Most organizations are at risk of attack via exploitable vulnerabilities in unpatched systems and applications. However, appropriately managing these vulnerabilities through patch management alone is quickly becoming infeasible. Implementing a zero trust security strategy using a software-defined perimeter (SDP) – also called zero-trust network access (ZTNA) – can enable an organization to manage its cybersecurity risk in a scalable and sustainable fashion.
Software Vulnerabilities are Continuing to Rise
The COVID-19 pandemic had a significant impact on vulnerability detection and reporting in early 2020. Organizations and security researchers focused on maintaining normal operations despite a sudden transition to remote work. As a result, reported vulnerabilities in the first part of 2020 were significantly lower than in 2019.
However, the rest of the year more than made up for the slow rate of vulnerability detections in the first part of the year. In addition to high-profile vulnerabilities like Zerologon, at least 23,269 new vulnerabilities were discovered and reported in 2020. This is less than 1% lower than 2019, indicating that 2020 vulnerabilities – when fully counted – are likely to exceed the previous year despite the COVID-19 pandemic.
Patch-Driven Vulnerability Management is Unsustainable
Vulnerabilities are flaws in software that can be corrected by applying a patch released by the vendor. While ideally all vulnerabilities would be detected and remediated pre-release, many slip through to production. While no organization will need to apply all 23,000+ patches released in 2020, applying even a small percentage to an organization’s systems creates a significant burden for a security team.
In addition to the sheer volume of patches released each year, organizations face other challenges as well that make it difficult to manage newly discovered vulnerabilities via patching, including:
- Incomplete Vulnerability Listings: The Common Vulnerabilities and Exposures (CVE) list is intended to be the master list of all discovered and publicly reported vulnerabilities. However, this list consistently fails to include all public vulnerabilities. In 2020, Risk-Based Security found that the CVE list was missing 29% of known vulnerabilities. This means that organizations relying on this list to determine which vulnerabilities require attention may overlook crucial vulnerabilities.
- Unreleased Patches: Patching a vulnerability is the best way to protect a system against its exploitation, but this approach only works if the vendor actually releases a patch. For nearly a quarter of vulnerabilities disclosed in 2020, no patch has been released by the vendor. These vulnerabilities are publicly known – meaning that cybercriminals can develop exploits for them – but security teams’ ability to close them is limited.
- Inadequate Patches: Vulnerability patches are intended to completely close a potential attack vector, making it impossible to exploit. However, this is not always the case. According to Google, 25% of all zero-day exploits in 2020 were variations of old attacks that took advantage of improperly designed and applied patches.
- Patch Surges: In 2020, 7% of all patches were released on the same three days by major vendors like Microsoft and Oracle. This means that security teams were overwhelmed on these days by the sheer volume of patches that they needed to test and apply. As they worked to catch up, cybercriminals could exploit unpatched systems with publicly known vulnerabilities.
- Lack of Vulnerability Visibility: Organizations often only have visibility into the application code written in-house; however, this is only the tip of the iceberg. The average application has many dependencies, and each of these can contain exploitable vulnerabilities. This makes it much more difficult for an organization to determine which applications require patching and to actually perform the required updates.
- Understaffed Security Teams: The cybersecurity industry is suffering from a significant skills gap, which makes it difficult for organizations to attract and retain the security talent that they require. As a result, understaffed security teams frequently need to choose between applying patches and protecting the organization’s network against active threats.
With massive numbers of new vulnerabilities reported each year (an average of 70 per day) and a number of additional challenges, attempting to manage vulnerabilities solely through patch management is an unsustainable plan. To minimize cybersecurity risk, organizations must limit the attack surface and exposure of potentially exploitable applications and systems.
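The "tip of the iceberg" problem in the dependency item above is easiest to see by running a scan two ways: once over the libraries the in-house code imports directly, and once over everything those libraries pull in. The script below is an added illustration written for this article, not a tool from any vendor mentioned here; the dependency graph, version numbers and advisory feed are constructed sample data with placeholder ids (not real packages or CVE numbers). It also models the "no vendor patch released" case with an advisory whose fixed_in is None.

```python
from collections import deque

# Constructed dependency graph: the in-house code plus what each library
# pulls in. Package names and version strings are made up for illustration.
DEPENDENCY_GRAPH = {
    "inhouse-app":     {"web-framework": "2.4.0", "db-client": "1.9.1"},
    "web-framework":   {"template-engine": "3.0.2", "http-parser": "0.8.5"},
    "db-client":       {"tls-lib": "1.2.0"},
    "http-parser":     {"tls-lib": "1.1.7"},   # pins an older tls-lib than db-client does
    "template-engine": {},
    "tls-lib":         {},
}

# Constructed advisory feed with placeholder ids (not real CVE numbers).
# fixed_in None models a publicly known flaw for which no vendor patch exists.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "package": "tls-lib",         "fixed_in": "1.2.0"},
    {"id": "ADV-PLACEHOLDER-2", "package": "http-parser",     "fixed_in": "0.9.0"},
    {"id": "ADV-PLACEHOLDER-3", "package": "template-engine", "fixed_in": None},
]


def parse_version(v):
    """Dotted numeric versions only; sufficient for the constructed data."""
    return tuple(int(part) for part in v.split("."))


def resolve(root, graph=DEPENDENCY_GRAPH, max_depth=None):
    """Breadth-first walk from `root`. Returns {(package, version): path},
    where path is the chain of packages that introduced that exact version.
    max_depth=1 models a scan that only looks at direct dependencies."""
    limit = float("inf") if max_depth is None else max_depth
    found = {}
    queue = deque([(root, [root])])
    while queue:
        pkg, path = queue.popleft()
        if len(path) - 1 >= limit:       # do not descend past the requested depth
            continue
        for dep, ver in graph.get(pkg, {}).items():
            key = (dep, ver)
            if key in found:             # same package at the same version already recorded
                continue
            found[key] = path + [dep]
            queue.append((dep, path + [dep]))
    return found


def find_vulnerable(found, advisories=ADVISORIES):
    """Match every resolved (package, version) against the advisory feed."""
    hits = []
    for (pkg, ver), path in found.items():
        for adv in advisories:
            if adv["package"] != pkg:
                continue
            fixed = adv["fixed_in"]
            if fixed is None or parse_version(ver) < parse_version(fixed):
                hits.append({
                    "id": adv["id"],
                    "package": pkg,
                    "version": ver,
                    "path": " -> ".join(path),
                    "direct": len(path) == 2,          # root -> dep means a direct import
                    "patch_available": fixed is not None,
                })
    return hits


if __name__ == "__main__":
    direct = find_vulnerable(resolve("inhouse-app", max_depth=1))
    full = find_vulnerable(resolve("inhouse-app"))
    print(f"direct-only scan: {len(direct)} finding(s)")
    print(f"transitive scan:  {len(full)} finding(s)")
    for h in full:
        status = "patch available" if h["patch_available"] else "NO VENDOR PATCH"
        print(f"  {h['id']}: {h['package']} {h['version']} via {h['path']} [{status}]")
```

With this data the direct-only scan reports nothing, while the transitive scan finds three affected packages, one of which has no fix to apply; note also that tls-lib appears twice at different versions because two libraries pin it differently, which is exactly the kind of detail a per-application patch list tends to miss.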
Limiting Vulnerability Exploitability With Zero Trust
All organizations implement various levels of trust within their networks. A company won’t connect its database server directly to the public Internet for fear of having sensitive customer information exposed in a breach. Instead, this data is protected and only accessible via applications or by trusted systems within the network.
A zero-trust security strategy – implemented using SDP/ZTNA – can extend this same mentality to all of an organization’s assets. By limiting access to systems and applications based upon role-based access controls, an organization makes it much more difficult for a malicious actor to access them.
Zero trust and SDP also provide a more scalable solution to managing the risk associated with vulnerable systems. While a system protected by SDP may still be exploitable if the appropriate patch has not been applied, an attacker has a much more difficult time accessing the system to exploit it. Implementing zero trust security is essential to scalable vulnerability and cybersecurity risk management.
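The argument of the last two paragraphs can be made concrete with a small default-deny policy evaluator of the kind an SDP/ZTNA controller applies before a client is allowed to reach a service at all. This is an added example written for this article, not the policy model or API of any SDP/ZTNA product; the identities, roles, device attributes, resources and patch-level scale are constructed. The point it shows is that the same service, patched or not, is reachable only by the identities the policy names, and that a service nobody has written a policy for is reachable by no one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One access request as the controller sees it (constructed fields)."""
    user: str
    roles: frozenset
    mfa: bool
    device_managed: bool
    device_patch_level: int   # constructed scale: higher means more current
    resource: str


# Constructed policy table. A resource with no entry is unreachable: default deny.
POLICY = {
    "internal-wiki":    {"roles": {"employee", "dba"}, "require_mfa": False, "min_device_patch": 1},
    "db-admin-console": {"roles": {"dba"},             "require_mfa": True,  "min_device_patch": 5},
}


def evaluate(req, policy=POLICY):
    """Evaluate one request; returns (allowed, reason).
    Checks are ordered so the first failing condition becomes the logged reason."""
    rule = policy.get(req.resource)
    if rule is None:
        return False, "no policy for resource (default deny)"
    if not req.roles & rule["roles"]:
        return False, "role not authorized for resource"
    if rule["require_mfa"] and not req.mfa:
        return False, "mfa required"
    if not req.device_managed:
        return False, "unmanaged device"
    if req.device_patch_level < rule["min_device_patch"]:
        return False, "device patch level below policy minimum"
    return True, "allowed"


def decide(req, audit_log, policy=POLICY):
    """Evaluate and record the decision. The audit log is what a SOC would
    alert on, for example a burst of denials from a single identity."""
    allowed, reason = evaluate(req, policy)
    audit_log.append({"user": req.user, "resource": req.resource,
                      "allowed": allowed, "reason": reason})
    return allowed


def reachable_population(requests, policy=POLICY):
    """How many requesters can actually reach their target under the policy.
    On a flat internal network the answer would be len(requests)."""
    return sum(1 for r in requests if evaluate(r, policy)[0])


def denials_by_user(audit_log):
    """Per-identity denial counts, a simple detection input."""
    counts = {}
    for entry in audit_log:
        if not entry["allowed"]:
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return counts


# Constructed population, all trying to reach the same console.
SAMPLE_REQUESTS = [
    Request("contractor-1", frozenset({"contractor"}), False, False, 0, "db-admin-console"),
    Request("employee-7",   frozenset({"employee"}),   True,  True,  6, "db-admin-console"),
    Request("dba-2",        frozenset({"dba"}),        False, True,  6, "db-admin-console"),
    Request("dba-3",        frozenset({"dba"}),        True,  True,  2, "db-admin-console"),
    Request("dba-4",        frozenset({"dba"}),        True,  True,  6, "db-admin-console"),
]

# An older service that has no policy entry yet: unreachable for everyone.
LEGACY_REQUEST = Request("employee-7", frozenset({"employee"}), True, True, 6, "legacy-reporting")


if __name__ == "__main__":
    log = []
    for r in SAMPLE_REQUESTS + [LEGACY_REQUEST]:
        decide(r, log)
    print(f"flat network: all {len(SAMPLE_REQUESTS)} requesters would reach the console")
    print(f"zero trust:   {reachable_population(SAMPLE_REQUESTS)} of {len(SAMPLE_REQUESTS)} reach it")
    for entry in log:
        print(entry)
    print("denials by user:", denials_by_user(log))
```

Of the five constructed requesters, only one satisfies role, MFA and device checks, so the console's exposure drops from everyone on the network to that single identity regardless of its patch state, and every rejected attempt leaves a log entry with the reason, which is the visibility that makes a later patch decision a prioritization question rather than an emergency.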