Maintaining a robust security posture requires getting the basics right: multi-factor authentication (MFA), least privilege, zero trust, and early detection. Patching, however, keeps getting harder. With products from many different vendors in the IT environment, every update carries regression risk, and applying patches indiscriminately can sometimes do more harm than good.
Realistically, installing every software update as soon as it becomes available is not feasible. Several industry and government schemes instead set a target of roughly 14 days for applying critical and high-risk updates to internet-facing systems (the UK’s Cyber Essentials scheme, for example, requires this). “I think the days of trying to patch everything have kind of gone because it’s just so vast, and often so complex to do it,” says Hinchcliffe. “I don’t think it’s doable.”
Instead, organizations should prioritize the patches that matter most in their specific environment: what is exposed, what is actually being exploited, and what runs on the systems they care about. Threat intelligence, such as catalogs of vulnerabilities known to be exploited in the wild, combined with news reports on dangerous vulnerabilities, provides a good starting point for identifying which fixes to apply first.
In the past, security vendors would blame individuals for not patching and insist that everything be patched. It is unreasonable to expect large organizations to patch everything. For internet-facing systems, which are constantly scanned and targeted with known exploits, patching alone is not enough: additional visibility (logging and monitoring) and compensating controls should be in place for the window before a patch can be applied.
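The prioritization described above can be made concrete as a small triage step. The following is an added example, not code from the original article: it ranks open vulnerabilities by whether they are known to be exploited, whether the affected asset is internet-facing, and base severity, and attaches a remediation deadline to each. The asset inventory, vulnerability records, identifiers (VULN-1 and so on) and the known-exploited list are all constructed sample data; the 14-day deadline for internet-facing systems follows the text, and the other deadlines and the score weights are illustrative assumptions.

```python
"""Patch triage: rank vulnerabilities by exploitation evidence, exposure and
severity, and compute a remediation due date for each affected asset.

Added example; not from the original article. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    internet_facing: bool


@dataclass(frozen=True)
class Vuln:
    vuln_id: str        # placeholder identifier, not a real CVE
    product: str
    cvss: float         # base severity, 0.0-10.0
    disclosed: date


# Constructed stand-in for a threat-intelligence feed of vulnerabilities
# observed being exploited in the wild (a known-exploited catalog).
KNOWN_EXPLOITED = {"VULN-2", "VULN-3"}

# Assumed remediation deadlines in days from disclosure. The 14-day figure for
# internet-facing systems follows the article; the others are assumptions.
SLA_DAYS = {
    (True, True): 7,     # exploited, internet-facing
    (False, True): 14,   # not exploited, internet-facing
    (True, False): 30,   # exploited, internal
    (False, False): 90,  # not exploited, internal
}


def sla_days(vuln: Vuln, asset: Asset) -> int:
    return SLA_DAYS[(vuln.vuln_id in KNOWN_EXPLOITED, asset.internet_facing)]


def priority_score(vuln: Vuln, asset: Asset) -> float:
    """Higher is more urgent. Exploitation evidence outweighs raw severity,
    and exposure outweighs a few CVSS points (weights are assumptions)."""
    score = vuln.cvss
    if vuln.vuln_id in KNOWN_EXPLOITED:
        score += 10.0
    if asset.internet_facing:
        score += 5.0
    return score


def build_patch_queue(assets, vulns, today: date):
    """Join vulns to the assets running the affected product and return
    work items sorted by score (desc) then due date (asc)."""
    by_product = {}
    for a in assets:
        by_product.setdefault(a.product, []).append(a)
    queue = []
    for v in vulns:
        for a in by_product.get(v.product, []):
            due = v.disclosed + timedelta(days=sla_days(v, a))
            queue.append({
                "vuln": v.vuln_id,
                "asset": a.name,
                "score": priority_score(v, a),
                "due": due,
                "overdue": due < today,
            })
    queue.sort(key=lambda item: (-item["score"], item["due"]))
    return queue


# Constructed sample inventory and findings, evaluated at a fixed date.
TODAY = date(2024, 6, 1)
ASSETS = [
    Asset("edge-vpn-1", "vpn-gw", internet_facing=True),
    Asset("hr-db", "dbms", internet_facing=False),
    Asset("wiki-public", "wiki", internet_facing=True),
]
VULNS = [
    Vuln("VULN-1", "vpn-gw", 9.8, date(2024, 5, 12)),  # critical, not exploited
    Vuln("VULN-2", "dbms", 7.5, date(2024, 5, 22)),    # exploited, internal host
    Vuln("VULN-3", "wiki", 6.1, date(2024, 5, 29)),    # exploited, internet-facing
    Vuln("VULN-4", "dbms", 9.0, date(2024, 4, 22)),    # critical, not exploited
]


def demo_queue():
    return build_patch_queue(ASSETS, VULNS, TODAY)


if __name__ == "__main__":
    for item in demo_queue():
        flag = " OVERDUE" if item["overdue"] else ""
        print(f'{item["vuln"]:7} {item["asset"]:12} score={item["score"]:5.1f} '
              f'due={item["due"]}{flag}')
```

Note what the ordering shows: the medium-severity VULN-3 on the public wiki ranks first because it is both exploited and exposed, ahead of the unexploited 9.8-rated VPN flaw, while the 9.0 on the internal database comes last. The VPN item is also already past its 14-day deadline, which is exactly the kind of gap the threat-intelligence-driven view is meant to surface before a scanner does.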
While attackers have many ways to breach a company, and not all blame belongs with the breached organization, dwell time, the time taken to discover a breach, is the telling measure. The longer it takes, the more it suggests that something is wrong with the organization’s security setup, and the Chief Information Security Officer (CISO) should be held accountable for that.
Although managing a modern security stack can be challenging due to resource constraints and complexity, experts agree that no sympathy should be given to organizations that have been breached for years. Regardless of the sophistication of the threat actor, a long-standing breach indicates that a radical overhaul of the security setup is urgently needed.