What’s Next for Patch Management: Automation

When it comes to security, there are two disciplines that any organization should follow: producing secure code and practicing good cyber hygiene. As the developer produces code, it is imperative to catch security vulnerabilities immediately to avoid dealing with them downstream. For cyber hygiene, patch management will continue to be the most important proactive measure that organizations can take to protect their technology. The Shift-Left and Shift-Right principles are well understood and widely discussed in application security; we should extend them to device administration as well.

Here’s why: Unpatched vulnerabilities remain one of the most common infiltration points in today’s cyber attacks, whether exploitation results in a data breach or in the successful delivery of ransomware. Security incidents caused by unremediated vulnerabilities will continue to increase because of the rapid shift to the cloud required to support the everywhere workplace the pandemic produced – and patch management, which was already complicated, will only become much more difficult. To illustrate this, a recent survey showed that vulnerability patching continues to struggle with resource challenges and business security concerns, with 62% of respondents saying that patching often takes a back seat to their other tasks, and 60% saying that patching causes disruption to users’ workflows.

Clearly, this will not work in the long run. We now live in a perimeterless world where the attack surface and the blast radius of exposure have expanded significantly. This is further exacerbated by the fact that the speed at which vulnerabilities are weaponized has increased markedly. In today’s world, organizations need to consider all areas of potential exposure – from APIs to containers, to the cloud and all the devices that access the network from different locations. As you can imagine, there is no way to manually collect, detect, and analyze this type of data in the time available to deploy a patch before an unpatched vulnerability is exploited. It’s just not humanly possible.

However, we have made progress, as I said in my previous article [link back to the present-day risk-based patch management article]. Patch management has evolved to become risk based. That’s fine, but it will not be enough as vulnerabilities evolve and IT infrastructure and devices continue to spread across networks. For this reason, the future of patch management will depend on automation – or hyperautomation, to be more precise. Organizations need to be proactive and predictable in real time, able to identify, understand, and respond to machine-speed patterns to keep up with the sophistication of threat actors. If there is a known vulnerability, a known exploitation and a known solution, security teams must be able to apply that solution proactively and predictably with very little human intervention.

Today, everyone is talking about MLOps (machine learning operations), AIOps (artificial intelligence operations) and DataOps (data operations). These practices will begin to mean less as we move toward operational efficiency through hyperautomation. We should expect to see a convergence of exposure management and threat analysis, where organizations can manage exposures in a more automated way using tools such as artificial intelligence and machine learning to study threat intelligence at machine speed with very little human intervention. There will be a human-in-the-loop component where automation will do most of the work and analysis, and the human will simply be the final judge taking the appropriate action based on the analysis provided.

Over the next five years, we will see the widespread use of hyperautomation in patch management. Next year will be a particularly good year to keep an eye on innovation in automation, but 2023 to 2025 will be the period when the industry goes from risk-based patch management to hyperautomation. The recent transition to risk-based patch management took place similarly over a period of two to three years between 2018 and 2020. Next is automation, and we are not that far away. In 2025, we should see more security checks written as code and embedded in the software, as with policy as code, security as code, and dev as code. We will similarly see patch as code, exposure as code and vulnerability enumeration as code. The phrase “as code” will be the buzzword for the next decade. And as that buzz builds, the industry will see great progress in integrating automation into the software itself.
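To make the "patch as code" idea concrete, here is an added example (not code from the author or from any product named on this page) of a remediation policy written as code. It takes the three conditions from the earlier paragraph, a known vulnerability, a known exploitation and a known solution, and decides per finding whether automation can apply the fix or whether the finding must go to the human-in-the-loop reviewer. Every hostname, CVE identifier, score and threshold in it is a constructed sample value, and the policy thresholds are assumptions a real team would set for itself.

```python
"""Hypothetical 'patch as code' decision policy (constructed example).

A findings feed (scanner output joined with threat intelligence) is evaluated
against a policy expressed as code. The policy decides, per finding, whether
remediation can be applied automatically or must wait for a human reviewer.
CVE identifiers, hostnames and scores are constructed, not real advisories.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class Action(Enum):
    AUTO_PATCH = "auto_patch"        # apply fix with no human intervention
    HUMAN_REVIEW = "human_review"    # queue for a reviewer to approve
    DEFER = "defer"                  # track, but no action in this cycle


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str                 # placeholder identifier, e.g. "CVE-0000-00001"
    cvss: float              # base score 0.0-10.0
    known_exploited: bool    # flag from the threat-intelligence feed
    fix_available: bool      # vendor patch published ("known solution")
    internet_facing: bool
    asset_tier: str          # "critical" (e.g. payment), "standard", "dev"


@dataclass
class Policy:
    """Thresholds are assumptions; a real policy would live in version control."""
    auto_patch_cvss: float = 9.0
    review_cvss: float = 7.0
    human_gate_tiers: tuple = ("critical",)   # never auto-patch these tiers
    change_freeze_hosts: tuple = ()


@dataclass
class Decision:
    finding: Finding
    action: Action
    reasons: List[str] = field(default_factory=list)


def evaluate(finding: Finding, policy: Policy) -> Decision:
    reasons: List[str] = []

    if not finding.fix_available:
        reasons.append("no vendor fix; needs mitigation review")
        # Exploited-without-fix is the one case that must reach a human now.
        action = Action.HUMAN_REVIEW if finding.known_exploited else Action.DEFER
        return Decision(finding, action, reasons)

    # Known vulnerability + known exploitation + known solution: the
    # candidate for machine-speed remediation.
    if finding.known_exploited:
        reasons.append("listed as actively exploited")
    if finding.cvss >= policy.auto_patch_cvss:
        reasons.append(f"CVSS {finding.cvss} >= auto-patch threshold")
    urgent = finding.known_exploited or finding.cvss >= policy.auto_patch_cvss

    if urgent:
        if finding.asset_tier in policy.human_gate_tiers:
            reasons.append(f"tier '{finding.asset_tier}' requires human approval")
            return Decision(finding, Action.HUMAN_REVIEW, reasons)
        if finding.host in policy.change_freeze_hosts:
            reasons.append("host under change freeze")
            return Decision(finding, Action.HUMAN_REVIEW, reasons)
        return Decision(finding, Action.AUTO_PATCH, reasons)

    if finding.cvss >= policy.review_cvss or finding.internet_facing:
        reasons.append("moderate severity or exposed; schedule in next window")
        return Decision(finding, Action.HUMAN_REVIEW, reasons)

    reasons.append("below thresholds; tracked only")
    return Decision(finding, Action.DEFER, reasons)


def triage(findings, policy: Policy) -> Dict[str, List[Decision]]:
    """Group decisions by action so the automation queue and the reviewer
    queue can be handed to different consumers."""
    buckets: Dict[str, List[Decision]] = {a.value: [] for a in Action}
    for f in findings:
        d = evaluate(f, policy)
        buckets[d.action.value].append(d)
    return buckets


# Constructed sample feed (hosts, CVE ids and scores are made up).
SAMPLE_FINDINGS = [
    Finding("web-01", "CVE-0000-00001", 9.8, True, True, True, "standard"),
    Finding("pay-01", "CVE-0000-00001", 9.8, True, True, True, "critical"),
    Finding("build-07", "CVE-0000-00002", 7.5, False, True, False, "dev"),
    Finding("db-03", "CVE-0000-00003", 5.3, False, True, False, "standard"),
    Finding("vpn-02", "CVE-0000-00004", 8.1, True, False, True, "standard"),
]
DEFAULT_POLICY = Policy(change_freeze_hosts=("db-03",))

if __name__ == "__main__":
    for action, decisions in triage(SAMPLE_FINDINGS, DEFAULT_POLICY).items():
        for d in decisions:
            print(f"{action:13} {d.finding.host:9} {d.finding.cve}: {'; '.join(d.reasons)}")
```

The design point is that the policy, not an operator, decides the common case: the exploited finding on the standard-tier web host lands in the automation queue, while the same finding on the critical-tier payment host, the exploited finding with no vendor fix, and the moderate-severity build host all land in the reviewer queue with a recorded rationale. Because the policy is code, changes to thresholds and gated tiers go through the same review and version control as any other change.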

The future of patch management will be focused on automation, in particular the automation of the vulnerability scanning process. We need to approach patch management as we do preventative health care. Monitoring the health of our company’s IT environments will only continue to grow in complexity, just as monitoring the health of an entire human population during a pandemic does, so it’s time to start thinking about tools like automation.

Part 1 of this series is here; Part 2 is here.

William
