When it comes to security, there are two disciplines that every organization should follow: producing secure code and practicing good cyber hygiene. As the developer produces code, it’s imperative to catch security weaknesses right away to avoid dealing with them downstream. For cyber hygiene, patch management will continue to be the most important proactive measure that organizations can take to protect their technology. Shift-left and shift-right principles are well understood and discussed within application security; we should extend them to device management as well.
Here’s why: Unpatched vulnerabilities remain one of the most common points of infiltration in today’s cyberattacks, whether an exploit results in a data breach or the successful delivery of ransomware. Security incidents caused by unpatched vulnerabilities will continue to increase due to the rapid shift to the cloud required to support the everywhere workplace the pandemic produced — and patch management, which was complicated already, is only going to get much more difficult. To illustrate, a recent survey found that vulnerability patching continues to contend with resource challenges and business reliability concerns, with 62% of respondents saying that patching often takes a backseat to their other tasks, and 60% saying that patching causes workflow disruption to users.
Clearly, this won’t work in the long term. We’re now living in a perimeterless world where the attack surface and exposure radius has significantly expanded. That is further compounded by the fact that the speed of vulnerability weaponization has significantly increased. In today’s world, organizations must consider all areas of potential exposure — from APIs, to containers, to the cloud and all the devices that access the network from different locations. As you can imagine, there is no way to manually collect, discover, and analyze this type of data in the amount of time required to deploy a patch before an unpatched vulnerability is exploited. It’s just not humanly possible.
We have made progress, though, as I stated in my previous article [link back to the present-day risk-based patch management article]. Patch management has evolved to be at a place where it is based on risk. That’s good, but it won’t be sufficient as vulnerabilities evolve and IT infrastructure and devices continue to sprawl across networks. For this reason, the future of patch management will depend on automation — or hyperautomation, to be more exact. Organizations need to be proactive and predictive in real time, to be able to identify, understand, and respond to patterns at machine speed to keep up with the sophistication of threat actors. If there is a known vulnerability, a known exploit, and a known solution, security teams need to have the ability to apply a solution proactively and predictively with very little human intervention.
Today, everyone is talking about MLOps (machine learning operations), AIOps (artificial intelligence operations), and DataOps (data operatons). These practices will start to matter less as we head toward operational efficiency through hyperautomation. We should expect to see a convergence of exposure management and threat analysis, where organizations can manage exposures in a more automated way by using tools such as artificial intelligence and machine learning to vet threat intelligence at machine speed with very little human intervention. There will be a human-in-the loop component, where automation will do most of the work and analysis and the human will just be the final arbiter who takes the appropriate action based on the analysis that was provided.
Over the next five years, we will see the widespread use of hyperautomation in patch management. Next year will be a particularly good year to watch for innovation in automation, but 2023 to 2025 will be the period when the industry will transition from risk-based patch management to hyperautomation. The recent transition to risk-based patch management similarly occurred over a two- to three-year period between 2018 and 2020. Next will be automation, and we’re not too far off. By 2025, we should see more security controls written as code and embedded in the software, such as with policy as a code, security as a code, and dev as a code. We will similarly see patch as a code, exposure as a code, and vulnerability enumeration as a code. The phrase “as a code” will be the buzzword of the next decade. And as it becomes the buzz moving forward, the industry will see great progress in embedding automation into software itself.
The future of patch management will be focused on automation, especially automating the vulnerability scanning process. We must treat patch management like we do preventive healthcare. Monitoring the health of our enterprise IT environments will only continue to grow in complexity, just like monitoring the health of an entire human population during a pandemic, so it’s time to start thinking about tools like automation.