When you consider the cost of patching vulnerabilities, it raises the question: Is all of this really necessary?
It turns out that it may not be.
At least, not in the way we’ve been used to doing it. With expertise in everything from MITRE ATT&CK to vulnerability exposure research, Fortra’s Tyler Reguly, Associate Director R&D, weighs in with what over two decades of experience has taught him about managing CVEs—for the real world.
To Patch or Not to Patch? That is the Problem.
A lot of companies will start out with a patch management program that covers everything, simply because it has been promoted as the “right thing to do.”
Notes Reguly, “Organizations have gotten it into their head, due to poorly written standards and benchmarks, that they need to patch every vulnerability or that they need to patch the wrong vulnerabilities due to poorly selected metrics.”
Consequently, they’ll grab an entry-level cybersecurity employee and put them on the job. Patching is fairly straightforward and constitutes busywork that needs to be done anyway. However, “Employees with limited experience in cybersecurity are going to have a difficult time understanding the risk associated with the vulnerabilities and will instead rely on the FUD [fear, uncertainty, and doubt] presented by the world around them,” he notes.
This wastes time, burns cycles, and drains resources that could be spent on the heavy-hitting threats. It also drives up costs, giving CVE management a heftier price tag than it needs to have.
Risk vs. Severity: The Key CVE Differentiator
So, if patching all CVEs is not necessary, how do you determine which ones are worth your time? It all depends on the conversation.
“Risk is a difficult concept to understand, and we’ve represented risk in multiple ways over the years,” states Reguly. “While CVSS now explicitly states that it is not a measure of risk, I have heard hundreds, if not thousands, of individuals speak to risk instead of severity.”
This is a key fallacy: every CVE carries some risk, but not every CVE has the same severity (or real impact) for a given organization. Prioritizing which need to be addressed swiftly and which can wait (or be overlooked entirely) is a matter of expertise, which is why who you hire matters.
Or, who you hire out to.
Internal vs. Outsourced CVE Management
The cost of CVE management can be dramatically affected by how you choose to go about staffing the job.
If you choose to go in-house, “It is important that the individuals involved in your vulnerability management program understand the environment,” Reguly says. This can greatly improve your efficacy in vulnerability management.
On the other hand, not all organizations have the luxury of having sufficient staff or sufficiently well-trained staff. For these occasions, hiring out to a capable MSSP that offers outsourced vulnerability management, along with CVE prioritization (like Fortra’s Patch Priority Index) and patch breakdowns (Fortra’s Patch Tuesday Analysis) can be a huge benefit and bring the program within range of even smaller companies.
And it doesn’t stop there.
Can Outsourcing CVE Management Save You Money?
The short answer is yes, and in more ways than one.
Outsourcing the management of your CVEs has proven financial merits. According to a recent industry report, organizations saved an average of $2.1M by partnering with an external provider to mitigate CVE-based risk. Midmarket entities saved the most, at $2.13M, with larger entities pocketing just under $2M.
Exploring the “Golden Image”
Part of the savings comes from implementing “golden image” programs that set up standardized, pre-configured blueprints for consistently deploying reliably safe environments. Per the same report, savings here total $400,000.
But before you jump in, there are pros and cons to consider. First, how often are you updating your golden image? Many companies opt to do it yearly, but that cadence can undercut an organization's ability to apply needed updates and changes quickly, especially given the breakneck pace at which threats and technologies evolve. Ultimately, Reguly asserts that it all comes down to security's stake in the matter:
“I think the success of a golden image program depends on the implementation and whether it is an IT-only program or if cybersecurity is involved in the planning and maintenance.”
Cost Savings in Compliance
Another way third-party CVE management can cut costs is via compliance, where the report revealed an average savings of over a quarter-million dollars annually. In addition to straight savings, being fully compliant opens up new business opportunities in places that were once closed due to regulatory barriers.
The Trick to CVE Management: Sharing the Load with Other Solutions
“The reality is that there are too many vulnerabilities to chase every CVE that is identified during a scan,” Reguly insists. He suggests instead pairing security configuration management programs and asset management with vulnerability management to give organizations more holistic protection of their assets.
Not only does this ease the burden of endless CVE chasing, but it gives teams a chance to use their tools and understand their environment better, bringing an improved skillset to the table for a more sustainable approach. At the end of the day, “Consulting with external experts who can help you with prioritizing and understanding risk can be beneficial, but you cannot effectively manage the risk in an environment if you don’t understand the environment,” he concludes.
That’s why partnering with a capable managed security services provider and acquiring the right solutions is the sound approach, empowering in-house teams to handle CVEs smarter and with greater strategy.
And while that might mean not patching every single CVE, it does mean patching the ones that count.