Ashis Das Vulnerability Management Patch Presentation V2 PDF

The document outlines the importance of vulnerability management and patching in cybersecurity, emphasizing the need for proactive measures to secure endpoint devices. It details the components of vulnerability management, including asset inventory, risk assessment, and the patching process, while highlighting the consequences of unpatched systems. Additionally, it provides insights into the types of patches and their significance in protecting organizational assets from cyber threats.

Uploaded by

Bharath Venkat
Copyright: © All Rights Reserved

whoami > ashis das
• Over 25 years of experience in enterprise IT and cybersecurity, across private, public, and startup organizations.
• For the past 9 years, my focus has been on endpoint management and security.
• My focus lies in securing and supporting endpoint devices, from thin clients to cloud server endpoints, emphasizing proactive vulnerability management through secure configuration and effective patching strategies.
Vulnerability Management Patch Presentation
In today’s rapidly evolving cybersecurity landscape, effective vulnerability management is crucial for protecting your organization’s assets.
This presentation will delve into the critical role of patching as part of a vulnerability management program.
Understanding Vulnerabilities
• Definition
• Common Sources
• Impact of Vulnerabilities
Understanding Vulnerabilities > Definition
• Weakness in an information system that a threat actor can leverage in a way that has security implications.
Understanding Vulnerabilities > Common Sources > Examples
Outdated software
• Bugs in OS or application software
• Code logic
• Poor software design
Misconfigurations or implementation
• Low password complexity
• No encryption or weak encryption for data at rest or data in flight
• Low LAN segmentation
Human error
• Reusing passwords across systems
• Phishing
• Social engineering
Understanding Vulnerabilities > Impact of Vulnerabilities > Unpatched Systems
Per CrowdStrike, 90% of successful cyberattacks originate at the endpoint.
Per a survey of 318 firms:
• 80% of companies who had a data breach or failed an audit could have prevented it by patching or doing system configuration updates.
• 20% of all vulnerabilities caused by unpatched software are classified as high risk or critical.
• 46% of companies took longer than 10 days to apply patches across their environment.
High profile examples:
• 2016 – MemCache – Led to DDoS attacks.
• 2021 – Log4J, 10% of systems.
• 2022 – Exchange Server, 40 million people in UK personal data leaked.
Understanding Vulnerabilities > Impact of Vulnerabilities > Unpatched Systems
Old disclosed vulnerabilities on unpatched systems are often the target of cyberattacks.
• Most of the common vulnerabilities targeted every year were publicly disclosed during the previous years.
Reasons:
• The number of exploited vulnerabilities is constantly increasing.
• A lack of time and resources to patch the ever-increasing number of endpoints in an enterprise.
Components of Vulnerability Management
• Asset Inventory
• People
• Remediation and Mitigation
• Risk Assessment
Components of Vulnerability Management > Asset Inventory
All IT and cybersecurity frameworks, standards, and guidelines always mention having a proper asset inventory as part of their recommendations.
“You can’t protect what you don’t know about.”
Components of Vulnerability Management > Asset Inventory > Digital
Traditional Hardware
• User endpoints
  • Smart mobile devices, laptops, desktops
• Server endpoints
  • On-premise (dedicated and hypervisors)
  • Cloud (bare metal and hypervisors)
  • Appliances (turnkey specialized servers)
Components of Vulnerability Management > Asset Inventory > Digital
Non-Traditional Hardware
• Industrial Control Systems (ICS)
• Operational Technology (OT)
• Printers
• Digital Signage
• Gaming
• Household Appliances
• Network Infrastructure*
  • Switches
  • Routers
  • Firewalls
  • Gateways
  • VPN Concentrators
  • Load Balancers
  • Proxies
* Document all your private and public IP addresses
Components of Vulnerability Management > Asset Inventory > Digital
Software
• Operating Systems
  • Desktops - Windows, macOS, Linux
  • Mobile - Android, iOS, iPadOS, Linux
  • Server - Linux, Windows, UNIX, Mid Range, Main Frame
• Server Services/Applications
  • Authentication/Authorization – Active Directory, Azure Entra, DUO, Okta
  • Web Services - IIS, Apache, Java Servlet, web components
  • Collaboration - Exchange, Lotus Notes, SharePoint, Teams, Zoom, WebEx
  • Storage – File, Block, Object
  • Database - SQL and Non-SQL
  • Shared Libraries/Components - Proprietary, Open Source, SBOM
• Application Programming Interfaces (API)
Components of Vulnerability Management > Asset Inventory > Digital
• Cloud Services (XaaS)
  • Infrastructure as a Service (IaaS)
  • Platform as a Service (PaaS)
  • Software as a Service (SaaS)
  • Serverless Computing
  • Storage as a Service (STaaS)
  • Database as a Service (DBaaS)
  • Network as a Service (NaaS)
  • Artificial Intelligence (AI) and Machine Learning (ML) as a Service
  • Security as a Service (SECaaS)
  • Backup and Disaster Recovery Services (BaaS)
Components of Vulnerability Management > Asset Inventory > Location
• Home
• Coffee Shop
• Offices (Headquarters, Regional Offices and Branches)
• Data Center / Co-Location
• Cloud
• Stores, Warehouses, and Factories
• Field
  • Land
  • Water
  • Air
  • Space
Connectivity and bandwidth become very important when trying to patch the digital assets in different types of locations.
Components of Vulnerability Management > Asset Inventory > CMDB
Hopefully in your organization, your digital:
• Hardware
• Software
• Cloud
assets are being tracked in a Configuration Management Database (CMDB), and the CMDB is kept up to date as assets are added and removed.
Components of Vulnerability Management > Asset Inventory > Digital
Knowing what comprises your digital landscape, where those assets exist in your enterprise, how they are interconnected, and the criticality ranking of those assets to your organization will help you better protect the information behind them.
Layers 2 to 7
• Applications
• Operating System Services
• Network Stack
Layer 8
• People (Stakeholders)
Components of Vulnerability Management > People (Stakeholders)
End Users
• Blue Collar
• White Collar
• Managers
• Executives
• Contractors
• Developers
Platform Admins
• Desktop
• Server
• Applications
• File Services
• Databases
• Network
IT Ops
• Help Desk
• Data Center
• Cloud
Sec Ops
• GRC
• Risk Management
• Incident Response
• Threat Intel
• Analyst
“The 8th Layer of the OSI Model is the People (Stakeholders).”
Components of Vulnerability Management > Overview
Change Management System (ITAM/ITOM)
Vulnerability Management Lifecycle: Collect Data > Analyze Data > Make Recommendations > Implement Recommendations > back to Collect Data
Components of Vulnerability Management > Risk Assessment > Collect Data
Collect data from internal or external sources to determine the vulnerabilities that exist on assets via scanning.
Components of Vulnerability Management > Risk Assessment > Analyze Data
Analyze collected scan data as well as security-related data from other sources. Use culling and ranking to prioritize what you want to fix.
Components of Vulnerability Management > Risk Assessment > Analyze Data
Internal Sources
• Quantitative Asset Risk Ranking
• Qualitative Asset Risk Ranking
External Sources
• NIST – Common Vulnerabilities and Exposures (CVE) data, CVE Details.
• Common Vulnerability Scoring System (CVSS) 1-10
• CISA Known Exploited Vulnerabilities (KEV)
• Proprietary scoring from VM vendors
  • Tenable - Vulnerability Priority Rating (0 to 40)
  • Qualys - Qualys Detection Score (1 to 100)
  • Rapid7 - Active Risk Score (0 to 1000)
• Exploit Database - https://www.exploit-db.com/
• Metasploit Database - https://docs.rapid7.com
• Threat Intelligence Feeds (OpenIOC, STIX, CybOX, and YARA)
Components of Vulnerability Management > Analyze Data
1) Initial CVE List
2) Cull: CVSS < 5 or KEV
3) Culled CVE List: rank by exploitability (CVSS or KEV)
4) Combined with Asset List: sort by asset criticality with exploitable vulnerabilities and by total vulnerability severity
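The culling and ranking flow above, carried through in code as an added example (this is not code from the presentation). It reads "Cull CVSS < 5 or KEV" as: drop a finding when its CVSS score is below 5 unless it appears in the KEV catalogue, and "rank by exploitability" as: KEV entries first, then higher CVSS first. The CVE ids, CVSS scores, asset names, criticality values and the KEV set are constructed sample data, not real catalogue extracts.

```python
"""Cull, rank, and sort scan findings by asset criticality (added example)."""
from dataclasses import dataclass

# Constructed stand-in for CISA KEV membership (placeholder ids, not real CVEs).
KEV = {"CVE-0000-0002", "CVE-0000-0005"}


@dataclass
class Finding:
    cve: str
    cvss: float  # CVSS base score, 0-10


@dataclass
class Asset:
    name: str
    criticality: int  # from the asset inventory: 1 (low) .. 5 (most critical)
    findings: list    # list of Finding from the vulnerability scan


def cull(findings, kev=KEV, threshold=5.0):
    """Step 2: drop findings scored below the threshold unless they are in KEV.
    A low CVSS score does not make a vulnerability safe when it is known to be
    exploited in the wild, so KEV membership overrides the cut-off."""
    return [f for f in findings if f.cvss >= threshold or f.cve in kev]


def rank(findings, kev=KEV):
    """Step 3: order by exploitability: KEV entries first, then CVSS descending."""
    return sorted(findings, key=lambda f: (f.cve in kev, f.cvss), reverse=True)


def prioritize(assets, kev=KEV):
    """Step 4: combine with the asset list and sort assets by criticality, then
    by whether they carry a KEV (exploitable) vulnerability, then by the total
    CVSS of the surviving findings. Returns (name, ranked cves, has_kev, total)."""
    scored = []
    for asset in assets:
        kept = rank(cull(asset.findings, kev), kev)
        has_kev = any(f.cve in kev for f in kept)
        total = round(sum(f.cvss for f in kept), 1)
        scored.append((asset, kept, has_kev, total))
    scored.sort(key=lambda s: (s[0].criticality, s[2], s[3]), reverse=True)
    return [(a.name, [f.cve for f in kept], has_kev, total)
            for a, kept, has_kev, total in scored]


# Constructed sample inventory joined with scan findings.
SAMPLE_ASSETS = [
    Asset("dc01", 5, [Finding("CVE-0000-0001", 4.3), Finding("CVE-0000-0003", 7.5)]),
    Asset("web01", 3, [Finding("CVE-0000-0002", 3.1), Finding("CVE-0000-0004", 9.8)]),
    Asset("kiosk07", 1, [Finding("CVE-0000-0005", 8.8), Finding("CVE-0000-0006", 2.0)]),
    Asset("db02", 5, [Finding("CVE-0000-0007", 9.1), Finding("CVE-0000-0002", 3.1)]),
]

if __name__ == "__main__":
    # Work list, most urgent first: db02, dc01, web01, kiosk07
    for name, cves, has_kev, total in prioritize(SAMPLE_ASSETS):
        print(f"{name:8} kev={str(has_kev):5} total_cvss={total:5} fix={cves}")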
Components of Vulnerability Management > Make Recommendations
Recommendations will usually be patching or remediation/mitigation.
Components of Vulnerability Management > Make Recommendations
Recommendations will usually be patching and remediation/mitigation.
1) Patching – Apply updates to resolve bugs or address vulnerabilities on assets.
2) Remediation/Mitigation – Reactive
  • Logical
    • Application based
    • Host based (system settings)
    • Network based (FW, IPS, Quarantine, Isolated Network)
    • Temporarily or permanently remove asset
  • Physical (Off-Network, block ports (USB, Camera))
3) Systemic Measures – Proactive (e.g., CIS Controls, OWASP Top 10)
4) Accept the Risk – aka Risk Acceptance
Components of Vulnerability Management > Implement Recommendations
Implement patching and remediation/mitigation with stakeholders.
Components of Vulnerability Management > Review Findings
Review findings from implementation via dashboards or reports.
Components of Vulnerability Management > Start Again
Vulnerability Management Lifecycle begins again.
Components of Vulnerability Management > Lifecycle Starts Again
Security team typically performs vulnerability scans > Vulnerability findings > IT team typically performs patching and remediation/mitigation
Components of Vulnerability Management > Risk Assessment
Change Management System (ITAM/ITOM)
Vulnerability Management Lifecycle step > Risk Assessment activity:
• Collect Data > Identify critical assets
• Analyze Data > Identify & rank risks
• Make Recommendations > Identify controls
• Implement Recommendations > Implement controls
Role of Patching in Vulnerability Management
• Definition of Patching
• Types of Patches
• Importance of Patching
Role of Patching in Vulnerability Management > Definition of Patching
• Applying patch updates to resolve bugs and address vulnerabilities.
• Bugs are flaws in code logic or poor software design.
• Vulnerabilities are weaknesses in an information system that a threat actor can leverage in a way that has security implications.
Role of Patching in Vulnerability Management > Types of Patches
• Security Patches
• Feature Updates
• Bug Fixes
Role of Patching in Vulnerability Management > Types of Patches
Microsoft
• Critical Update: A fix for a critical, non-security-related issue that affects system functionality.
• Security Update: Addresses vulnerabilities in Microsoft products and is rated by severity (Critical, Important, Moderate, or Low).
• Definition Update: Updates to definition databases, such as those used for detecting malware or phishing websites.
• Driver Update: Updates for software that controls hardware devices.
• Feature Pack: Introduces new functionality outside of a product's regular release cycle.
• Service Pack: A cumulative set of updates, including hotfixes, security updates, and additional fixes.
• Update Rollup: A collection of updates packaged together for easier deployment.
• Monthly Rollup: A cumulative set of updates released monthly, targeting specific areas like security or product components.
Role of Patching in Vulnerability Management > Types of Patches
LINUX – varies by distribution
• Security Updates: These patches address vulnerabilities that could compromise the system's security. They are often rated by severity (Critical, Important, Moderate, or Low).
• Bug Fixes: These patches resolve issues in the software that affect functionality or performance.
• Feature Updates: Introduce new features or enhancements to the system.
• Kernel Updates: Specific patches for the Linux kernel, which is the core of the operating system.
• Performance Improvements: Optimize system performance by addressing inefficiencies.
• Compatibility Updates: Ensure compatibility with new hardware or software.
Role of Patching in Vulnerability Management > Types of Patches
Apple
• Security Updates: These address vulnerabilities in Apple software and are critical for protecting devices from potential threats.
• Rapid Security Responses: Introduced to quickly address specific security issues without waiting for a full software update.
• Feature Updates: These introduce new features or enhancements to Apple devices, often included in major iOS, macOS, or other OS updates.
• Bug Fixes: Resolve issues that affect the functionality or performance of Apple software.
• Compatibility Updates: Ensure compatibility with new hardware, software, or third-party applications.
Role of Patching in Vulnerability Management > Importance of Patching
• Timely patching acts as a proactive shield, reducing the likelihood of incidents and the potential impact they could have on your organization. It’s like locking your doors and windows before someone tries to break in!
• Fixes Security Vulnerabilities: Patches often address known vulnerabilities in software or systems. By applying them promptly, you reduce the window of opportunity for attackers to exploit those weaknesses.
• Prevents Exploits: Cybercriminals frequently target unpatched systems because they know the vulnerabilities are publicly documented. Timely patching ensures you're ahead of their attempts.
• Protects Sensitive Data: Many attacks aim to access or compromise sensitive data. Patching helps safeguard against breaches that could lead to data theft or loss.
• Maintains System Integrity: Unpatched systems can be exploited to install malware or disrupt operations. Timely updates help maintain the stability and reliability of your systems.
• Compliance: Many industries have regulations requiring up-to-date systems. Regular patching helps you stay compliant and avoid penalties.
• Reduces Costs: The cost of a breach, both financial and reputational, can far outweigh the effort of applying patches in a timely manner.
Patching Process
• Patch Discovery
• Testing
• Deployment
• Verification
Patching Process > Overview
Change Management System (ITAM/ITOM)
Patch Management Lifecycle: Patch Discovery > Testing > Deployment > Verification > back to Patch Discovery
Patching Process > Patch Discovery
How the patches are identified: patch scan process or via advisories.
Patching Process > Testing
Ensuring patches do not disrupt operations. Utilize deployment rings (Dev > Test > UAT > Prod).
Patching Process > Deployment
Methods and tools for deploying patches. Identify patches to be deployed based on type classification and compatibility.
Patching Process > Verification
Confirm patches have been applied successfully via patch and/or vulnerability tool dashboard and reporting.
Patching Process > Start Again
Patch Management Lifecycle begins again, based on the vendor patch release cycle.
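The Testing, Deployment and Verification steps above, tied together as one promotion gate in an added example (not code from the presentation): a patch moves to the next deployment ring only when the verification data reported for every earlier ring meets a success threshold and no device had to back the patch out. The device names, the patch id PATCH-EXAMPLE-001, the 95% threshold, and the inventory snapshot are constructed placeholders standing in for what a patch or vulnerability tool's reporting would return.

```python
"""Gate a patch through deployment rings using verification data (added example)."""
from dataclasses import dataclass

RINGS = ["Dev", "Test", "UAT", "Prod"]   # order in which the patch is promoted
PATCH = "PATCH-EXAMPLE-001"              # placeholder patch identifier


@dataclass
class Device:
    name: str
    ring: str
    installed: set            # patch ids the patch/vulnerability tool reports as applied
    rolled_back: bool = False # patch was backed out because it caused an issue


@dataclass
class RingResult:
    ring: str
    targeted: int   # devices in the ring the patch was deployed to
    verified: int   # devices where the tool confirms the patch is installed
    rollbacks: int  # devices where the patch had to be removed


# Constructed inventory snapshot taken after deploying PATCH to Dev and Test.
INVENTORY = [
    Device("dev-01", "Dev", {PATCH}),
    Device("dev-02", "Dev", {PATCH}),
    Device("test-01", "Test", {PATCH}),
    Device("test-02", "Test", {PATCH}),
    Device("test-03", "Test", set()),   # verification shows the patch missing
    Device("uat-01", "UAT", set()),
    Device("prod-01", "Prod", set()),
]


def verify_ring(inventory, ring, patch=PATCH):
    """Verification step: compare what the tool reports against the target list."""
    devices = [d for d in inventory if d.ring == ring]
    return RingResult(
        ring,
        len(devices),
        sum(patch in d.installed for d in devices),
        sum(d.rolled_back for d in devices),
    )


def ring_passes(result, min_success=0.95, max_rollbacks=0):
    """A ring passes when enough devices verified and no rollback occurred.
    An empty ring never passes: there is no evidence the patch is safe."""
    if result.targeted == 0:
        return False
    return (result.verified / result.targeted >= min_success
            and result.rollbacks <= max_rollbacks)


def rollout_status(inventory, deployed_rings, patch=PATCH):
    """Walk the rings in order. The first ring not yet deployed becomes the next
    target only if every earlier ring passed its verification gate.
    Returns ("promote", ring), ("blocked", ring) or ("complete", None)."""
    for ring in RINGS:
        if ring not in deployed_rings:
            return ("promote", ring)
        if not ring_passes(verify_ring(inventory, ring, patch)):
            return ("blocked", ring)   # fix or roll back before going wider
    return ("complete", None)


if __name__ == "__main__":
    # Test ring is at 2/3 verified, below the 95% gate, so Prod stays untouched.
    print(rollout_status(INVENTORY, {"Dev", "Test"}))   # ('blocked', 'Test')
```

Running it against the snapshot reports the Test ring as blocked; once test-03 reports the patch installed, the same call promotes the patch to UAT. Treat the verification source the same way the slide does: it is the tool's dashboard or report data, not the deployment job's own success message.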
Best Practices for Patching
• Regular Schedule
• Prioritization
• Automation Tooling
• Backup Plans
• Communication
Best Practices for Patching > Regular Schedule
• Use maintenance windows to schedule patching during non-critical hours.
• Ensure that other IT processes (real-time or scheduled) do not conflict with the patching process:
  • Application maintenance
  • Application development
  • System and Application Backups
  • Vulnerability Management scans
  • Other security tools
    • Anti-Virus (AV)
    • Endpoint Detection and Response (EDR)
    • Host Intrusion Prevention (HIPS)
Best Practices for Patching > Prioritization
• Focus on critical systems and high-risk vulnerabilities (CVSS, KEV):
  • Authentication/Authorization infrastructure
  • Storage infrastructure
  • Communications (e.g., email, chat, collab)
  • Key Business Applications (e.g., CRM, ERP, HR, ITOM, ITAM)
• Rank risks based on quantitative findings from vulnerability scans or on qualitative criteria (e.g., application/service importance, C-level executive or admin systems, developers).
Best Practices for Patching > Automation Tools
• Use patching tool(s) from a vendor that:
  • Supports the devices, systems, applications, and cloud platforms you are using.
  • Has automation and dashboard/reporting capabilities:
    • Scan for patches needed
    • Download patches
    • Apply patches on an ad-hoc or scheduled basis
    • Validate that the patch has been deployed
    • Validate that the device, system, application and cloud services are working
  • Integrates with external systems:
    • Email, Storage, Reporting, SIEM, ITAM, ITOM, SOC Tools, Agentic AI
Best Practices for Patching > Backup Plans
• Ensure systems, devices, applications, and cloud services can be restored if a patch causes issues. This may require:
  • An uninstallation patch script or process, which is the best option.
  • A system or application restoration.
  • A system or application rebuild.
  • A need to fail over to another system, device, application cluster or cloud region.
Best Practices for Patching > Communications
• Keep stakeholders informed about patch status.
• As part of cybersecurity awareness training, reinforce the importance and benefit to the organization of regular patching of the organization’s systems.
• Communicate the scheduled patch cycle on a regular basis, so stakeholders are aware of the potential unavailability of organizational systems.
Challenges and Solutions
• Resource Limitations
• Compatibility Issues
• Downtime
• Compliance
Challenges and Solutions > Resource Limitations
• Ensure that the systems you are patching are turned on and have enough resources to run the patching process:
  • Network bandwidth to pull patches down.
  • Disk space to store patches after they have been downloaded.
  • CPU and memory to run the patching process.
• Managing patches with limited IT staff:
  • Use automated vulnerability and patch management tools when possible.
  • Reduce the variety of device types, operating systems, and applications you have to support.
  • Outsource your vulnerability and patch management to a Managed Security Service Provider (MSSP).
Challenges and Solutions > Compatibility
Issues
• Software Conflicts: Patches may conflict with existing software, causing
functionality issues or crashes.
• Hardware Incompatibility: Some patches might not be compatible with
older hardware, leading to performance degradation or failure.
• Application Dependencies: Certain applications may rely on outdated
components that are affected by the patch, disrupting their operation.
• Operating System Version: Patches designed for specific OS versions may
not work correctly on others, especially if the system is outdated.
• Driver Issues: Updates can sometimes interfere with device drivers, causing
hardware malfunctions.
• Configuration Changes: Patches may alter system configurations, leading
to unexpected behavior or reduced performance.
• Network Dependencies: Systems with networked components may
experience disruptions if patches affect communication protocols.
Challenges and Solutions > Downtime >
Minimizing system downtime during patching
• Plan and Prioritize: Identify critical systems and prioritize patches based on their
urgency and impact. Schedule non-critical updates during off-peak hours.
• Use Live Patching: For systems that support it, live patching allows updates to be
applied without requiring a reboot, reducing downtime significantly.
• Test Patches in a Staging Environment: Before deploying patches to production,
test them in a controlled environment to identify potential issues.
• Automate Patch Management: Use tools to automate the patching process,
ensuring consistency and reducing manual errors.
• Implement Redundancy: Use failover systems or load balancing to maintain
service availability while patching individual components.
• Communicate with Stakeholders: Inform users and stakeholders about scheduled
maintenance to manage expectations and minimize disruptions.
• Optimize Scheduling: Align patching schedules with periods of low activity to
reduce the impact on operations.
Challenges and Solutions > Compliance >
Meeting regulatory and industry standards
• NIST (National Institute of Standards and Technology): NIST's guidelines, such as SP 800-40
Rev. 4, highlight the importance of enterprise patch management as part of preventive
maintenance.
• PCI DSS (Payment Card Industry Data Security Standard): Requires organizations handling
payment card data to apply security patches promptly to protect against vulnerabilities.
• HIPAA (Health Insurance Portability and Accountability Act): Mandates that healthcare
organizations implement security measures, including timely patching, to safeguard patient data.
• ISO/IEC 27001: This international standard for information security management systems includes
requirements for vulnerability management, which involves patching.
• SOX (Sarbanes-Oxley Act): While primarily focused on financial reporting, SOX compliance often
involves IT controls, including patch management, to ensure data integrity.
• GDPR (General Data Protection Regulation): Requires organizations to protect personal data,
which includes addressing vulnerabilities through patching.
• CMMC (Cybersecurity Maturity Model Certification): Used by the U.S. Department of Defense, it
includes requirements for vulnerability management and patching.
Tools and Technologies
• Patch Management Software
• Vendors
• Trends
• Deployment Models
• Place in cybersecurity ecosystem
Tools and Technologies > Patch Management Software
From:
• Hardware, OS, Application or Cloud Vendor
• Third-Party Vendors (GIGAOM RADAR 11-19-2024)
  • Atera
  • Automox*
  • Avast
  • BigFix*
  • BMC Software
  • Broadcom
  • Canonical
  • Cocobolo Group
  • ConnectWise*
  • Flexera
  • GFI Software
  • Heimdal
  • ITarian
  • Ivanti*
  • JAMF*
  • Kaseya
  • ManageEngine*
  • Microsoft*
  • N-able*
  • NinjaOne
  • OpenText BigFix
  • Quest
  • SecPod
  • SolarWinds
  • SysWard
  • Syxsense
  • Tanium*
  • Tenable
*Ones I have used
Tools and Technologies > Patch Management Software > Trends
• Tighter patch integration between vulnerability detection and remediation
  • Vulnerability software integration with patching software
  • Vulnerability software adding patching capability
  • Patching software adding vulnerability detection
• Vulnerability and patch management are going through rebranding
  • Vulnerability Management > Exposure Management
  • End Point Management (EPM) > Unified Endpoint Management (UEM) > Autonomous End Point Management (AEM)
• Generative AI - being used for predictive analysis of patching
Tools and Technologies > Patch Management
Software > Deployment Models
• On-premises
• Cloud - Software as a Service (SaaS)
• Hybrid (on-premises and cloud)
• Self-Managed or Co-Managed (MSSP)
Tools and Technologies > Integration with Other Security Solutions
• How patch management fits into broader security models and ecosystems.
Conclusion
• Recap of Key Points
• Call to Action
• Q&A Session
Conclusion > Recap of Key Points
Vulnerability Management is one of the many security tools you
have that are crucial for protecting your organization’s assets.
This presentation looked into the critical role that patching plays as
part of a vulnerability management program.
Conclusion > Call to Action
• Get your asset inventory under control and updated and
identify criticality to your business.
• Implement or refine your patch management processes as
part of your vulnerability management program.
Conclusion > Q&A
