As OneNeck's CISO, I lead the directive on patching frequency, and I'm often asked what goes into determining the timing of our patching schedule. When it comes to patching, we follow an every-30-day approach, and here's why...
Patching for vulnerabilities requires some risk analysis to understand and balance the cybersecurity risk against the business functionality risk. The risk analysis needs to consider the severity and impact of the vulnerability being patched, as well as the potential adverse or unintended impact of the patch on users and on business applications or processes. For most vulnerabilities, 30 days allows for that balance: time to assess the patches being released and to complete proper business testing.
Additionally, statistics in annual breach reports show that most vulnerability exploits occur on devices that have gone unpatched for months or years (see the chart from the Verizon 2021 Data Breach Report).
However, for zero-day vulnerabilities, the severity and impact can be significant, and we would completely agree that waiting 30 days or more is typically not sufficient. Frequently, a zero-day vulnerability is already being actively exploited by bad actors; therefore the cybersecurity risk is known to be high, the risk to business functionality is recognized and accepted, and patching happens immediately.
OneNeck’s process for zero-day vulnerabilities includes same-day notification to customers; within 24 hours, technical teams assess vendor-provided workarounds or patches (if available), and our security teams assess the vulnerability for known exploits or other mitigating factors. If the factors warrant immediate patching, OneNeck provides that recommendation to customers and schedules the Change Record based on the customer’s business approval.
At OneNeck, we highly recommend, and work with our customers to adopt, a Defense in Depth approach to cybersecurity. Defense in Depth refers to an approach in which a series of security mechanisms and controls are purposefully layered throughout a computer network to protect the confidentiality, integrity, and availability of the network and the data within it.
These layered controls include vulnerability management, which drives the need for timely patching, but also heuristic anti-malware protection, responsive 24x7 security monitoring, boundary controls, and identity and access management, to name a few. With Defense in Depth properly adopted, our perspective is that you can then take the appropriate time to do the risk analysis for patching vulnerabilities, balancing the cybersecurity risk against the business functionality risk.
Exceptions to the Rule
There are always exceptions: zero-day vulnerabilities as noted above, a particularly business-critical device, or a device to which Defense in Depth cannot be applied. In those situations, a more aggressive patch cycle should be considered. For good security hygiene overall, OneNeck aligns with global security frameworks such as the Center for Internet Security (CIS Controls), whose guidelines recommend performing operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
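The factors described above (known exploitation, business criticality, whether layered controls cover the asset, and whether a vendor patch exists) can be written down as an explicit triage rule so that every finding gets a dated deadline and a recorded rationale. The following is an added illustration, not OneNeck's tooling or process automation; the 30-day standard cycle comes from the post, while the 7-day accelerated window for exceptions, the field names, and the placeholder CVE identifiers in the sample data are assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Window lengths. The 30-day standard cycle is the one the post describes;
# the 7-day accelerated window for exceptions is an assumption for this example.
STANDARD_CYCLE_DAYS = 30
ACCELERATED_CYCLE_DAYS = 7
IMMEDIATE_DAYS = 0


@dataclass
class Finding:
    """One vulnerability on one asset: the inputs to the risk analysis."""
    cve: str                  # placeholder ids in the sample data below
    cvss: float               # severity score, the cybersecurity-risk side
    asset: str
    actively_exploited: bool  # zero-day / known in-the-wild exploitation
    patch_available: bool     # vendor patch shipped, or only a workaround so far
    business_critical: bool   # business-functionality risk recognized as high
    defense_in_depth: bool    # AV, 24x7 monitoring, boundary, IAM cover this asset


@dataclass
class Plan:
    cve: str
    asset: str
    deadline_days: int
    due: date
    rationale: str
    actions: List[str] = field(default_factory=list)


def plan_patch(f: Finding, today: date) -> Plan:
    """Map the factors in the post to a patch window and the steps to take."""
    if f.actively_exploited:
        # Zero-day path: risk is known to be high, so the cycle collapses to today.
        actions = [
            "same-day notification to customers",
            "within 24h: technical team assesses vendor workarounds or patches",
            "security team checks for known exploits and mitigating factors",
            "recommend immediate patching; schedule Change Record on business approval",
        ]
        if not f.patch_available:
            actions.append("apply vendor workaround until a patch is released")
        return Plan(f.cve, f.asset, IMMEDIATE_DAYS, today,
                    "actively exploited: cybersecurity risk known to be high", actions)

    if f.business_critical or not f.defense_in_depth:
        # Exceptions to the rule: tighten the window, but keep the testing steps.
        why = "business-critical asset" if f.business_critical \
            else "Defense in Depth cannot be applied to asset"
        return Plan(f.cve, f.asset, ACCELERATED_CYCLE_DAYS,
                    today + timedelta(days=ACCELERATED_CYCLE_DAYS),
                    f"exception ({why}): accelerated cycle",
                    ["assess patch severity and impact",
                     "run business application testing",
                     "deploy within accelerated window"])

    # Default: layered controls buy the time needed for assessment and testing.
    return Plan(f.cve, f.asset, STANDARD_CYCLE_DAYS,
                today + timedelta(days=STANDARD_CYCLE_DAYS),
                "standard monthly cycle: layered controls allow proper testing",
                ["assess patch severity and impact",
                 "run business application testing",
                 "deploy in monthly window"])


def prioritize(findings: List[Finding], today: Optional[date] = None) -> List[Plan]:
    """Order the backlog: shortest deadline first, higher CVSS first within a window."""
    today = today or date.today()
    pairs = [(f, plan_patch(f, today)) for f in findings]
    pairs.sort(key=lambda fp: (fp[1].deadline_days, -fp[0].cvss))
    return [p for _, p in pairs]


# Constructed sample backlog; the CVE ids are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    Finding("CVE-PLACEHOLDER-1", 7.5, "web-proxy-01", False, True, False, True),
    Finding("CVE-PLACEHOLDER-2", 9.8, "vpn-gw-01", True, False, True, True),
    Finding("CVE-PLACEHOLDER-3", 6.5, "erp-db-01", False, True, True, True),
    Finding("CVE-PLACEHOLDER-4", 8.1, "legacy-hmi-01", False, True, False, False),
]

if __name__ == "__main__":
    for p in prioritize(SAMPLE_FINDINGS):
        print(f"{p.due}  {p.deadline_days:>2}d  {p.asset:<14} {p.rationale}")
        for a in p.actions:
            print(f"      - {a}")
```

Running it on the sample backlog puts the actively exploited VPN gateway at the top with a same-day deadline and the workaround step attached, then the two exception cases in CVSS order within the 7-day window, and the fully covered proxy last on the 30-day cycle. The rationale string is what you would carry into the Change Record so the reason for each window is auditable later.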
We're here to help.
Maintaining a hardened security posture can weigh on even the most seasoned IT professional, but you don't have to go it alone. As a managed services provider, we've seen it all, and as a security services provider, we've helped many customers prevent, detect, and respond to cyberthreats. So, let us know how we can help. We've got your back!