
“Patchless Patching” for Zero Days: Qualys Advances Vulnerability Management


Patch management is a core capability for remediating vulnerabilities, but it may not always be the most viable or the only option. Addressing every vulnerability is challenging due to potential business disruptions from patching, the unavailability of patches for zero days and the limitations of traditional patch management tools that rely solely on agents.

Qualys, a provider of cloud-based IT, security and compliance solutions, is introducing something it's calling "patchless patching." The company will unveil this in its TruRisk Eliminate capability next week at Black Hat 2024 in Las Vegas.

TruRisk Eliminate provides additional remediation methods for when patching isn't feasible, using techniques such as targeted isolation, among others, to ensure protection.

“Some vulnerabilities do not have a patch at all and often application owners refuse to patch due to the fear of an outage,” Eran Livne, Qualys’ senior director of Product Management, told MSSP Alert. “To make things even harder for the security and IT teams, when a zero day is released it often takes time until a patch is available. TruRisk Eliminate provides non-patch alternatives to help customers mitigate their risk when a patch is not a viable option.”

A Solution MSSPs Can Use: Qualys

Will MSSPs embrace TruRisk Eliminate? Livne thinks so.

“This can help MSSP customers address risk in a much more efficient way,” Livne said. “MSSPs can help their customers find the best option for their needs, ensuring rapid risk reduction for zero days, non-patchable vulnerabilities and other critical vulnerabilities. As all suggested actions are researched and tested by the Qualys Research team, MSSPs can respond faster without the need to do the research and testing themselves.”

A Closer Look at Patchless Patching

What exactly is patchless patching and how did Qualys arrive at this solution? Livne explained that for many customers, MTTR (mean time to remediate) for critical vulnerabilities is too high, but it is not only because of customers struggling with patch management.

Livne noted that the Qualys Threat Research Unit constantly researches vulnerabilities and suggests and tests valid mitigation options, which are automatically available for Qualys customers to test and deploy with a click of a button.

Qualys' Threat Research Unit has identified five million instances of Cybersecurity and Infrastructure Security Agency (CISA) Known At-risk assets that can't be patched. Thus, security and IT teams need effective mechanisms to mitigate the risks of unpatched vulnerabilities while maintaining business operations.

"Five years ago, Qualys disrupted the vulnerability management space with integrated patch management to help organizations streamline and accelerate threat remediation,” said Sumedh Thakar, president and CEO of Qualys, said in a statement. “Now, we're taking the next step with TruRisk Eliminate, offering businesses innovative ways to mitigate risk even when patching isn't an option."

A Patch/No-Patch Solution for "Nearly 100%" of CISA KEVs

TruRisk Eliminate enables security teams to proactively mitigate nearly 100% of CISA Known Exploited Vulnerabilities (KEV) and ransomware vulnerabilities, both with and without patching, Qualys said. This approach balances business continuity with risk reduction by mitigating and isolating the risk without patching or rebooting.

Qualys offers a pair of solutions as part of TruRisk Eliminate:

  • TruRisk Mitigate deploys advanced risk mitigation controls based on the recommendations of vendors, CISA and the Qualys Threat Research Unit. It empowers businesses to swiftly implement configuration changes via advanced scripting for Linux and Windows, ensuring robust protection even when patches are unavailable, Qualys said.
  • TruRisk Isolate empowers teams to proactively quarantine risky assets to prevent security incidents from spreading within the network. It helps security and IT teams manage risk proactively instead of relying on the reactionary endpoint detection and response (EDR) approach of quarantining assets post-incidents.

An Example of How Patchless Patching Works

Livne provided MSSP Alert with a concrete example of patchless patching using a sample vulnerability of “CVE-2024-1086: Linux Kernel Use-After-Free Vulnerability (Flipping Pages).”

CVE-2024-1086 has been detected more than 1.5 million times, and only 20% of those detected instances are remediated in customer environments, according to Livne. For those that remediated the vulnerability, it took organizations an average of 28 days. Livne says that's far too long.

TruRisk Eliminate lets organizations address this vulnerability more efficiently. When an organization detects CVE-2024-1086 on their Linux-based desktops or a few production servers, Qualys TruRisk Eliminate maps this CVE to several alternative actions to help customers address it, Livne said.

One action, says Livne, is to deploy the relevant patch. Another action is to apply a configuration update to block user namespace creation, among other configuration changes that, based on insight from the Qualys Threat Research Unit, will mitigate the vulnerability until a patch can be deployed.

The final alternative is to isolate the entire device from the network, ensuring the vulnerability cannot be exploited.
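
As an added illustration (not Qualys code and not from the article), the shell functions below audit whether a Linux host already blocks unprivileged user namespace creation, the kind of configuration change described above. The sysctl names `user.max_user_namespaces` and `kernel.unprivileged_userns_clone` are assumptions about what such a mitigation would set; the article does not name them.

```shell
#!/bin/sh
# Added example: audit the user-namespace mitigation state of a Linux host.
# Pass a directory as $1 to read a copy of /proc/sys instead of the live one.
# The two sysctl names are assumptions; the article does not name any.

# Print one of: blocked:<sysctl> | open | unknown
userns_status() {
    root="${1:-/proc/sys}"
    max="$root/user/max_user_namespaces"
    clone="$root/kernel/unprivileged_userns_clone"
    if [ ! -r "$max" ] && [ ! -r "$clone" ]; then
        echo "unknown"      # neither knob exposed (not Linux, or an old kernel)
    elif [ -r "$max" ] && [ "$(cat "$max")" = "0" ]; then
        echo "blocked:user.max_user_namespaces"
    elif [ -r "$clone" ] && [ "$(cat "$clone")" = "0" ]; then
        echo "blocked:kernel.unprivileged_userns_clone"
    else
        echo "open"
    fi
}

# Print the sysctl.d line that would block unprivileged creation on this host.
# Prefers the Debian/Ubuntu knob, which leaves root able to create namespaces;
# user.max_user_namespaces=0 disables them for every user, root included.
userns_dropin() {
    root="${1:-/proc/sys}"
    if [ -e "$root/kernel/unprivileged_userns_clone" ]; then
        echo "kernel.unprivileged_userns_clone = 0"
    elif [ -e "$root/user/max_user_namespaces" ]; then
        echo "user.max_user_namespaces = 0"
    fi
}

# Report the live host. Applying the line is left to the operator, e.g. by
# writing it to a file under /etc/sysctl.d/ and running `sysctl --system`.
echo "status: $(userns_status)"
echo "suggested: $(userns_dropin)"
```

Blocking user namespaces can break rootless containers and application sandboxes that depend on them, so the suggested line should be tested on a representative host before it is rolled out to production servers.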

“Deploying the patch is considered less risky on Linux desktops,” Livne said. “Therefore, the organization may choose to use the Qualys agent to test and deploy the patch to their desktops. However, applying the specific patch to production servers may be too risky at present. Instead, the organization may leverage the Qualys agent to apply the suggested mitigation, as the application owners consider the operational risk of blocking user namespace creation very low.”

Livne explained that minimal manual work is required by the remediation teams for both actions, as all actions are pre-packaged and ready to be deployed by the Qualys agent. And once the customer utilizes Qualys to take these actions, the results will be automatically reflected in the VM reports, with the relevant QIDs marked as closed for all desktops and as mitigated for the production servers. 

Jim Masters

Jim Masters is Managing Editor of MSSP Alert, and holds a B.A. degree in Journalism from Northern Illinois University. His career has spanned governmental and investigative reporting for daily newspapers in the Northwest Indiana Region and 16 years in a global internal communications role for a Fortune 500 professional services company. Additionally, he is co-owner of the Lake County Corn Dogs minor league baseball franchise, located in Crown Point, Indiana. In his spare time, he enjoys writing and recording his own music, oil painting, biking, volleyball, golf and cheering on the Corn Dogs.
