Virtual Patching vs. Vendor Patching: Which is Best for Securing Databases?


Today, 99% of organizations worldwide use one or more SaaS solutions. But can organizations rely entirely on vendors to keep their applications secure from the exploitation of vulnerabilities? Research indicates that the practice of vendor patching is not an efficient one, leaving businesses highly exposed to diverse threats. Here’s a look at why virtual patching could be the answer.

The age-old practice of vendor patching means that organizations routinely patch cloud-based applications by implementing the security updates issued by software vendors. In principle, this keeps applications secure from the exploitation of vulnerabilities and from other cyber threats, giving users the time and space to focus on productivity.

However, the patch management process suffers from various drawbacks that increase organizations’ exposure to opportunistic attackers. Malicious actors routinely exploit unpatched or vulnerable software and applications to steal sensitive data, access intellectual property, plant second-stage malware, or disrupt operations.

The Problem With Vendor Patching

A report from Aberdeen Strategy & Research (here referred to as Aberdeen) highlights the fallout of a poor and unregulated patch management process. Both organizations and software vendors are responsible for creating flaws in the process. These flaws can emerge at any stage of the patch management cycle, be it the discovery of a vulnerability, when a patch is made available by the vendor, or when the organization implements the patch.

Aberdeen found that of the 22,000 vulnerabilities discovered in 2020, vendors had failed to issue patches for roughly 20% (4,600) by year-end. Of the 13,000 remotely exploitable vulnerabilities, 3,900 did not get a vendor patch. Alarmingly, of the 6,500 vulnerabilities for which exploits were publicly available, roughly 40% (2,000) had no vendor patch.

Aberdeen also found that the availability of vendor patches frequently lags zero-day vulnerability disclosures: only 70% of vendor-provided patches, fixes, or workarounds were available at or near zero-day, and the figure reached 88% only after 90 days. There is, thus, a considerable delay on the part of vendors in issuing patches.

The issues don’t end there. Even when vendors issue patches, organizations struggle to implement them in time, which extends their exposure to exploitation. According to Aberdeen, because patching requires time, technical resources, and potential disruption of normal business activities, about 20% of vulnerabilities remain unpatched by organizations more than 90 days after zero-day. Together, these delays destroy the usefulness of a patch management process.

“In addition to the volume and frequency of vulnerabilities and exploits, the increasing sophistication of bad actors and the increasingly targeted nature of attacks amplifies the importance of time for an effective patch-oriented approach,” said Derek Brink, VP and research fellow at Aberdeen Strategy & Research.

[Figure: the state of the patch management process, from Aberdeen. Source: Data adapted from multiple sources; Aberdeen, April 2021]

In a research paper titled The Rise and Fall of the N-day Exploit Market in Cybercriminal Underground, Trend Micro stated that 2020 saw as many as 50 CVEs released every day, indicating the scale at which vulnerabilities were surfacing as organizations continued to deploy more and more applications. The company also found that it took the average organization up to 51 days to patch a new vulnerability.

“Criminals know that organizations are struggling to prioritize and patch promptly, and our research shows that patch delays are frequently taken advantage of,” said Mayra Rosario, senior threat researcher for Trend Micro. “The lifespan of a vulnerability or exploit does not depend on when a patch becomes available to stop it. In fact, older exploits are cheaper and therefore may be more popular with criminals shopping in underground forums. Virtual patching remains the best way to mitigate the risks of known and unknown threats to your organization.”


Vendor patching is prohibitively costly

One of the main reasons virtual patching has gained ground over the years is the considerable time it takes organizations, especially enterprises, to implement vendor patches. An enterprise-scale organization told Aberdeen that, for its databases, it took 17 to 21 total hours per instance to implement each minor release and 26 to 31 total hours per instance to implement each major release. Database administrators contribute 75% of the time required to implement database patches, and infrastructure/application specialists the remaining 25%.

The average enterprise invests between 27,800 and 35,300 (median: 32,000) hours a year implementing database patches and between 39,800 and 43,100 (median: 42,000) hours implementing database upgrades. In cost terms, database patches and database upgrades cost $1.76M and $2.43M on average, respectively. These time and cost investments make vendor patching an expensive exercise.

“In total, the fully-loaded cost of technical staff for implementing vendor patches and upgrades in this scenario ranges from about $2.5M to nearly $5M (median: $4.2M) per year — and consumes the time of 33 to 38 (median: 36) full-time equivalent people,” said Brink. “Most likely, your organization can think of several higher-value activities for these people to be doing!”

However, the figures above do not include the additional impact of lost revenue and/or lost user productivity when enterprise databases and applications are disrupted as part of the patching and upgrade process. Another factor to keep in mind is that the unavailability of a vendor patch increases exposure to exploits, and successful exploitation raises the likelihood of a significant business impact.

Virtual patching reduces the cost of patching significantly

In contrast, virtual patching significantly reduces all of these costs. An organization that relies on virtual patching avoids the lost revenue and lost user productivity that come with disrupting enterprise databases and applications. Virtual patching also effectively closes the window during which enterprise databases and applications can be compromised.

Here’s a closer look at the practice of virtual patching and what it offers to businesses:

Enter Virtual Patching

Virtual patching is increasingly promoted as a robust alternative to vendor patching, enabling organizations to shield application vulnerabilities quickly and limit their exposure to exploits. Also known as external patching or vulnerability shielding, virtual patching helps defeat exploitation attempts by protecting against both known and unknown vulnerabilities, including zero-day exploits, at all times.

According to Aberdeen, virtual patching refers to establishing a policy enforcement point external to the resource being protected and designed to identify and intercept exploits of vulnerabilities before they reach their target. It provides an effective compensating control when vendor patches are not available, reduces the need for emergency patches or workarounds, requires fewer policy enforcement points, and gives organizations the flexibility to implement vendor patches on the schedule of their choice — or mitigates the need to implement vendor patches at all.

Below are some real-world scenarios where organizations can implement virtual patching to keep their databases, applications, and servers secure from external threats:

Scenario: Vendor patches may not be available
Examples:
- There is often a significant lag time between the public disclosure of a vulnerability and the availability of a vendor patch — and some vulnerabilities are never patched
- Third-party application vendors need to test and certify database security updates with their own applications before enterprises can deploy them

Scenario: Vendor patching may not be possible or practical
Examples:
- Even if new vulnerabilities are discovered, vendors no longer provide patches for older, out-of-support systems
- Vendor patches may not be available for OEM systems (e.g., where license agreements may prohibit modifications to the underlying platform) or for outsourced code

Scenario: Vendor patching is costly, time-consuming, and inconvenient
Examples:
- The patching process itself (assessing, prioritizing, testing, and implementing) is costly and time-consuming, particularly when database restarts are required
- The opportunity cost of downtime or system outages (e.g., lost end-user productivity, deferred or lost revenue, and the cost of database administrators and other technical staff) provides an incentive to defer vendor patching

Scenario: Vendor patching does not support up-to-date visibility into what’s currently happening in your environment
Examples:
- Attempts to exploit a patched vulnerability will fail, but no alert will be raised, allowing attackers the ongoing opportunity to make more attempts
- Similarly, no alerts are raised for other suspicious or unwanted database activity (e.g., access to default accounts, use of evasion techniques, or access of file systems from databases)

Source: Aberdeen, April 2021
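To make Aberdeen’s definition concrete (a policy enforcement point outside the protected resource that intercepts exploit attempts before they reach it) and the visibility point from the scenarios above (an attempt against a vendor-patched flaw fails silently, whereas a virtual patch can raise an alert), here is a small virtual-patching filter in Python. This is an added example written for this article, not code from Aberdeen, Trend Micro or any product; the request format, the rule `VP-0001` (an allowlist on the `sort` parameter of a hypothetical `/reports` endpoint) and the sample traffic are all constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class VirtualPatch:
    """One virtual patch: a rule enforced in front of the protected resource."""
    patch_id: str              # internal tracking id (placeholder, not a CVE id)
    description: str
    path_prefix: str           # which requests the rule applies to
    param: str                 # request parameter being constrained
    allowed_value: re.Pattern  # allowlist; anything else is treated as an attempt
    action: str = "block"      # "block" (enforce) or "alert" (monitor only)


@dataclass
class Decision:
    allowed: bool = True
    alerts: list = field(default_factory=list)


class EnforcementPoint:
    """Policy enforcement point external to the database/application.

    Every rule violation is written to an audit log whether or not the
    request is blocked, so attempts stay visible even after the vendor
    patch has been applied and the rule is kept only in "alert" mode.
    """

    def __init__(self, patches):
        self.patches = list(patches)
        self.audit_log = []

    def evaluate(self, request):
        decision = Decision()
        params = request.get("params", {})
        for patch in self.patches:
            if not request["path"].startswith(patch.path_prefix):
                continue
            value = params.get(patch.param)
            if value is None or patch.allowed_value.fullmatch(value):
                continue  # parameter absent or conforms to the allowlist
            event = {
                "patch_id": patch.patch_id,
                "client": request["client"],
                "path": request["path"],
                "param": patch.param,
                "value": value,
                "action": patch.action,
            }
            self.audit_log.append(event)
            decision.alerts.append(event)
            if patch.action == "block":
                decision.allowed = False
        return decision

    def alerts_by_patch(self):
        """Per-rule attempt counts: the visibility a silent vendor patch lacks."""
        return dict(Counter(e["patch_id"] for e in self.audit_log))


# Constructed rule: a hypothetical /reports endpoint whose "sort" parameter
# should only ever be a plain lowercase column name.
REPORT_SORT_PATCH = VirtualPatch(
    patch_id="VP-0001",  # placeholder tracking id
    description="/reports: sort parameter must be a plain column name",
    path_prefix="/reports",
    param="sort",
    allowed_value=re.compile(r"[a-z_]{1,32}"),
)

# Constructed sample traffic (not captured from any real system).
SAMPLE_REQUESTS = [
    {"client": "10.0.0.5", "path": "/reports", "params": {"sort": "created_at"}},
    {"client": "10.0.0.9", "path": "/reports", "params": {"sort": "created_at DESC"}},
    {"client": "10.0.0.5", "path": "/health", "params": {}},
]


def run(mode="block"):
    """Evaluate the sample traffic with the rule in the given mode.

    Returns per-request (allowed, alert_count) pairs plus the audit summary,
    so "block" (before the vendor patch) and "alert" (after it) can be compared.
    """
    ep = EnforcementPoint([replace(REPORT_SORT_PATCH, action=mode)])
    decisions = [ep.evaluate(req) for req in SAMPLE_REQUESTS]
    return {
        "decisions": [(d.allowed, len(d.alerts)) for d in decisions],
        "alerts_by_patch": ep.alerts_by_patch(),
    }


if __name__ == "__main__":
    for mode in ("block", "alert"):
        print(mode, run(mode))
```

In "block" mode the non-conforming request is refused before it reaches the database; in "alert" mode it is allowed through (as it would be once the vendor patch is in place) but still logged, which is exactly the ongoing visibility the scenario table says vendor patching alone does not provide. A real deployment would attach this kind of rule to a reverse proxy, WAF or database firewall rather than an in-process function.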

Aside from saving costs and the valuable time of critical IT staff, a virtual patching solution should also be robust enough to perform its primary function: preventing the exploitation of known, unknown, and zero-day vulnerabilities by malicious actors. Trend Micro suggests that a good virtual patching solution should be multilayered. “This includes capabilities that inspect and block malicious activity from business-critical traffic; detect and prevent intrusions; thwart attacks on web-facing applications; and adaptably deploy on physical, virtual, or cloud environments,” the company says.


Combining virtual patching with EDR or MDR solutions

According to Brink, 80% to 90% of malware is unknown. Threat actors have moved aggressively towards more sophisticated approaches such as polymorphic malware and fileless attacks. “This is why signature-based threat detection approaches are no longer enough to reduce the likelihood of a compromise to an acceptable level,” he says.

This is where Managed Detection and Response (MDR) comes in. Today, most MDR and EDR (Endpoint Detection and Response) solutions offer two critical security capabilities that improve an organization’s security posture. The first is preemptive virtual patching, which automates the patching of vulnerable devices and software to eliminate the possibility of delayed patching or human error. Combining virtual patching with signature-based detection, device discovery, and preemptive device posture reduces the likelihood of endpoint infection to just 3.7%.

Brink adds that another robust EDR/MDR feature is dynamic endpoint detection and response, which packs post-execution capabilities such as stopping processes, blocking or deleting files, and remotely isolating or shutting down affected devices. It also applies dynamic analysis to monitor files and fileless behaviors: how they are formed, accessed, and executed.

When combined with virtual patching, signature-based detection, device discovery, and preemptive device posture, dynamic EDR reduced the likelihood of endpoint infection to just 0.4% on average. This represents a reduction of 95% compared with EDR solutions based only on traditional signature-based detection, says Brink.

In Conclusion: Advice for CISOs

Virtual patching is a robust breach-prevention practice that enables organizations to protect their databases and applications without investing considerable time, effort, and money in patching every vulnerability individually. However, it is just one of many practices CISOs should adopt to keep their environments secure from exploitation attempts.

Jonny Milliken, manager of the research team at Alert Logic, says that there are two critical steps in security: knowing your assets and knowing what threats exist. Without both, it is almost impossible to respond to or mitigate threats effectively. Therefore, the best mitigation is good knowledge and treating investment in cybersecurity as a priority.

“Once you know both of these things, the response is fairly textbook – patch as soon as possible. If that’s not possible, consider removing the host from the internet until you can. If virtual patching is available, that can be an effective tool. Leaving an unauthenticated remote code execution vulnerability open to the internet and unpatched is inviting trouble.”

Martin Jartelius, CSO at Outpost24, also says that if a company’s application has a critical flaw that would take six months to resolve and poses a high risk, the CISO should look at workarounds, including virtual patching, adding protection layers, and similar measures, to reduce its exploitability. If none are possible, then the application shouldn’t go out.

“Most organizations should have a risk management process, and that process should include a policy of the risk appetite. The CISO should ensure that the CEO agrees and buys into the risk appetite, because at the end of the day, the CEO owns the risk and delegates execution to the CISO,” he adds.
