Axonius recently hosted The Great Debate, a 10-part webinar series debating the merits and pitfalls of some of the hottest topics in cybersecurity today. This post recaps the key takeaways from the second episode, where our guest speakers argued the pros and cons of prioritizing patch and vulnerability management.
Read on to find out whether patch and vulnerability management should be the No. 1 cybersecurity initiative for IT and security professionals in 2021.
What’s Patch and Vulnerability Management?
Patch and vulnerability management are two separate but closely related functions. They may be supported by the same people, but they often have different processes and technologies associated with them. In this episode of The Great Debate, the two functions were combined as one priority.
Patch management is the process of updating software, operating systems, and applications for assets. The purpose of a patch management program is to highlight, classify, and prioritize any missing patches for assets. Patch management addresses more than just security vulnerabilities. Issues impacting functionality, performance, availability, or support can also mean that patches are necessary. Finally, patches can be applied manually or programmatically.
Vulnerability management is the process of finding, assessing, remediating, and mitigating security weaknesses for known assets. Vulnerabilities are anything that could be exploited in operating systems, platforms, firmware, applications and software, and devices. Vulnerability assessment, the process of identifying vulnerabilities, is often used interchangeably with vulnerability management, but it’s actually a component of vulnerability management. The tools and processes used for vulnerability management will also detail remediation instructions and advice for known vulnerabilities when available.
Why Patch and Vulnerability Management Should Be a Top Cybersecurity Priority Today
Corey White, chief executive and experience officer at Cyvatar.ai, argued that patch and vulnerability management are imperative to identifying the low-hanging fruit, like finding what’s not patched, and what open ports and vulnerabilities you have. In the past, this was a hard task because cybersecurity professionals didn’t have the proper tools.
Today, there are tools available to automate the whole process, White said. He advised security teams to leverage those tools to enhance their patch and vulnerability management efforts.
Why Patch and Vulnerability Management Shouldn’t Be a Top Cybersecurity Priority Today
Brian Romansky, chief innovation officer at Owl Cyber Defense, argued that security teams should recognize that software-based systems are inherently fragile and vulnerable, and that exploits will exist and persist against software. Software patching is just part of a vicious cycle. It only protects against the known threats and shouldn’t be a top priority for effective cybersecurity.
Cybersecurity professionals should instead focus on network segmentation and hardware-based security controls that can’t be commandeered by an attacker, Romansky said. This is how modern nation states protect critical defense and intelligence assets, and it’s becoming easier and more practical for commercial networks to apply the same level of protection.