Anthony (Tony) Sabaj is currently the Director of Channel Security Engineering for North America at Check Point, with over 25 years of experience in the Cyber/Information/Network security. Tony has been at Check Point since 2002 in a variety of sales and technical roles. Prior to joining Check Point, Tony was a Senior Product Manager at Telenisus, a startup MSSP/VAR in Chicago. In 2001 the MSSP business of Telenisus was sold to Verisign to start their MSSP business and the VAR business was sold to Forsythe to start their Security Practice. Tony joined Forsythe shortly after that acquisition as a Security Consultant and Certified Check Point trainer. Tony started his career with Arthur Andersen/Andersen Consulting, building their worldwide IP network, designing the security controls for the firm and helping build their external Security Consulting Practice.

In this outstanding expert interview, Check Point’s Head of Americas Channel SEs, Tony Sabaj, provides valuable insights into vulnerability and patch management trends. Leverage these tips within your organization to improve cyber security outcomes.

How are the trends that you are seeing around software updates/patch management assisting or hurting businesses?

Patch management has been top-of-mind since the era of client server computing. The significance of patch management has never been greater than it is today. Keeping software up-to-date through incremental patching provides access to new features, stability and better performance.  Although, none is more important or time sensitive than patching security vulnerabilities. A few trends assisting organizations in patch and vulnerability management are automation, SLAs, scheduled patching and Dev(Sec)Ops integration.

How should forward-looking CIOs, CTOs and CISOs advance their software update processes?

In general, a CIO is looking at patch management for stability and resiliency, a CTO is concerned with functionality and a CISO is focused on remediating security vulnerabilities. These desired outcomes can be at odds with each other. The C-suite needs to have coordinated policy in regards to patch management to balance stability, functionality and security.

A study conducted by the Ponemon Institute found that existing patches could have prevented 57% of cyber attacks. In that same study, 34% of respondents were aware of the security vulnerability prior to the attack.

In another study, conducted by Check Point Software, 75% of attacks used vulnerabilities disclosed more than four years ago and almost 20% used vulnerabilities greater than seven years-old. In fact, Cross Site Scripting (XSS) remains as one of the more exploited vulnerabilities; this particular technique has been in use for over 15 years.  Zero day threats, such as Log4j for example, can have catastrophic results. The Log4j flaw was exploited months before it was disclosed in late 2021 and very few security controls identified it before it was known. Once the vulnerability was remediated, organization around the world hurried to patch or put in place mitigating controls. Months after the patches were made available, 30% of internet facing Log4j instances remained unpatched and vulnerable.

All of this research shows us that maintaining a consistent and comprehensive patch management strategy, to not only mitigate zero day threats, but to inoculate against known and older vulnerabilities, is critical. Cyber criminals, with the exception of those conducting targeted attacks, will attempt to breach the easiest targets. Organizations vulnerable to older attacks with 1000’s of proven exploits are most at risk.

Are larger organizations at a disadvantage when it comes to software updates and patch management due to their complex or sometimes outdated infrastructure?

Larger organizations, by nature, will have more systems to account for. They will also have more resources with which to address the problems. With that said, the biggest challenge facing larger organizations is not the sheer number of systems, but the array of systems that increase the attack surface.  An organization will have traditional systems, servers and endpoints, but will also need to take into account cloud infrastructure, the number of platforms used, IoT and legacy systems. A small-to-medium size organization may mostly use the Windows platform for endpoints, servers and applications, requiring focus only on patching Windows products. As an organization grows, so does its attack surface, which may include Windows, Macs, iOS, Android, multiple flavors of Linux, closed systems, hundreds of applications (both commercial and open source), native cloud infrastructure and IoT devices. In 2021, Edgescan reported an “Increase in the occurrence of critical and high risk issues for larger organizations.”

One of the first challenges in larger organizations is to identify the assets that may be vulnerable. Scanning networks to find traditional systems is common, but how do you identify and catalog IoT devices, dynamic cloud infrastructure and roaming/remote endpoints? Non-traditional systems need to be address through IoT discovery, Cloud Security Posture Management and robust Unified Security and Endpoint Management. Far too often, organizations overlook the dynamic and hidden systems in their environment. They need to automate not only the discovery, but also the protection/patching of these numerous and dynamic systems.

Software updates/patch management are really just a single piece of the vulnerability management puzzle. Can you offer higher-level guidance around vulnerability management as a whole?

Patch management is a critical part of an overall vulnerability management strategy; it is not the complete picture. The first step is to identify not only the vulnerabilities, but also the attack surface in the organization. Missing or mis-identifying IoT, Cloud or Shadow IT environments can prove costly down the road. The next step is evaluating and prioritizing the vulnerabilities. Not all vulnerabilities are created equally. Vulnerabilities can be prioritized based on multiple variables, including severity (CVSS score), impact on the organization, and likelihood of exploit. The prioritization of the vulnerability is a function of these variables. For example, if a vulnerability has a CVSS score of 10 (critical), only exists on two systems that are not exposed outside the organization, and are not critical systems, it may have a lower priority than a vulnerability that has a CVSS score of 5, exists on 100’s of exposed systems and is key to the organization’s e-commerce platform. Thirdly, and most important, is remediation of the threats. In cases where patching known vulnerabilities is not possible for a variety of reasons, closed/regulated systems that cannot be patched, IoT, unmanaged devices or potential loss of service, just to name a few, virtual patching is an option. Virtual patching entails using security controls to prevent the exploitation of the vulnerability when patching the system is not feasible. Lastly, prevention and zero trust need to be at the forefront in any organization’s vulnerability management strategy.

What should executives know about the importance of software updates? How can business leadership and the board better support vulnerability management?

C-level executives need to build, budget and plan for software updates/patch management in their overall IT strategy. Organizations cannot wait for a problem or major vulnerability to appear before developing a plan for patch management. Organizations need to set mitigation SLAs based on the impact to the organization.

Vulnerability management also applies to the software supply chain, including vendor supplied patches and open source software. Organizations need to look at the track record of key IT vendors and response to security issues in their products. The use of open source software needs to be addressed with the same scrutiny as in-house developed systems.

Vulnerability management policies may also be required by industry and governmental regulation, compliance and cyber insurance policies. Patch/vulnerability management is not just a technology issue,  but also a financial and compliance concern.

Is there anything else that you would like to share with the CyberTalk.org audience?

Most organizations focus their patch/vulnerability management on traditional operating systems and applications. One of the most overlooked aspects of patch and vulnerability management concerns agile development, CI/CD, IaC, DevOps, DevSecOps, native cloud and containers. A robust vulnerability management program needs to address visibility into containers, Infrastructure as Code, formation scripts and native cloud solutions (functions, workloads).  These protections, applied to both the development and at runtime of these services, can greatly improve an organization’s vulnerability management and mitigation program by eliminating risk prior to application publishing or exposure. For further reading I highly recommend the “Guide to Enterprise Patch Management Planning: Preventative Maintenance for Technology” NIST Publication SP 800-40r4, here.

For more from CyberTalk.org that highlights Tony Sabaj’s expertise, click  here. Lastly, to receive more cutting-edge cyber security news, best practices and analyses, please sign up for the CyberTalk.org newsletter.