As a security analyst, one of the most challenging aspects of my job is dealing with vulnerabilities that simply can’t be fixed. Despite my best efforts to remediate all issues to protect my organization, I often encounter roadblocks that prevent me from completely resolving certain vulnerabilities. In this post, I’ll share my experiences and techniques for managing vulnerabilities when traditional remediation isn’t feasible.
Why Some Vulnerabilities Can’t Be Patched?
Before diving into solutions, it’s important to understand why some vulnerabilities can’t be patched. There are a few common reasons:
- Legacy Systems: Many organizations rely on outdated systems and software that are no longer supported. Without vendor support, patches simply don’t exist to fix new vulnerabilities discovered in these platforms.
- Business-Critical Systems: Some systems are so critical that applying patches introduces too much risk of downtime and disruption. If a patch breaks key functionality, it can severely impact operations.
- Specialized Equipment: Devices such as medical equipment and industrial control systems run niche software that lacks security support from vendors. New vulnerabilities may emerge, but patches aren’t made available.
- Custom Software: Internally-developed, custom systems that an organization builds to support its unique needs often don’t receive the same level of patching and support as commercial software.
The common thread is that forces outside of the security team’s control prevent the true remediation of flaws in these systems. So what can be done instead to manage and mitigate the risks?
When I encounter unpatchable vulnerabilities, my first line of defense is layering on compensating controls. The goal is to reduce the overall risk of exploitation through other means, even if the root vulnerability remains unresolved.
Some of my favorite compensating controls include:
- Network Segmentation: Placing vulnerable systems in isolated network segments prevents exposure from external threats. I restrict traffic in and out to only essential communications.
- Access Controls: Limiting who and what can access a vulnerable system makes exploitation much harder. I apply the principle of least privilege across users, devices, and applications.
- Increased Monitoring: When patching isn’t possible, it’s critical to monitor systems for suspicious activity indicating exploitation attempts. Catching threats early allows for rapid response.
- Application Whitelisting: Locking down vulnerable systems to only allow trusted applications reduces the attack surface. Whitelisting stops malware and unauthorized software from running.
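The segmentation and monitoring controls above only hold if someone checks that the traffic actually reaching the isolated segment matches the policy. The following added example (not code from the original post) audits firewall flow logs for a legacy host against an allow-list of permitted peers and ports. The host addresses, the policy, and the log format are assumptions; the log lines are constructed for the example. Out-of-policy flows the firewall accepted are reported as policy gaps (rule drift), and out-of-policy flows it dropped are reported as blocked attempts worth a closer look.

```python
"""Audit constructed firewall flow logs against a segmentation policy for an
unpatchable legacy host. Added example; the addresses, policy and log format
are assumptions, not taken from the post."""
import ipaddress
from collections import Counter

# Assumed address of the legacy host sitting in its own isolated segment.
LEGACY_HOST = "10.50.0.10"

# Assumed segmentation policy: (direction relative to the legacy host, peer
# network, destination port, protocol). Anything else touching the host is
# outside policy.
ALLOWED_FLOWS = [
    ("in", "10.10.0.0/24", 3389, "tcp"),   # jump hosts -> legacy host, RDP
    ("in", "10.10.0.0/24", 22, "tcp"),     # jump hosts -> legacy host, SSH
    ("out", "10.20.0.5/32", 514, "udp"),   # legacy host -> SIEM collector, syslog
]

# Constructed flow log: "timestamp src dst proto dport action".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.10.0.7 10.50.0.10 tcp 3389 ACCEPT
2024-05-01T10:00:05Z 10.50.0.10 10.20.0.5 udp 514 ACCEPT
2024-05-01T10:01:12Z 10.30.0.44 10.50.0.10 tcp 445 ACCEPT
2024-05-01T10:02:30Z 10.30.0.44 10.50.0.10 tcp 135 DROP
2024-05-01T10:03:00Z 10.50.0.10 203.0.113.9 tcp 443 DROP
2024-05-01T10:04:00Z 10.10.0.7 10.60.0.2 tcp 80 ACCEPT
"""


def parse_flow(line):
    """Split one space-separated flow record into a dict."""
    ts, src, dst, proto, dport, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto.lower(),
            "dport": int(dport), "action": action.upper()}


def direction_and_peer(flow):
    """Return ('in'|'out', peer address) if the flow touches the legacy host, else (None, None)."""
    if flow["dst"] == LEGACY_HOST:
        return "in", flow["src"]
    if flow["src"] == LEGACY_HOST:
        return "out", flow["dst"]
    return None, None


def is_allowed(flow):
    """True if the flow matches one of the allowed (direction, peer, port, proto) entries."""
    direction, peer = direction_and_peer(flow)
    addr = ipaddress.ip_address(peer)
    for allowed_dir, net, port, proto in ALLOWED_FLOWS:
        if (direction == allowed_dir and addr in ipaddress.ip_network(net)
                and flow["dport"] == port and flow["proto"] == proto):
            return True
    return False


def audit(lines):
    """Return the out-of-policy flows touching the legacy host, tagged by kind.

    'policy-gap': the firewall accepted a flow the policy forbids (rule drift).
    'blocked-attempt': the firewall dropped it, but something still tried.
    """
    findings = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        if direction_and_peer(flow)[0] is None or is_allowed(flow):
            continue
        kind = "policy-gap" if flow["action"] == "ACCEPT" else "blocked-attempt"
        findings.append({**flow, "kind": kind})
    return findings


def offending_peers(findings):
    """Tally which peers generated out-of-policy flows, for triage."""
    return Counter(direction_and_peer(f)[1] for f in findings)


if __name__ == "__main__":
    results = audit(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f['ts']} {f['kind']:16} {f['src']} -> {f['dst']} {f['proto']}/{f['dport']}")
    print("peers:", dict(offending_peers(results)))
```

Running the block against the constructed log reports three findings: an accepted SMB connection from an unexpected subnet (a gap in the segmentation rules that should be closed), a dropped RPC attempt from the same peer, and a dropped outbound HTTPS connection from the legacy host to an external address, which is exactly the kind of activity the monitoring control is there to surface.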
The controls above don’t eliminate vulnerabilities, but they constrain the risk to levels I deem acceptable. They buy time and protection until the underlying flaws can hopefully be patched.
Decommission and Replace End-of-Life Systems
In cases involving highly vulnerable legacy platforms and software, compensating controls only go so far. If patching simply isn’t possible at all, the only true long-term solution is decommissioning and replacing outdated systems.
But ripping and replacing critical systems is often easier said than done. It requires proper planning, budgets, testing, and execution without disruption. For large enterprises, migrations like Windows 7 to Windows 10 can take years. Still, I always make this case to senior leadership when I encounter highly exposed legacy platforms:
- Lack of Vendor Patches: Without security patches from vendors, new vulnerabilities will continue emerging without fixes. Risk exposure steadily increases over time.
- Inability to Meet Compliance Standards: Regulations like HIPAA, PCI DSS, and more require keeping systems updated and secure. Using EOL systems means failing audits.
- Weak Compensating Controls: No amount of whitelisting, monitoring or access controls can fully protect highly vulnerable software forever. Controls eventually get bypassed.
- Increasing Maintenance Costs: There is rising cost and effort associated with manually monitoring and securing outdated platforms. Better to invest in modernization.
I frame decommissioning legacy systems prone to unpatchable flaws as a necessary, long-term investment to avoid security incidents down the road. The costs to secure outdated technology eventually outweigh the migration expenses. And by starting early, I can implement compensating controls to safely bridge old and new systems during the transition period.
Exceptions for Business Needs
Occasionally, my security recommendations to decommission legacy systems conflict with business objectives. Replacing some systems would badly disrupt operations or require budget my organization simply doesn’t have yet. In these cases, I work closely with business leaders on exceptions to keep systems online despite unpatched flaws.
The executives understand the security risks involved with exceptions. I provide complete transparency through regular reports and metrics on vulnerability status, risk levels, exploitation attempts and more. Together, we define sunsetting timelines to decommission legacy systems on a roadmap aligned with business needs.
Meanwhile, I implement virtual patching or micro patching and the compensating controls mentioned earlier to minimize risk. While not ideal, blending security best practices with business realities is necessary to move towards modernization at my organization’s pace.
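Virtual patching means enforcing, in front of the unpatched application, the input rules the application itself cannot be fixed to enforce. The following added example (not code from the original post) shows the idea as a WSGI middleware wrapped around a stand-in legacy web application. The legacy app, its `/export` endpoint, the `report` parameter and the validation rules are all assumptions made for the example; a real deployment would place the equivalent rule in the reverse proxy or WAF that fronts the legacy system and ship the block records to the SIEM.

```python
"""Virtual patch as a WSGI middleware in front of a legacy web application.
Added example; the legacy app, its endpoint and the rules are assumptions,
not from the post."""
import logging
import re
from urllib.parse import parse_qs

log = logging.getLogger("virtual-patch")

# Assumed rules for the hypothetical legacy endpoint: only GET, only the
# `report` parameter, and only values that are plain identifiers. A request
# that fails any rule never reaches the unpatched code path.
RULES = {
    "/export": {
        "methods": {"GET"},
        "params": {"report": re.compile(r"^[A-Za-z0-9_-]{1,32}$")},
    },
}

# In-memory record of blocked requests; these are the "exploitation attempt"
# metrics the post reports to leadership (constructed sink for the example).
BLOCKED = []


def check_request(path, method, query):
    """Return None if the request is within policy, else a reason string."""
    rule = RULES.get(path)
    if rule is None:
        return None  # endpoint not covered by a virtual patch
    if method not in rule["methods"]:
        return f"method {method} not allowed on {path}"
    params = parse_qs(query, keep_blank_values=True)
    for name, values in params.items():
        pattern = rule["params"].get(name)
        if pattern is None:
            return f"unexpected parameter {name!r}"
        for value in values:
            if not pattern.match(value):
                return f"parameter {name!r} failed validation"
    return None


def virtual_patch(app):
    """Wrap a WSGI app so out-of-policy requests are rejected before it runs."""
    def wrapped(environ, start_response):
        path = environ.get("PATH_INFO", "")
        method = environ.get("REQUEST_METHOD", "GET")
        reason = check_request(path, method, environ.get("QUERY_STRING", ""))
        if reason:
            BLOCKED.append({"remote": environ.get("REMOTE_ADDR"),
                            "path": path, "method": method, "reason": reason})
            log.warning("blocked %s %s from %s: %s",
                        method, path, environ.get("REMOTE_ADDR"), reason)
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"blocked by virtual patch\n"]
        return app(environ, start_response)
    return wrapped


def legacy_app(environ, start_response):
    """Stand-in for the unpatched application (constructed)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"legacy response\n"]


def call(app, path, method="GET", query="", remote="192.0.2.10"):
    """Invoke a WSGI app with a constructed environ; return (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    environ = {"PATH_INFO": path, "REQUEST_METHOD": method,
               "QUERY_STRING": query, "REMOTE_ADDR": remote}
    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    patched = virtual_patch(legacy_app)
    print(call(patched, "/export", query="report=q1_sales"))
    print(call(patched, "/export", query="report=reports/../other"))
    print(call(patched, "/export", method="POST", query="report=q1_sales"))
    print(call(patched, "/export", query="report=q1_sales&debug=1"))
    print(len(BLOCKED), "requests blocked")
```

The allow-list approach is deliberate: a virtual patch that only denies known-bad strings has to be updated every time a new variant appears, whereas one that permits only the shapes the legacy endpoint legitimately needs keeps working until the system is finally decommissioned.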
Managing vulnerabilities that evade remediation presents unique challenges for me as a security analyst. Through compensating controls, legacy system replacements, and transparent exceptions, I reduce risk levels for my organization to acceptable thresholds. What techniques have you leveraged to handle unpatchable vulnerabilities? I welcome any advice in the comments below!
We hope this post helped you learn how I manage vulnerabilities that can’t be remediated. Thanks for reading this post. Please share this post and help secure the digital world. Visit our website, thesecmaster.com, and our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram, and subscribe to receive updates like this.