Shweta Sharma
Senior Writer

Patch manager Action1 to add vulnerability discovery, prioritization

May 04, 2023
4 mins
Patch Management Software, Threat and Vulnerability Management

Upcoming features will add new vulnerability management capabilities to the Action1 patching engine for risk-based patch prioritization.


Cloud-native, patch-management application provider Action1 is set to add vulnerability discovery and prioritization capabilities to its namesake flagship platform to help businesses stay ahead of software exploits.

The plan is part of a company strategy to expand beyond its traditional patch management features and add capabilities aimed at enhancing an organization's resilience to cybersecurity threats.

"The new features will enable customers to see beyond what is patchable into what is actually vulnerable," said Mike Walters, vice president of vulnerability and threat research and co-founder of Action1. "With this new combined product offering, enterprises will be able to make better prioritization decisions."

The new features are targeted at companies that have a work-from-anywhere staff strategy.

"Every organization needs a way to update their employees' devices as one of the most effective -- yet so simple -- preventive security measures available," said Story Tweedie-Yates, head of product marketing at KSOC, a Kubernetes security company. "Time and again, security reports show that a large risk to the organization is unpatched software and the vulnerabilities that accompany it."

Vulnerability discovery and prioritization capabilities will be available -- in the third and fourth quarter, respectively -- with the customers' existing subscription and no extra charges.

Consolidating vulnerability and patch management

Action1 currently identifies only unpatched systems and lacks the ability to detect all common vulnerabilities and exposures (CVEs) in an organization's environment, including those without available patches.

"Currently, we only offer the remediation piece, without a link to the original vulnerability. Vulnerability discovery is the missing piece that will connect vulnerabilities on endpoints to available patches. With this new technology, the Action1 platform will be able to link the two together, so instead of just offering patches, it will tell you what systems are vulnerable with specific CVE IDs," Walters said.

The company will use the National Vulnerability Database (NVD), CISA's Known Exploited Vulnerabilities (KEV) catalog, and the CIS Benchmarks list for its vulnerability discovery capability.

Under its new strategy, Action1 is looking to combine the existing remediation offering with discovery and risk-based analysis of vulnerabilities in order to give companies contextual information that will help them consolidate and streamline resource allocation and prioritization.

"Users will see every vulnerability on their system, including both patchable and non-patchable vulnerabilities, along with attributes such as score, exploitability, attack vector, and other available attributes. This will ultimately enable security teams to make informed prioritization in patching or to find a compensating control instead of patching," Walters added.

Context is key in prioritizing patches

Industry experts agree that various factors are usually considered when assessing vulnerabilities and the risks associated with them. Erik Nost, an analyst with Forrester, thinks a contextual, risk-based approach combined with weighted counter controls helps better handle vulnerabilities within a given timeframe.

"Forrester recommends organizations consider business context, threat likelihood, and strength and effectiveness of compensating controls when assessing vulnerability risks," Nost said.

Yates agrees that managing risk absolutely requires the ability to prioritize security efforts, including patching, based on business context.

"In general, security practitioners are moving their true north from compliance to managing risk, and Action1's addition of vulnerability discovery, based on the differing business value of the asset, falls in line with this need," she added.

KSOC’s Yates noted that Action1's platform is currently available only for Windows OS devices. The company, however, says that it is working to expand coverage to Linux and macOS systems.

An Action1 customer since 2021, Chris Weis, senior systems engineer at Razzoo’s Cajun Café, initially became a user because the restaurant was "struggling with visibility and control of business endpoints (Data center, remote locations, and workstations) and keeping everything fully patched on a regular basis."

"Action1 has a powerful patching system that allows us to address security with consistent patching to all our systems from an easy-to-use friendly interface. The other functions of Action1 including remote support, reporting, and software deployment have made Action1 one of our most essential tools we use to keep our IT infrastructure running effectively," he added.

Although the new features have not been tested, Weis was upbeat about Action1's upcoming vulnerability detection and remediation features. "Indicators such as scoring, exploitability, and attack vectors will help identify possible vulnerabilities that are outside of what patching alone can resolve and allow