Rolling Vulnerability and Patch Management into Detection and Response

Among the predictions for the upcoming year that landed in our inbox here at Infosecurity, one of the most prominent was around vulnerabilities and patch management, and the potential for issues to be caused by the end of support for both Windows 7 and Windows 2008.

The issues around patching were further illustrated last week, when Microsoft's first patch release of the year fixed a CryptoAPI spoofing vulnerability that the NSA had disclosed to Microsoft.

Is 2020 set to be another troublesome year when it comes to vulnerabilities and the issues involved with fixing them? One company that has been prominent in the vulnerability management space for many years is Qualys, and last week Infosecurity was invited to attend its customer conference in London. At the end of November, the company announced plans to release a new technology aimed at completing the cycle of asset inventory, vulnerability and patch management and response, Vulnerability Management Detection and Response (VMDR), which is due for release at the end of February 2020.

Speaking at the conference, Prateek Bhajanka, Qualys’ VP of product management for VMDR, said that this will enable a “risk-based approach to vulnerability management.”

The company acknowledged the issues around vulnerability prioritization and deployment, with Bhajanka saying that the business believes in “solving the problem from the ground up” as companies are often overwhelmed with the number of vulnerabilities to be fixed. “They ask how they can identify those vulnerabilities that matter the most and may impact their organization,” he said.

Related difficulties are patches that supersede one another, and the question of whether the Common Vulnerability Scoring System (CVSS) can be used to decide what to patch, since a CVSS score measures severity rather than risk.
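As an added illustration of the two points above (not Qualys's method and not code from the article), the following constructed Python example collapses superseded patches and ranks findings by a risk score that adjusts CVSS severity for exposure and active exploitation; the weights, patch identifiers and findings are all assumptions made up for the example:

```python
from dataclasses import dataclass

@dataclass
class Vuln:
    vuln_id: str          # constructed identifier, not a real CVE
    cvss: float           # CVSS base score: a measure of severity
    patch: str            # patch (placeholder id) that fixes it
    internet_facing: bool
    exploited_in_wild: bool

# Constructed supersedence map: newer patch -> the older patch it replaces.
SUPERSEDES = {"KB-B": "KB-A"}

# Constructed findings: VULN-1 has the highest CVSS but sits on an internal
# host and its patch is already superseded; VULN-2 is exposed and exploited.
SAMPLE = [
    Vuln("VULN-1", 9.8, "KB-A", internet_facing=False, exploited_in_wild=False),
    Vuln("VULN-2", 7.5, "KB-C", internet_facing=True, exploited_in_wild=True),
    Vuln("VULN-3", 5.3, "KB-B", internet_facing=True, exploited_in_wild=False),
]

def latest_patch(patch, supersedes):
    """Follow the supersedence chain to the newest patch (assumes no cycles)."""
    newer = {old: new for new, old in supersedes.items()}
    while patch in newer:
        patch = newer[patch]
    return patch

def risk_score(v):
    """Turn severity into an illustrative risk score using exposure and
    exploitation as context; the weights are assumptions, not a standard."""
    score = v.cvss
    if v.exploited_in_wild:
        score *= 1.5      # actively exploited: treat as more urgent
    if not v.internet_facing:
        score *= 0.5      # internal-only host: reduced exposure
    return round(min(score, 10.0), 1)

def cvss_only_order(vulns):
    """Ordering by severity alone, for comparison with prioritize()."""
    return [v.vuln_id for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]

def prioritize(vulns, supersedes):
    """One entry per effective patch, ranked by the highest risk it removes."""
    per_patch = {}
    for v in vulns:
        p = latest_patch(v.patch, supersedes)
        per_patch[p] = max(per_patch.get(p, 0.0), risk_score(v))
    return sorted(per_patch.items(), key=lambda kv: kv[1], reverse=True)
```

Severity alone would put VULN-1 (and its superseded patch KB-A) first; the risk-based queue instead deploys KB-C first and KB-B once, covering both VULN-1 and VULN-3.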

Bhajanka said that a further difficulty in vulnerability and patch management is discovering new assets as they are added to the network, and maintaining real-time visibility into assets and their vulnerabilities; this led Qualys to develop VMDR.

Qualys’ president and chief product officer, Sumedh Thakar, said that this product launch is about the “end-to-end cycle of discovering devices, detecting vulnerabilities, prioritizing patches and deploying the patches as well.” He explained that these stages are often handled with multiple tools, so the product is intended to reduce the time to patch.

So with organizations often facing consistent headaches due to vulnerability and patch management, is this the way to better enable IT to be less vulnerable and more protected? Thakar said it was, adding that the number of vulnerabilities and patches “have significantly increased” along with the number of devices, and people want a single solution.

“On your laptop, there is no reason why you wouldn’t want all of your apps patched as soon as possible; you don’t want to have to wait for someone in IT to push the button as it can take days, weeks or months, and you stay vulnerable for a lot longer,” he said. “That is why our customers say that they want to reduce the level of exposure by reducing the time that the system remains unpatched.”

In conclusion, Thakar said that patches are invariably delayed because vulnerability management is caught between siloed teams. This has led users to say that they “want to eliminate the risk sooner,” that they don’t want critical vulnerabilities, “and can you just fix everything.”

Thakar pointed to Endpoint Detection and Response (EDR) as an example of how endpoint vendors added the two further functions of detection and response to their offerings. If the same approach enables companies to better spot and manage potentially vulnerable assets, and fix them sooner, we could be in for a more secure new decade.
