
Risk Fix Is Not a Patch for a Modern Approach

Patches cover holes. Just as yarn can patch a sock or knee pads can patch a pair of worn-out jeans, software patches are so named because they close the hole that a vulnerability opens in a program. That hole is what attackers probe to run their own code on, or pull data out of, a company’s IT systems, so applying patches has become a standard part of systems maintenance.

Now that software updates are installed regularly (often on a fixed schedule, such as Microsoft’s Patch Tuesday), we expect them to happen. System administrators and other IT operations staff generally understand the process and apply updates and patches as they become available.

Let’s not mention CrowdStrike

But patching isn’t always a no-brainer. Sometimes a patch, or a driver or content update, is pushed out before it has been fully tested and approved. Sometimes the update carries a defect that crashes the systems it lands on (sorry, we said we wouldn’t mention the CrowdStrike incident of July 2024, when a faulty content update for the Falcon sensor took down Windows hosts worldwide). And sometimes the update is perfectly sound but still hasn’t been approved for deployment because of a compatibility concern or some other external factor, such as the risk that it breaks integration with another application.

In these scenarios, the need for a more controlled and flexible approach to IT risk mitigation becomes clear. Qualys, a cloud-based IT, security and compliance solutions provider, wants organizations to move toward a more comprehensive remediation approach that goes beyond patching to reduce risk further.

This year, Qualys TruRisk Eliminate arrives, software that offers additional methods of remediation when patching isn’t feasible. Qualys calls the approach “patchless patching”: targeted isolation and other mitigation strategies, layered to reduce exposure while the vulnerability itself remains unpatched.

What is Patchless Patching?

As the name suggests, patching without patching covers everything other than the vendor’s software patch that reduces risk, whether some of it, all of it, or, most importantly, just enough of it to protect enterprise applications and data services from harm. In practice it means individually tuned scripts and mitigation steps applied to lock down an IT asset (a configuration change that disables the vulnerable feature, a restriction on who can reach the affected service, quarantine of the host) so that it keeps operating safely, reliably and effectively until a patch can be applied. The caveat a practitioner should keep in mind is that a mitigation lowers the exposure but does not remove the vulnerable code, so the finding stays open and needs to be revisited when the patch finally ships.

“Five years ago, Qualys revolutionized the vulnerability management space with integrated patch management to help organizations streamline and accelerate threat remediation. Now, we’re taking it a step further with TruRisk Eliminate, offering organizations innovative ways to mitigate risk even when patching isn’t an option,” said Sumedh Thakar, president and CEO of Qualys. “With TruRisk Eliminate, we’re giving organizations peace of mind with powerful solutions that address their most pressing threats and ultimately reduce the risk to their operations. In today’s business world, IT teams need effective mechanisms to mitigate the risk of unpatched vulnerabilities while maintaining business operations.”

Thakar and the team agree that patch management remains the primary way to fix vulnerabilities, but it’s not always the most feasible or the only option. Addressing every vulnerability is becoming increasingly difficult because of the business disruption a patch can cause (no need to rehash July 2024), the unavailability of patches for so-called zero-day vulnerabilities (flaws that are known, and often already being exploited, before the vendor has a fix), and the limitations of traditional patch management tools that rely solely on software agents.

“While patching is an essential part of vulnerability management to mitigate risk, there are use cases where it’s not possible or requires disruptions or downtime that can impact operations. In some cases, such as new exploits or zero-day vulnerabilities, a patch may not even be available,” said Melinda Marks, director of the cybersecurity practice at Enterprise Strategy Group. Marks is optimistic about this new Qualys offering as a way of expanding vulnerability management capabilities. She says it could help IT teams align with and support business operations.

Qualys TruRisk Eliminate equips security and IT teams with the tools to increase cybersecurity resilience by resolving critical vulnerabilities with or without a patch. The solution reduces friction in current processes, enabling CISOs and CIOs to reduce risk through patch management, configuration changes, mitigation, and targeted isolation.

Fixing multi-decision risk

As part of the TruRisk product portfolio, TruRisk Mitigate applies risk mitigation controls based on vendor recommendations, CISA guidance and research from the Qualys Threat Research Unit, implementing configuration changes through scripts for Linux and Windows systems. TruRisk Isolate lets teams quarantine risky assets so that a security incident can’t spread across the network. With the integrated Qualys Qflow feature, Thakar and his team promise to save organizations time and resources by automating complex, decision-based remediation tasks, such as applying a mitigation when no patch is available and removing a high-risk asset from quarantine only after the vulnerability has been closed.
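The decision sequence described above (fix permanently if you can, mitigate if you can’t, isolate if nothing else reduces the exposure, and release from quarantine only after a re-scan confirms the vulnerability is closed) is easier to reason about as code. The following Python is an added example written for this article; it is not Qualys code and does not describe how TruRisk Eliminate or Qflow is implemented. The `Finding` fields, the asset names and the `CVE-EXAMPLE-*` labels are all hypothetical, and the re-scan result that drives release from isolation is supplied by the caller rather than by a real scanner.

```python
"""Added example, not Qualys code: a decision flow for "patching without
patching". Field names, assets and CVE labels are hypothetical."""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    PATCH = "patch"          # vendor fix, tested and approved for deployment
    UNINSTALL = "uninstall"  # end-of-life software: no fix will ever ship
    MITIGATE = "mitigate"    # vendor/CISA workaround applied as a configuration change
    ISOLATE = "isolate"      # targeted quarantine: no fix, no workaround, actively exploited
    DEFER = "defer"          # wait for an approved patch; not exploited, nothing else to do


@dataclass
class Finding:
    asset: str
    cve: str
    exploited_in_wild: bool
    patch_available: bool
    patch_approved: bool       # passed compatibility testing and change control
    workaround_available: bool
    software_eol: bool
    mitigated: bool = False
    isolated: bool = False
    closed: bool = False       # set only by a verification scan, never assumed


def choose_action(f: Finding) -> Action:
    """Permanent fixes first, temporary mitigation second, containment last."""
    if f.software_eol:
        return Action.UNINSTALL
    if f.patch_available and f.patch_approved:
        return Action.PATCH
    if f.workaround_available:
        return Action.MITIGATE
    if f.exploited_in_wild:
        return Action.ISOLATE
    return Action.DEFER


def apply_action(f: Finding, action: Action) -> None:
    """Record what was done. MITIGATE and ISOLATE reduce exposure but leave the
    vulnerable code in place, so the finding stays open; PATCH and UNINSTALL are
    expected to close it, but only the re-scan is allowed to confirm that."""
    if action is Action.MITIGATE:
        f.mitigated = True
    elif action is Action.ISOLATE:
        f.isolated = True


def verify_and_release(f: Finding, rescan_shows_closed: bool) -> bool:
    """Apply the re-scan result and lift quarantine only if the CVE is confirmed
    gone. Returns True if the asset was released from isolation."""
    f.closed = rescan_shows_closed
    if f.isolated and f.closed:
        f.isolated = False
        return True
    return False


def remediation_cycle(f: Finding, rescan_shows_closed: bool) -> Action:
    """One pass of the flow: decide, act, verify. In practice the re-scan result
    comes from the vulnerability scanner; here the caller supplies it."""
    action = choose_action(f)
    apply_action(f, action)
    verify_and_release(f, rescan_shows_closed)
    return action


def run_cycle(findings, rescan_results):
    """Batch version that produces an audit log. rescan_results maps
    (asset, cve) to the verification-scan outcome; a missing entry counts as
    'still open', so an isolated asset is never released by accident."""
    log = []
    for f in findings:
        action = remediation_cycle(f, rescan_results.get((f.asset, f.cve), False))
        log.append((f.asset, f.cve, action.value, f.closed, f.isolated))
    return log


if __name__ == "__main__":
    # Constructed sample: an exploited zero-day with no patch and no workaround.
    zero_day = Finding("db-01", "CVE-EXAMPLE-1", exploited_in_wild=True,
                       patch_available=False, patch_approved=False,
                       workaround_available=False, software_eol=False)
    first = remediation_cycle(zero_day, False)
    print(first.value, zero_day.isolated)   # isolate True
    # The patch ships and clears change control; the re-scan confirms closure.
    zero_day.patch_available = zero_day.patch_approved = True
    second = remediation_cycle(zero_day, True)
    print(second.value, zero_day.isolated)  # patch False
```

The point to notice is that `closed` is never set by the action itself: a patch that was rolled out but whose re-scan still shows the CVE present leaves the asset in quarantine, which is exactly the "release only after the vulnerability is closed" rule from the text, and a mitigated finding stays open so it is re-evaluated once an approved patch exists.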

“Many of our customers have told us that patching isn’t always the right answer to a security vulnerability,” said Eran Livne, senior director of product management at Qualys. “Not all vulnerabilities can be fixed with a patch. For example, vulnerabilities in software that has reached its end of life cannot be fixed and require the software to be uninstalled. Sometimes the business risk of deploying a patch is too high, for example, remediation teams may be concerned about potential downtime or disruptions that could directly impact the business and its customers. Vendors often release workarounds to mitigate zero-day vulnerabilities days or even weeks before the actual patch is released.”

The average enterprise software (or consumer software) user may never be aware of the patching going on behind the scenes, although most of us are already familiar with the need to update browsers like Chrome regularly. If you’ve ever played on an Xbox, you know how often a game, or the console itself, demands an update before it will run. Patching will remain an option for the foreseeable future, but in an IT world of increasingly distributed computing resources connected (pun intended) by cloud computing frameworks and everyday practices like containerization, it is now being combined with patching without patching.

Well, you know what they say: seamless stitching at the right time saves the IT production line.