Cybersecurity as a Quilt: Why Patches Are Key to a Strong Defense

LastPass Labs is the content hub for the Threat Intelligence, Mitigation and Escalations (TIME) team at LastPass. Our focus is in-depth analysis of the latest security developments, a keen eye toward forward-looking tech, and unique threat perspectives.  Cybersecurity is a necessity for all businesses, from the largest multinational corporations to single-person start-ups. While some companies are fortunate enough to have large budgets dedicated solely to cybersecurity, others must prioritize efforts with limited resources to maximize returns.  In addition to establishing strong controls around emails, including scanning for and blocking malicious messages, along with employee awareness and training to lower the risk from social engineering attacks, vulnerability management is a critical pillar of a basic cybersecurity program and provides an immediate return on investment. Successful exploitations of vulnerabilities are one of the top causes of cyber incidents – in its 2023 M-Trends report, Mandiant noted 36% of its investigations into intrusions included the exploitation of a vulnerability. Understanding your technology infrastructure and what devices you have as part of your network via asset management is recognized as a key pillar in several cybersecurity frameworks, including the National Institute of Standards and Technology (NIST) cybersecurity framework. Knowing your technology inventory enables your companies – regardless of size – to quickly understand if they are impacted by new vulnerabilities and take the right steps to patch them. You can’t protect what you don’t know you have. The value of identifying the presence of vulnerabilities within your environment and patching them as quickly as possible can’t be overstated.  According to the Rapid7 2022 Vulnerability Intelligence Report, more than half of the vulnerabilities studied were exploited within seven days of their public disclosure, representing a 12% increase from 2021 and an 87% increase from 2020. While most people associate vulnerabilities with major software providers, the reliance on open-source software further complicates the vulnerability threat environment. According to an OpenUK study, 90% of companies use open-source software, increasing the potential supply chain security risks beyond the standard concerns around operating systems and/or proprietary software. Further, Gartner predicts 45% of organizations worldwide will experience an attack on their software supply chain by 2025. The widespread nature of open-source software usage creates dependencies that can be difficult to identify if they are not closely tracked. For example, even a year after its initial disclosure and despite being among the most commonly exploited vulnerabilities of 2022, the Apache Log4j vulnerability (CVE-2021-44228) was still found in 5% of the codebases audited by Snyopsys according to their 2023 Open-Source Security and Risk Analysis Report. Finally, the increase in working from home and bring your own device (BYOD) programs has extended the potential attack surface for most companies well beyond the traditional boundaries of a company infrastructure, forcing businesses to consider potential vulnerabilities outside their direct control.  Strong patching policies and employee education and communications are key to helping harden the wider boundaries of a company’s environment. 

What steps can be taken?

• Establish vulnerability and patch management policies and procedures that align with both business priorities and industry best practices.  Having clear policies that dictate how to respond to new vulnerabilities makes remediation faster and easier. 
• When possible, invest in tools that allow for automated detection of assets and the vulnerabilities and/or issues that may impact them. 
• Develop a robust asset inventory of not only the proprietary software within your environment, but also understand the open-source dependencies that may exist within your applications. Leveraging software bills of material (SBOMs) can help identify what open-source components may be critical to your operations and allow you to act quickly should a new vulnerability arise. 
• Whenever possible, allowing auto-updates to software can help address vulnerabilities as quickly as possible. If testing is required to ensure the update will not disrupt operations, conduct the testing as quickly as possible. 
• The number of vulnerabilities released annually can be daunting, with over 25,000 vulnerabilities published in 2022. Prioritizing patching those vulnerabilities by both their severity and the presence of active exploitation by threat actors.  To assist in this, the United States Cybersecurity and Infrastructure Security Agency (CISA) maintains a catalog of known exploited vulnerabilities and updates this list regularly (the catalog can be found here). The list is free and available to the public and can serve as a key resource in helping to prioritize patching based on real-world threats.  Also, the Forum of Incident Response and Security Teams (FIRST) has produced an Exploit Prediction Scoring System (EPSS) that can also help prioritize remediation based on the likelihood of exploitation.
• The development of a custom prioritization methodology can also greatly assist in responding quickly and appropriately to new vulnerabilities.  This model would be dependent upon a mix of external elements, such as a vulnerability’s CVSS score and evidence of active exploitation, as well as internal elements such as whether or not the impacted assets are critical and/or externally facing.  
• Establish clear policies for updating BYOD devices and communicate those expectations to employees. Highlight new vulnerabilities that may affect these devices (including cell phones or home computers) to employees so that they can patch them promptly. 

While maintaining a vulnerability management program can seem daunting, taking these steps can help ensure a threat-based approach to prioritizing your efforts, even with limited resources.  This risk-based approach can allow companies to maximize the returns on their investments along the Pareto principle, in which 80% of the benefits of a vulnerability management program can be achieved with the first 20% of the effort.  The LastPass Threat Intelligence, Mitigation, and Escalation (TIME) team is focused on protecting our community by monitoring for, analyzing, and mitigating threats targeting our customers, our company, and our industry. The team has nearly 50 total years of intelligence and cyber experience and firmly believe in information sharing and relationship building as the key to a successful intelligence program. Our goal within LastPass is to provide timely and actionable intelligence to stakeholders that allow our security teams to protect our customers, their data, and the company. In addition to conducting analysis and informing our security teams on developments in the larger cyber threat environment, we are also working to automate our intelligence inputs into our partners’ processes and minimize the timeframe from threat awareness to mitigation.