The cybersecurity landscape today? It’s a battlefield, and the “unpatchable” asset is that elusive enemy you can’t quite pin down. Consider this: Researchers constantly uncover software vulnerabilities, attackers evolve threats at an unbelievable pace, and the old “perimeter” has practically vanished. Gone are the days when a simple layered, perimeter-based security approach was enough. Attackers are now going straight for systems exposed to the internet, making patching more crucial than ever – if it’s possible. Organizations must develop a completely new approach to handle vulnerabilities in assets they cannot patch for various reasons. This is where a zero-trust mindset becomes absolutely critical. In this article, we’re going to explore the “art of the possible” in this new world, focusing on a proactive approach that leverages IT Asset Management (ITAM) and gives you actionable guidance for mastering the challenges of those “unpatchable” assets.
The Growing Problem of “Unpatchable” Assets
In the old days of perimeter-based security, most software was happily running on internal networks. Patching was important, sure, but it wasn’t always the highest priority. Things are very different now. NIST Special Publication 800-40r4, which complements the controls in NIST SP 800-53, highlights that the perimeter has largely vanished and that most technologies are now directly exposed to the internet. This puts systems at a significantly greater risk of compromise. It’s like moving from a quiet back street to a main thoroughfare – you’re much more exposed.
Now, the idea that patching is the be-all and end-all is also flawed. Patching – applying a change to installed software – just isn’t always a viable option. A patch might not be available yet, the vendor may no longer support the vulnerable software (making it end-of-life), or you might have to wait for a scheduled outage. These challenges make “unpatchable assets” unavoidable: legacy systems, specialized devices, and operational technology (OT). The implications are serious – we’re not just talking about technicalities; these are real operational and financial risks. With the increasing complexity of today’s software environment, simply keeping up with patching has become difficult for many organizations, so we need to start thinking about different approaches.
Zero Trust and the “Unpatchable” Landscape
A zero-trust approach is now more vital than ever, and it emphasizes business asset-specific security over network-centric approaches. It’s like saying, “I don’t trust anyone,” even those inside your own organization. As explained in NIST Special Publication 800-128, security-focused configuration management (SecCM) is essential for managing system configurations to both provide security and minimize organizational risk. Zero trust assumes that threats exist both outside and inside the traditional perimeter, which makes individual asset security paramount. Patching becomes vital for reducing risk to assets and determining their trust status. However, this also highlights the need to ensure that systems are patchable or that other strategies must be in place to deal with the gaps.
Navigating the Challenges of Unpatchable Assets
While patching is a critical security measure, the truth is, it’s just not always possible. This is where a layered approach to security, combining strong asset management with smart mitigation strategies, becomes essential. Think of it like a well-stocked toolbox with different tools for different jobs:
- Reduce Vulnerabilities: A comprehensive IT Asset Management system, as described in NIST SP 1800-5 (Volumes A and B), is essential. It’s the foundation for everything else. By taking the steps below, you can significantly reduce the attack surface and lower the amount of patching you need, which reduces complexity and cost over the long term. A risk-based approach is absolutely vital: you’re not patching for patching’s sake, but addressing the most critical vulnerabilities first.
  - Detailed Inventories: Track all assets, not just their physical location but their technical specifications and their function. This process should include information on each computing asset’s technical and mission/business characteristics and should be continuously maintained and updated. It goes further than just where something is physically. You need to understand which software, packages, and libraries are installed on each asset and track vulnerabilities down to the package and library level. Leverage capabilities like a software bill of materials (SBOM), which provides a standardized way to describe software components.
  - Harden Systems: Employ the principle of least functionality and deactivate any services and features you don’t absolutely need. It’s like locking all the doors except for the ones you actually use. This also involves configuring software according to secure configuration guidelines. Furthermore, IT professionals should enforce the principle of least privilege.
  - Strategic Procurement: When acquiring new software, favor products that are likely to have fewer vulnerabilities. Consider a vendor’s secure software development practices, how transparent they are in security-related communication, and how quickly they address issues and release patches. It’s like choosing a car with a great safety record.
  - Managed Services: Think about using managed services to handle some of the patching load when it makes sense. This allows your team to focus on other key areas.
- Mitigate Risks Strategically: The reality of an unpatchable asset demands a clear, thought-out strategy. Organizations need to define clear risk-response scenarios for different situations, kind of like a contingency plan for a major storm:
  - Emergency Patching: Use the same general approach as for routine patching, but with an accelerated schedule, giving a very short window to apply the necessary patches.
  - Emergency Mitigation: Temporarily mitigate vulnerabilities before a patch is available, using techniques like network segmentation, limiting access, or disabling features. Emergency mitigations are sometimes needed because of problems with a patch itself.
  - Isolation: Use strategies for segmenting off unpatchable assets to limit their exposure. An unpatched system increases the risk to the network or system it resides on.
  - Long-Term Mitigation Methods: Apply long-term risk mitigation methods, and have security architects/engineers review and analyze them (NIST SP 800-128). The key is to have multiple layers of security around assets that cannot be patched. You can’t just ignore the risk.
- Operationalize Patching: Effective patch management requires an enterprise-level strategy that prioritizes risk reduction but also manages your operational needs (NIST SP 800-40r4). It’s like running a well-oiled machine. Organizations should plan for the fast implementation of multiple types of emergency mitigations to protect vulnerable assets.
  - Prioritization: Focus on the vulnerabilities that pose the greatest threat to your organization. A great approach is to follow guidance such as CISA’s Known Exploited Vulnerabilities Catalog to prioritize the most pressing patches.
  - Phased Deployment: Implement a phased rollout with canary assets that serve as a test bed for problems the update may cause. Then expand the rollout to a larger set of assets and ultimately to all assets. This will help you find problems before they impact your entire environment.
  - Metrics: Leverage low-level metrics that already exist – think patch deployment timelines, time to remediation, or vulnerability scores. Use these to generate enterprise-level metrics that guide actionable decision making. Use automation for prioritization, scheduling, validation, and deployment; automation is essential to manage the sheer volume of patches needed in a modern enterprise.
  - Maintenance Plans: Establish clear maintenance plans for each asset based on the identified risk-response scenarios, and assign assets to different maintenance groups. Each plan should include timelines for actions and other relevant information.
- Continuous Monitoring: A system is never “done,” especially when it comes to security. As explained in NIST Special Publication 800-128, you must continuously monitor to ensure deployed patches are still in place and working correctly, and to see whether patching has changed a system’s behavior. This requires:
  - Automated Verification: Verify that patches have been applied correctly and have actually taken effect. This is best done with automated tools. The robustness of this verification can vary based on the organization’s needs.
  - Post-Patch Monitoring: Monitor patched systems to confirm that the patch hasn’t been uninstalled and that the software hasn’t been rolled back to an unpatched state.
  - Behavior Analysis: Monitor the patched software’s behavior to see if it has changed after patching, which could indicate a compromise.
- Compliance with Standards and Regulations: Organizations have to comply with all applicable laws, regulations, and business requirements, such as Federal Information Processing Standards (FIPS) or the Payment Card Industry Data Security Standard (PCI DSS). Many compliance standards require strong configuration management or vulnerability management policies. NIST Special Publication 800-53B contains security and privacy control baselines that can help you meet these requirements.
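The inventory, risk-response and prioritization points above come together once the SBOM data is actually matched against advisories. The following script is an added example written for this article, not code from the article’s author or from any NIST publication. It assumes a minimal CycloneDX-like component list per asset, a vendor support end date per asset (past that date the asset is treated as unpatchable), and an advisory feed whose `kev` field stands in for membership in CISA’s Known Exploited Vulnerabilities catalog. All asset names, versions, CVE identifiers and SLA windows are constructed placeholders.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed inventory for two assets in a minimal CycloneDX-like shape (component name and
# version only). "support_ends" is the vendor end-of-life date; an asset past it is treated as
# unpatchable. None of this is real asset data.
SBOMS = {
    "web-01": {
        "support_ends": "2027-01-01",
        "components": [{"name": "openssl", "version": "3.0.1"},
                       {"name": "nginx", "version": "1.24.0"}],
    },
    "plc-gateway-07": {
        "support_ends": "2022-06-30",
        "components": [{"name": "openssl", "version": "1.0.2u"},
                       {"name": "busybox", "version": "1.30.1"}],
    },
}

# Constructed advisories with placeholder IDs. "affected_below" is the first fixed version and
# "kev" stands in for membership in CISA's Known Exploited Vulnerabilities catalog.
ADVISORIES = [
    {"id": "CVE-0000-0001", "package": "openssl", "affected_below": "3.0.7", "cvss": 7.5, "kev": True},
    {"id": "CVE-0000-0002", "package": "openssl", "affected_below": "1.1.1", "cvss": 9.8, "kev": False},
    {"id": "CVE-0000-0003", "package": "busybox", "affected_below": "1.35.0", "cvss": 5.3, "kev": False},
]


def parse_version(v: str) -> tuple:
    """Turn '1.0.2u' into ((1, ''), (0, ''), (2, 'u')) so versions compare as tuples.
    A deliberately small comparator; real feeds need ecosystem-specific version rules."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"(\d*)(.*)", piece)
        parts.append((int(m.group(1) or 0), m.group(2)))
    return tuple(parts)


@dataclass
class Finding:
    asset: str
    package: str
    version: str
    cve: str
    cvss: float
    kev: bool
    patchable: bool   # False when the vendor no longer supports the asset
    due: date         # deadline to patch, or to have a mitigation in place


def remediation_window(adv: dict) -> timedelta:
    # Hypothetical SLA tiers chosen for the example: exploited-in-the-wild first, then severity.
    if adv["kev"]:
        return timedelta(days=14)
    if adv["cvss"] >= 9.0:
        return timedelta(days=30)
    return timedelta(days=90)


def assess(sboms: dict, advisories: list, as_of: str) -> list:
    """Match every installed component against the advisories and rank the findings."""
    today = date.fromisoformat(as_of)
    findings = []
    for asset, sbom in sboms.items():
        supported = date.fromisoformat(sbom["support_ends"]) >= today
        for comp in sbom["components"]:
            for adv in advisories:
                if adv["package"] != comp["name"]:
                    continue
                if parse_version(comp["version"]) < parse_version(adv["affected_below"]):
                    findings.append(Finding(asset, comp["name"], comp["version"], adv["id"],
                                            adv["cvss"], adv["kev"], supported,
                                            today + remediation_window(adv)))
    # KEV entries first, then by CVSS, then a stable tie-break on asset and CVE id.
    findings.sort(key=lambda f: (not f.kev, -f.cvss, f.asset, f.cve))
    return findings


def response_scenario(f: Finding) -> str:
    """Map a finding to one of the risk-response scenarios described in the article."""
    if f.patchable:
        return "emergency patching" if f.kev else "routine patching"
    if f.kev or f.cvss >= 9.0:
        return "isolation + long-term mitigation"
    return "long-term mitigation"


if __name__ == "__main__":
    for f in assess(SBOMS, ADVISORIES, "2025-01-15"):
        print(f"{f.asset:15} {f.package:8} {f.version:7} {f.cve}  cvss={f.cvss}  kev={f.kev}"
              f"  due={f.due}  -> {response_scenario(f)}")
```

Run as-is, the output ranks the two KEV-listed findings first regardless of their lower CVSS score, and the end-of-life gateway is routed to isolation and long-term mitigation rather than to a patch that will never arrive. The point of keeping `response_scenario` separate from `assess` is that the same findings can be mapped to different maintenance groups without re-running the SBOM match.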
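The continuous monitoring bullet (automated verification, post-patch monitoring and behavior analysis) is easiest to see as a comparison between a baseline recorded right after a verified patch and a later scan. The script below is an added example for this article, not the author’s or NIST’s code. It assumes the verification run stored a digest of each patched binary and the set of listening TCP ports per asset; the digests, asset names and ports are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed baseline, recorded right after each asset's patch was verified. "files" maps a
# patched binary to the digest the verification run stored (placeholder strings, not real
# hashes); "listening" is the set of TCP ports that were open at that time.
BASELINE = {
    "web-01":   {"files": {"/usr/lib/libssl.so.3": "sha256:PLACEHOLDER-PATCHED"}, "listening": {22, 443}},
    "db-02":    {"files": {"/usr/lib/libssl.so.3": "sha256:PLACEHOLDER-PATCHED"}, "listening": {22, 5432}},
    "app-03":   {"files": {"/usr/lib/libssl.so.3": "sha256:PLACEHOLDER-PATCHED"}, "listening": {22, 8443}},
    "cache-04": {"files": {"/usr/lib/libssl.so.3": "sha256:PLACEHOLDER-PATCHED"}, "listening": {22, 6379}},
}

# Constructed later scan. web-01 has started listening on a new port, db-02's library digest is
# back to the pre-patch value (a rollback or a reinstall), and cache-04 never reported in.
SCAN = {
    "web-01": {"files": {"/usr/lib/libssl.so.3": "sha256:PLACEHOLDER-PATCHED"}, "listening": {22, 443, 8081}},
    "db-02":  {"files": {"/usr/lib/libssl.so.3": "sha256:PLACEHOLDER-UNPATCHED"}, "listening": {22, 5432}},
    "app-03": {"files": {"/usr/lib/libssl.so.3": "sha256:PLACEHOLDER-PATCHED"}, "listening": {22, 8443}},
}


@dataclass(frozen=True)
class Alert:
    asset: str
    kind: str     # "not_verified", "patch_regressed" or "behavior_changed"
    detail: str


def verify(baseline: dict, scan: dict) -> list:
    """Compare the latest scan with the post-patch baseline and return one alert per deviation."""
    alerts = []
    for asset, expected in baseline.items():
        observed = scan.get(asset)
        if observed is None:
            # No data is not the same as "still patched": the asset stays unverified.
            alerts.append(Alert(asset, "not_verified", "no scan data; patch state unknown"))
            continue
        for path, digest in expected["files"].items():
            seen = observed["files"].get(path)
            if seen != digest:
                alerts.append(Alert(asset, "patch_regressed",
                                    f"{path}: expected {digest}, found {seen}"))
        # Behavior check: anything listening now that was not listening at baseline time.
        new_ports = observed["listening"] - expected["listening"]
        if new_ports:
            alerts.append(Alert(asset, "behavior_changed", f"new listeners: {sorted(new_ports)}"))
    return alerts


def verified_clean(baseline: dict, alerts: list) -> set:
    """Assets whose patch is confirmed in place and whose behavior matches the baseline."""
    flagged = {a.asset for a in alerts}
    return set(baseline) - flagged


if __name__ == "__main__":
    found = verify(BASELINE, SCAN)
    for a in found:
        print(f"[{a.kind}] {a.asset}: {a.detail}")
    print("verified clean:", sorted(verified_clean(BASELINE, found)))
```

Three outcomes are kept distinct on purpose: a digest mismatch means the patch is no longer in place, a new listener means the software’s behavior changed after patching and deserves a look, and a missing scan means the asset cannot be counted as patched at all. Only assets with no alert of any kind count toward the “verified” figure in an enterprise-level metric.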
Conclusion
The concept of “unpatchable” assets might seem like an overwhelming problem, but by understanding the issue and applying strategic solutions, organizations can not only survive but actually thrive. A solid ITAM program, built on a foundation of best practices, robust security configuration management, and actionable mitigation strategies, is crucial. The shift from a reactive to a proactive stance, focused on understanding and controlling all your assets in a zero-trust environment, isn’t optional anymore – it’s a necessity for survival.