How Our Policyholders Avoid Vulnerability Patching Paralysis

Without the budget for an in-house psychic (we hear they don’t come cheap), organizations can’t confidently predict a cybercriminal’s next move. And while no one at Corvus claims to see the future, we have the second-best option: a team dedicated to closely monitoring the threat landscape so that our policyholders don’t need to shoulder the weight alone.

Vulnerabilities — security flaws or weaknesses found in software (you probably remember Microsoft Exchange, ProxyShell, Log4j, and countless others) — are a threat actor’s golden ticket to access your systems. That’s why we regularly notify our policyholders of critical threats that occur in the wild to help reduce cyber risk. We sent 31 alerts in 2022 alone. 

Sometimes, we even beat the U.S. Cybersecurity and Infrastructure Agency to it. 

Policyholders who receive our threat alerts patch their systems three times faster than organizations who don't receive a notification.

How do we decide when, and who, to alert?

1. We spy a new vulnerability in the wild

New threats surface every day, although they aren’t all created equal. Infrequently, a vulnerability like MOVEit or Log4j surprises the industry with its widespread reach, encompassed by fanfare and media coverage. But in our experience, the discovery (and associated risk) is usually a lot more understated; vendors release updates in response to software vulnerabilities, CISA catalogs known exploits, and IT teams employ their best vulnerability and patch management practices to avoid becoming a cybercriminal’s next easy target. 

With this constant influx of new security flaws, patching is often about cybersecurity monitoring and prioritization. If we send an alert to a policyholder’s inbox for every discovered weakness, we’d be destined for the spam folder before long (and rightly so). To avoid being the cyber insurer that cried wolf, we have a set of criteria to determine when and who to alert. First, we have to establish the when: is this vulnerability likely to lead to serious damages or widespread harm? 

In the last year, 82% of the vulnerabilities we highlighted later resulted in exploitation by threat actors. Without supernatural abilities, how are we able to predict the outcome? We watch for vulnerabilities that have a low barrier to entry for exploitation and those that allow attackers to run commands on your machine, such as remote code execution.

On May 31st, Progress publicly disclosed a zero-day critical vulnerability in their MOVEit file transfer software. It permitted potential unauthorized access to an organization's environment, something security experts at Corvus immediately recognized as critical and time-sensitive. So, before the victim count ticked into the dozens — and later the hundreds — we quickly evaluated which policyholders were most at risk. 

2. We (quickly) alert all potentially impacted policyholders

Once we establish that a vulnerability warrants an alert, we decide who needs to hear from us about the identified vulnerabilities. Using our Corvus Scan technology, we’re able to identify if an organization uses high-risk software, as well as search for new vulnerabilities as they occur to help ensure proper cyber risk mitigation precautions are taken. Picture hitting CTRL F on a Word document and typing in the right snippet of code to locate vulnerable software. 

Back in October, when a popular VPN provider experienced a breach, we were able to notify impacted policyholders the same day the vendor made private notifications to customers. We also alerted them three days before the VPN provider publicly disclosed the security flaw, and six days before the exploit code was released. This is why on average, our alerts provide a 15.5 day headstart for policyholders to patch vulnerabilities before hackers start exploiting them. 

And speed is everything. The time-consuming aspect for cybercriminals is writing the code that allows them to exploit the vulnerability in the first place, which takes about two weeks, if not less. Once that’s accomplished, any threat actor capable of running a script can join in. As soon as the vulnerability is disclosed, the race to patch as many systems as possible begins before it’s widely exploitable.

As the MOVEit vulnerability developed, we notified impacted policyholders on June 1st, a day before the vulnerability was published in the National Vulnerability Database (NVD). As successive new (related) vulnerabilities occurred on June 15th and July 5th, we notified all potentially impacted policyholders the same day as public disclosure. 

3. We stay in touch

A “set it and forget it” mindset is antonymous to our entire approach to cybersecurity. When we send an alert to impacted policyholders, we strive for it to be more than just a FYI in their inbox. Instead, it’s a user-friendly guide on how to manage the situation with a concise background on the vulnerability and step-by-step instructions for remediation of the security incident. 

We view our relationship as a partnership in mitigating security threats, and for any good relationship to flourish, we need open and effective communication between both parties. Policyholders regularly reach out after the initial delivery of alerts, mainly to inform us that they have successfully taken the next steps and security measures to protect their organizations against potential security issues. 

If we don’t hear back, we like to follow up to ensure that they understand the risk, and that they have the right tools to address it. After our initial notification of the MOVEit vulnerability on June 1st, we followed up with at-risk organizations and their brokers on June 5th if we didn’t hear back. The extra ping serves as a prioritization tool: If you haven’t already addressed this risk, now is definitely the time. 

A partner in risk helps cut through the noise

Organizations of all sizes — whether a booming pharmaceutical company or a local dental office — benefit from having an expert in cyber risk as their partner. In the case of our threat alerts, there’s a clear advantage for SMBs that don’t have a dedicated budget for cybersecurity; patch maintenance may fall to the wayside without straightforward guidance or a dedicated IT team to help manage their attack surfaces. But the same can apply to businesses with thousands of employees.

Knowing when and what to patch isn’t an easy job, which is why a gentle, time-sensitive nudge (“we think this one is critical”) can go a long way in improving security posture and reducing an organization’s exposure to evolving threats.