Why a strong patch management strategy is essential for reducing business risk

In this Help Net Security interview, Eran Livne, Senior Director of Product Management, Endpoint Remediation at Qualys and Thomas Scheffler, Security Operations Manager of Cintas Corporation, discuss their experiences with automated patch management.

Scheffler details how Cintas transitioned from manual processes to Qualys’ solution, significantly improving their patching efficiency. Livne explains the role of effective patch management in minimizing business risk and maintaining strong cybersecurity.

Can you speak to the importance of a good patch management strategy in reducing business risk?

Eran Livne: With almost every business connected to the internet in some way, cyber risk is business risk. To de-risk the business, you must be able to measure, communicate, and eliminate your cyber risk effectively and efficiently. A good patch management strategy is crucial because it reduces business risk by closing off pathways malicious actors can utilize to spread laterally into critical environments.

In 2023, a staggering 28,834 vulnerabilities were recorded, reflecting a significant 13% increase from the previous year. The sheer volume of these vulnerabilities makes it nearly impossible for organizations to address all of them. Therefore, prioritizing the most critical vulnerabilities is essential. An effective patch management strategy can enhance an organization’s security, streamline the security team’s efforts, lower cybersecurity insurance premiums, and enable security leaders to effectively quantify and communicate cyber risk to the board and senior executives.

How did you identify the need for an automated patch management solution at Cintas?

Thomas Scheffler: At Cintas, we faced a scaling challenge in securing a distributed network spanning 13 distribution centers and over 47,000 employees. Prior to Qualys, we were often overwhelmed with risk alerts and daily patching tasks coming from a plethora of disjointed security and IT asset management tools. Moreover, we lacked a reliable way to prioritize patching based on risk to the enterprise.

How does Qualys ensure its patch management solution remains effective against emerging threats?

Eran Livne: Qualys’ protection begins with a team of over 100 “white hat” experts who proactively identify and mitigate vulnerabilities, continually updating its vulnerability and remediation database. To ensure our patch management solution remains effective against emerging threats, we leverage this comprehensive database, implementing smart automation techniques to address new risks as soon as they are discovered, and use data-driven approaches to minimize operational risks during patch deployment.

Can you describe the initial challenges you faced with manual patching processes?

Thomas Scheffler: As mentioned, our biggest blind spot was an effective prioritization method. With Qualys we are not only able to better identify the most important vulnerabilities, but also fix them faster.

What are the key features of Qualys’ Patch Management solution that differentiate it from other products in the market?

Eran Livne: A key differentiator for Qualys Patch Management is that its core solution leverages both vulnerability data and threat intelligence data from over 25 sources. Additionally, the solution stands out with features like risk-based patching, support for multiple operating systems including Mac and Linux, and the ability to easily deploy patches for remote systems. This is crucial in today’s remote and hybrid working environment. The solution also integrates with Qualys’ Vulnerability Management, Detection, and Response (VMDR) for a unified approach to vulnerability management. Customers using Qualys for patch management typically see remediation times improve by 43%, patch rates increase by 93%, and tickets close 60% faster.

Can you tell us how Qualys’ patch management solution helped you achieve your goal of patching the most critical vulnerabilities within 24 hours?

Thomas Scheffler: With patch management natively built into the Qualys platform, we were able to reduce the mean time to remediate (MTTR) from two months all the way down to eight days. And by adding Qualys’ CyberSecurity Asset Management to Vulnerability Management Detection and Response (VMDR), we now have 100% coverage of our external attack surface and have seen a 300% increase in the visibility of internet facing assets.

How do you handle the deployment of patches across diverse IT environments and systems?

Eran Livne: Qualys targets assets intelligently and automates patching for applications with low operational risk. This frees up security teams to focus on more complicated remediation scenarios. We also provide a central dashboard for patching Windows, Linux, and Mac operating systems, and third-party apps so customers have visibility across their environments.

What has been the business impact of implementing Qualys’ patch management solution?

Thomas Scheffler: Qualys helped us make sense of our disjointed and ad hoc security compliance efforts that arose in part due to mergers and acquisitions, reducing our risk from cyberattacks. Now we are secure, aware and efficient.

What metrics do you use to measure the success of your patch management strategy?

Thomas Scheffler:

• 100% coverage of our external attack surface (including mergers, acquisitions, and subsidiaries)
• 300% increase in the visibility of internet-facing assets
• Reduced MTTR from two months to eight days for critical vulnerabilities

Can you explain how Qualys’ TruRisk and CyberSecurity Asset Management solutions complement the patch management process?

Eran Livne: Qualys’ TruRisk and CyberSecurity Asset Management solutions complement the patch management process by providing a real-time and accurate assessment of external attack surface risks, built-in passive sensing for IoT and rogue devices, and third-party API-based connectors to complement Qualys sensors. This unified approach consolidates asset discovery and introduces a lightweight vulnerability scanner to pinpoint critical vulnerabilities immediately upon discovery, making it easier to patch where needed, quickly and effectively.

Those interested in learning more about the critical aspects of patch management can register for the July 31 virtual thought leadership Cyber Risk Series on patching here.