Twitter: @darrell_kesti
It’s a typical winter morning in Minneapolis, and I’m at my desk having my second cup of coffee. So, what’s on my mind? Being grateful that I didn’t have to shovel snow this morning? Nah. Patching? Yeah, that’s it, patching. Pretty exciting, don’t you think? To inspire me to put pen to paper, I Googled, “What is more boring than patching?” 12.5 million results came back, and the fifth one is a Bob Vila radio link on how to patch drywall, so at least I don’t have to deal with that. Moving on to the point of this blog entry: patching in IT is tedious, thankless and difficult. Worse still, the need never goes away. I have been running around with my team these last few weeks seeing customers and prospects, and patching is something we have been talking about a lot. So much so that I wanted to share a few ideas on the topic.
First, patching is becoming more critical and harder to do. Beyond the traditional Patch Tuesday from Microsoft and the latest Adobe vulnerabilities, our industry has been hit with a massive patching necessity due to Spectre and Meltdown. To add insult to injury, our VPNs and other common security tools are on the list of vulnerable systems. Even our Wi-Fi connectivity is vulnerable due to threats such as the Key Reinstallation Attack (KRACK). To further complicate matters, everybody is adding devices to their environments, and fewer and fewer of these devices are manageable by the IT teams that are working to patch and resolve their vulnerabilities. Just one example: it’s on me to update my Apple Watch, not corporate IT. The other alarming trend is how FAST attackers go on the offense and take advantage of the vulnerabilities that are out there. When the patches for the EternalBlue exploits (MS17-010) were released on March 14, 2017, it took less than 60 days (May 12, 2017) for malware leveraging those exploits to hit the world (WannaCry and, shortly after, Petya and NotPetya). There is a great article on the timeline here.
Second, not patching (or missing patches) can have a major impact on your business. The financial impact on organizations that were hit with the WannaCry, Petya and NotPetya malware was incredible. For example, look at Maersk in this Forbes article. NotPetya cost them over $200M. It affected 4,000 servers, 45,000 PCs and 2,500 applications. The CEO said, “We had to reinstall our entire infrastructure.” Check out this article for more detail.
I mentioned up front that patching has been a hot topic in meetings with customers lately. Everybody wants to know what we can do about the current state of patching and cybersecurity. I’ve spent my entire career in IT on defense, and this is what I know:
- You can’t secure what you can’t see. You also can’t patch what you don’t know about. Understanding the assets in your environment, across your campus sites, data centers, cloud and operational technology networks, is key. Malware doesn’t care if its target is an iPhone, an HVAC system or your PC. You need a view of all devices in these environments and, beyond visibility, you need context about the devices: what they run, who manages them and whether they can be patched at all.
- You need to be able to take action. Beyond visibility of the systems in your environment, you need to be able to act on what you see. We no longer have the luxury of weeks or months to comb the environment looking for a vulnerability, a piece of software or a specific device before deploying a patch. You need to know whether you are vulnerable, and you need to be able to take action quickly.
- There is no such thing as 100% patched, ever. You will never be fully patched, so you need to accept this and build in other controls. I see patching as a strategy now, and part of that strategy involves safeguards for when it goes wrong, in other words, when patches are missed or you have systems that cannot be patched. One key safeguard is to have the tools in your environment working together. A great example would be for a SIEM (Security Information and Event Management) system to contact your visibility solution and send a command to automatically update a device’s operating system, disable a USB device, or quarantine an endpoint. Beyond automated response, incident response teams also need to add vulnerability hunting to their tasks when things go wrong. You need to tie systems like your patch management, vulnerability scanning and firewall systems together. These tools all need to work together to close gaps, but also to identify the areas you cannot patch. For those unpatchable systems, I highly recommend network segmentation as a strategy to lessen the impact if one of them is compromised. Lastly, this needs to be continuous. Sorry, but the need to patch is not going away.
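The three points above (you can’t patch what you don’t know about, you need to act quickly, and you need to identify what cannot be patched so it can be segmented) come down to one reconciliation: what the network actually sees, joined against what patch management knows. The following is an added example, not code from the original post or from any product it describes. The inventory, the list of hosts seen on the network and the patch-window threshold are all constructed sample data; the only real identifier is MS17-010, the March 14, 2017 patch referenced above.

```python
"""Reconcile hosts seen on the network against the patch inventory.

Added example, not code from the original post. The asset inventory,
the network-scan host list and the 30-day patch window are constructed
assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Asset:
    host: str
    os: str
    managed: bool                       # can corporate IT push patches to it?
    patches: set = field(default_factory=set)


# Policy: patch ID -> (release date, OS name prefixes it applies to).
# MS17-010 (EternalBlue fix) is real; the OS mapping is a simplification.
REQUIRED = {
    "MS17-010": (date(2017, 3, 14), ("Windows",)),
}

# Assumed window: a missing patch older than this is "overdue". WannaCry
# arrived 59 days after MS17-010 shipped, so 30 days is already generous.
PATCH_WINDOW_DAYS = 30

# Constructed inventory: one patched server, one unpatched managed
# workstation, one unmanaged OT controller, one host no policy applies to.
SAMPLE_INVENTORY = [
    Asset("fs01", "Windows Server 2012 R2", True, {"MS17-010"}),
    Asset("ws-102", "Windows 7", True, set()),
    Asset("hvac-ctl", "Windows XP Embedded", False, set()),
    Asset("mac-ops", "macOS 10.13", True, set()),
]

# Constructed network view: everything in inventory plus one unknown IP.
SAMPLE_SEEN_ON_NETWORK = {"fs01", "ws-102", "hvac-ctl", "mac-ops", "192.168.10.77"}


def triage(inventory, seen_on_network, required, today):
    """Bucket every host the network sees against the required patches.

    Returns a dict with lists: patched, pending, overdue, unpatchable
    (unmanaged, so needs segmentation) and unknown (seen but not inventoried).
    """
    by_host = {a.host: a for a in inventory}
    buckets = {k: [] for k in ("patched", "pending", "overdue", "unpatchable", "unknown")}
    for host in sorted(seen_on_network):
        asset = by_host.get(host)
        if asset is None:
            buckets["unknown"].append(host)      # can't patch what you don't know about
            continue
        for patch_id, (released, os_prefixes) in required.items():
            if not asset.os.startswith(os_prefixes):
                continue                          # policy does not apply to this OS
            if patch_id in asset.patches:
                buckets["patched"].append((host, patch_id))
            elif not asset.managed:
                buckets["unpatchable"].append((host, patch_id))
            elif (today - released).days > PATCH_WINDOW_DAYS:
                buckets["overdue"].append((host, patch_id))
            else:
                buckets["pending"].append((host, patch_id))
    return buckets


def response_actions(buckets):
    """Map buckets to the responses the post recommends (constructed labels)."""
    actions = []
    for host in buckets["unknown"]:
        actions.append((host, "quarantine until identified and inventoried"))
    for host, patch_id in buckets["overdue"]:
        actions.append((host, f"push {patch_id} now; quarantine if it fails"))
    for host, patch_id in buckets["unpatchable"]:
        actions.append((host, f"segment: {patch_id} cannot be applied"))
    for host, patch_id in buckets["pending"]:
        actions.append((host, f"schedule {patch_id} within the window"))
    return actions


def run_sample(today):
    """Run the constructed inventory through triage for a given date."""
    return triage(SAMPLE_INVENTORY, SAMPLE_SEEN_ON_NETWORK, REQUIRED, today)


if __name__ == "__main__":
    # Run it as of WannaCry day: ws-102 is overdue, hvac-ctl needs segmentation,
    # and the unknown IP needs to be found before it can be patched at all.
    for host, action in response_actions(run_sample(date(2017, 5, 12))):
        print(f"{host:15} {action}")
```

The same script run on April 1, 2017 puts ws-102 in the pending bucket instead of overdue; the point of keeping the date as an input is that the answer to "are we vulnerable?" changes as the exploit window closes, so this check has to be continuous rather than a one-off audit. In a real deployment the inventory and the seen-on-network set would come from the visibility solution and vulnerability scanner, and the actions would be API calls into the SIEM or NAC rather than printed strings.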
Patching isn’t so boring after all, is it? While it may not be the most scintillating topic, it is something all security professionals must take an interest in, and must struggle to manage. At least we’re in it together.