How MSSPs Can Support Risk-Based Patch Management

Ayesha Prakash

The growing interest in managed security service providers (MSSPs) presents ample opportunity. But as I noted in March, providers must understand the cybersecurity challenges their customers face to succeed under an MSSP model. From an outsider’s perspective, understanding how to help customers navigate an ever-changing cyber threat landscape can feel like a daunting task. So today, let’s just focus on one area where customers are in continuous need of support: patch management.

BlueKeep: The Next EternalBlue?

In light of concerns over the BlueKeep vulnerability and two similar remote desktop protocol (RDP) vulnerabilities disclosed on Aug. 13, it’s more important than ever for MSSPs to recognize the critical importance of empowering customers with the tools they need to make effective patching decisions. BlueKeep (CVE-2019-0708) is a flaw in the Windows RDP protocol used by admins for remote administration. Many security researchers worry BlueKeep has the potential to echo the havoc wrought by a Microsoft SMB vulnerability targeted by the EternalBlue exploit.

EternalBlue was used in the large-scale WannaCry and NotPetya cyberattacks in 2017. A patch for the vulnerability exploited by WannaCry (CVE-2017-0144) was made available by Microsoft in March 2017, giving users nearly two months to install it before WannaCry made global headlines in May. And yet, WannaCry had an unprecedented impact, infecting roughly 200,000 computers across 150 countries and causing up to $4 billion in estimated damages. But EternalBlue didn’t make its biggest impact until six weeks later, when it was used in the NotPetya cyberattacks, which resulted in more than $10 billion in damages, leading some to call it the most devastating cyberattack of all time.

In their immediate aftermath, WannaCry and NotPetya sparked earnest conversations about patching frequency and the need for enterprise IT leaders to push cybersecurity as a more critical issue on the boardroom agenda.

But two years later, it seems this hard-earned lesson has been forgotten by many. Two days after the two-year anniversary of WannaCry, Microsoft patched the BlueKeep vulnerability and even issued a follow-up reminder two weeks later, emphasizing the potential impact of failing to patch the vulnerability. Despite these warnings, companies have been markedly slow to patch BlueKeep, and the release of a commercial exploit to the customers of a U.S.-based security assessment and penetration-testing company last month reignited concerns that it may only be a matter of time before an exploit becomes widely available to cybercriminals.

Why High-Risk Vulnerabilities Go Unpatched

Based on the scenario I’ve laid out, you may be perplexed as to why so companies are failing to patch BlueKeep. However, we must acknowledge the inherent challenges and complexities associated with patch management. Administering security patches is a time- and resource-intensive process that requires rigorous compatibility testing before fixes are distributed enterprisewide. But with hundreds of Common Vulnerabilities and Exposures (CVE) numbers assigned in a typical month, IT security teams are forced to prioritize which vulnerabilities are most critical to their businesses, and test and apply those patches first. A critical vulnerability to one company could just as easily be …