It was rare to be a remote employee, especially for IT. On-premise and on-call, everyone was where the work was being done. Where the action was. It’s different now. Regardless of your feelings toward remote work, I don’t think anyone was prepared for such a massive and quick shift.

Without tight protocols around the organization, teams are left with disjointed workflows. Vulnerability management typically is an IT security task but patching desktop computers might be the job of the desktop team, IT operations, or IT service management.

These disconnects can interrupt workflow, hinder effective communication, and cause even more friction and delays in the patching process.

Remote work also introduces new security threats, as employees prefer to use their own, at-home devices to access enterprise applications. Sure, we can try procuring, encrypting, and shipping laptops or hiding access behind VPNs. If an employee insists on using their own device who is to stop them, after all?

Poor or arduous change management

Let’s be clear – change management is critical to any enterprise. Poor change management can ruin the entire software development lifecycle. It can land you in a lot of trouble with auditors, too. But arduous change management, bureaucracy for bureaucracy’s sake, can be just as bad.

When there is an immediate threat to customer data, urgency is needed. There’s no time to wait around for the next release date and committee approvals. I once knew someone in the manufacturing industry who had to go through 42 (yes, 42) approvals before a change was ready to deploy into production.

Change management needs nuance and different tracks for different issues. Old policies need updating to adjust to the evolving threat landscape.

Overwhelmed employees

The backlog never ends. By the time a patched version of an application is developed, tested, and deployed it’s already outdated and replaced by another newer version with more patches. Hackers know how organizations prioritize work and they use it to their advantage by purposely exploiting low-priority, lightly used applications – flying under the radar.

Cyber threats require hypervigilance at all times. Exacerbated by the recent layoffs, inflation, and tightened budgets, organizations feel outmanned. So do their employees.

Patches aren’t perfect.

I wish it was as easy as pressing a button, but for most enterprises that just isn’t the case. The security concerns and compatibility tests associated with patching can take days, if not weeks, to complete.

The frequent release of patches can make it challenging for teams to determine which metadata applies to the patch they are trying to apply, further prolonging the deployment process. If and when the patch is finally deployed, it likely has to be reworked and redeployed.

It’s amazing that patching happens at all. As cyber criminals are working around the clock and software is getting increasingly complex, these issues are likely to only get bigger.

Even if the third-party issues the patch, there is no promise that it’s secure, or that it doesn’t introduce even more problems. Remember the SolarWinds hack? Cybercriminals pushed code through a patch going to thousands of vendors.

The Fix: Autonomous Patching

Third-party application patching presents many challenges to IT teams. They don’t have to.

The manual processes required for patch management consume significant time and resources, making it difficult for IT teams to keep up with the ever-evolving threat landscape.

Thanks to artificial intelligence and machine learning, automation is faster, smoother, and more efficient and is enabling the era of autonomous management. According to a recent survey by Ponemon Institute, using automation to investigate and remediate vulnerabilities reduces the average cost of a breach by $450,000 a year, or 20 percent.

At Adaptiva, for example, we’ve created a user-focused platform that lets you simply define patching strategy across a massive library of third-party applications, and Adaptiva will autonomously patch your systems in real-time.  Everything from inventory, to identification, prioritization, deployment waves, and testing will all run autonomously. You’ll never have to patch a device again.

But regardless of the specific autonomous patch management solution that you choose, the bottom line is that you can move through the steps of patch management with little to no human intervention, even deploying multiple patches simultaneously. All of this in less time, which means teams get to spend more time on strategic, value-adding tasks. And as we look to the future, such tools will play an increasingly pivotal role in your overall IT security strategy.

About the Author

Dan Richings – Senior Vice President, Global Presales, Solutions Engineering, and Support – Adaptiva.

Based in the UK and with Adaptiva since 2015, Dan oversees the management of Adaptiva’s products and solutions and plays a key role in determining the product roadmap for the company and delivering on customer needs. Dan has a strong technical background in IT Systems Management across a career spanning numerous industry sectors including construction, design & consulting, software development and IT professional services.

Dan can be reached online at https://twitter.com/dan_richings

and at our company website https://adaptiva.com/