
Patching Third-Party Software in Highly Regulated Industries


For managed service providers (MSPs), safeguarding client systems and data is not just a best practice — it’s a business imperative. One crucial aspect of defense strategy sometimes overlooked is third-party patch management.

This blog will explore why patching third-party applications matters, the risks involved, how MSPs can introduce proactive and robust cybersecurity strategies for their clients, and why this makes surprisingly good business sense. 

What is Third-Party Patching? 

Third-party patch management involves deploying updates to applications not developed by a device or operating system manufacturer. These applications may include productivity tools, communication software, specialized industry solutions, etc. The process addresses software bugs and security vulnerabilities, so it’s essential for maintaining the health and security of various software applications installed on client devices.  

Why Patching Third-Party Apps is Crucial 

  1. Targeted Vulnerabilities. Threat actors often exploit vulnerabilities in third-party applications. Shockingly, 75% of cyberattacks specifically target these apps. Failing to patch them leaves a gaping hole in your clients’ defenses. 
  2. Regulatory Compliance. Highly regulated industries, such as financial services, health care, and government, have strict compliance requirements. Regularly patching third-party apps ensures adherence to these standards.  

A cautionary tale: 

Earlier this year, a major US healthcare technology company fell victim to a ransomware attack by a suspected nation-state threat actor. The incident highlights the commercialization of ransomware services where “affiliates” use infrastructure belonging to ransomware gangs to carry out attacks in return for a cut of the profits. The unconfirmed cause of the attack is a suspected unpatched vulnerability in a third-party application used by the company. The ongoing crisis has had dramatic consequences for the company, and its failure to explain the cause of the attack has served to fuel speculation. 

Here’s how it happened: 

  1. Exploited Vulnerability. Cybercriminals leverage ALPHV (BlackCat) infrastructure using a suspected third-party application vulnerability to deny the company access to systems and demand a hefty ransom. 
  2. No honor among thieves. ALPHV swiped the entire Bitcoin ransom payment, falsely claiming law enforcement authorities stopped their activities, leaving their affiliate partner empty-handed.  
  3. Rebuilding from the ground up. With the unpaid affiliate declining to unlock critical data, recovery specialists start the costly process of rebuilding and restoring systems.  
  4. Legal Consequences. The organization is now subject to two separate government investigations, and the potential for a class action looms with over 100 million patients unable to get direct access to their prescription drugs. 

Mitigating Risks: Best Practices for MSPs 

  1. Automate patch management. Manual patching is error-prone and time-consuming. Invest in automated solutions that streamline the update process and focus on those that provide tested and secure patches, ensuring timely application. 
  2. Prioritize the critical. Use a risk-based approach to identify the most important applications to patch. Considerations should include whether the application processes sensitive data, if threat actors are already exploiting the vulnerability, and if exploitation could lead to further unauthorized access. 
  3. Vet and test patches. Not all third-party patches are equal. Some may introduce compatibility issues or new vulnerabilities. MSPs must carefully vet and test patches before deployment. 
  4. Educate clients. Raise awareness among your clients about the importance of third-party patching. Explain the risks and emphasize compliance requirements. 
  5. Keep up to date. Stay informed about emerging vulnerabilities. Regularly assess third-party applications for security updates. Syxsense, for example, shares a free monthly webinar on emerging third-party vulnerabilities. You can access previous recordings and sign up for future events here.
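Here is how the risk-based prioritization in step 2 can be turned into a repeatable ranking over a client's pending third-party patches. This is an added example, not code from Syxsense or MSSP Alert; the scoring weights, the `PendingPatch` fields, the tier thresholds and the inventory records (with `ADV-EXAMPLE-n` placeholder advisory ids) are all assumptions constructed for illustration.

```python
"""Rank pending third-party patches by the three considerations in the text:
is the vulnerability already being exploited, does the application handle
sensitive data, and could exploitation lead to further unauthorized access.

Added example; weights, fields, thresholds and sample data are assumptions.
"""
from dataclasses import dataclass

# Assumed weights: active exploitation outranks the other two factors, which
# is why it alone is enough to land a patch in the emergency tier below.
WEIGHTS = {
    "actively_exploited": 5,
    "handles_sensitive_data": 3,
    "enables_further_access": 3,
}


@dataclass(frozen=True)
class PendingPatch:
    app: str
    advisory: str               # placeholder id, not a real advisory
    handles_sensitive_data: bool
    actively_exploited: bool
    enables_further_access: bool
    hosts_affected: int          # how many client endpoints still need it


def risk_score(patch: PendingPatch) -> int:
    """Sum the weights of every risk factor that applies to the patch."""
    return sum(weight for attr, weight in WEIGHTS.items() if getattr(patch, attr))


def tier(patch: PendingPatch) -> str:
    """Map a patch to a deployment tier (assumed thresholds)."""
    if patch.actively_exploited:
        return "emergency"       # deploy out of band, after a quick test pass
    if risk_score(patch) >= 3:
        return "high"            # sensitive data or further access at stake
    return "standard"            # normal tested monthly cycle


def prioritize(patches):
    """Highest risk first; ties broken by how many hosts are exposed, then name."""
    return sorted(patches, key=lambda p: (-risk_score(p), -p.hosts_affected, p.app))


def deployment_plan(patches):
    """Group the prioritized patches into tiers, preserving the ranking within each."""
    plan = {"emergency": [], "high": [], "standard": []}
    for patch in prioritize(patches):
        plan[tier(patch)].append(patch.app)
    return plan


# Constructed inventory for a fictional healthcare client (not real data).
SAMPLE_INVENTORY = [
    PendingPatch("PDF reader", "ADV-EXAMPLE-1", True, True, False, 120),
    PendingPatch("Video conferencing client", "ADV-EXAMPLE-2", False, False, True, 300),
    PendingPatch("Practice management suite", "ADV-EXAMPLE-3", True, False, True, 40),
    PendingPatch("Font utility", "ADV-EXAMPLE-4", False, False, False, 500),
    PendingPatch("Remote support agent", "ADV-EXAMPLE-5", False, True, True, 15),
]

if __name__ == "__main__":
    for patch in prioritize(SAMPLE_INVENTORY):
        print(f"{risk_score(patch):2d}  {tier(patch):9s}  {patch.app} ({patch.hosts_affected} hosts)")
    print(deployment_plan(SAMPLE_INVENTORY))
```

Note that the font utility, despite being installed on the most hosts, ranks last: breadth of exposure only breaks ties between patches with the same risk score, so a widely installed but low-impact update never jumps ahead of an actively exploited one.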

An Attractive Managed Service 

Third-party patch management can provide lucrative opportunities if your business serves highly regulated industries. Updates can also introduce beneficial new features. So, providing timely, tested updates is a valuable service. By managing third-party patching for regulated customers, you are helping them protect sensitive data, maintain regulatory compliance, and fortify their cybersecurity posture. Ongoing fortification of regulations this year means proactive defense is non-negotiable. 

Remember, effective third-party patching isn’t just about preventing breaches; it’s about safeguarding your clients’ trust and ensuring their long-term success. Stay vigilant, stay informed, and keep those vulnerabilities at bay!

Blog courtesy of Syxsense. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program. Read more Syxsense news and guest blogs here.