[BreachExchange] 5 tips to help CIOs overcome patching problems
Destry Winant
destry at riskbasedsecurity.com
Wed Feb 27 08:31:34 EST 2019
https://betanews.com/2019/02/25/overcome-patching-problems/
With endpoint attacks on the rise, and the risk and cost of a data
breach steadily increasing, protecting enterprise networks has become
an urgent priority. And, it seems that no one is immune: in a recent
survey of global companies, 93 percent experienced a cyberattack in
the last year. For one-third of those companies, attacks were a weekly
occurrence.
While cybercriminals are certainly working overtime to find new
opportunities to wreak havoc, the truth is that CIOs and those in
charge of enterprise security bear some of the responsibility for the
increasing prevalence of attacks. Last year, nearly 60 percent of
successful breaches exploited known vulnerabilities, and of those
organizations that were victims of attack, nearly 40 percent admit
they were aware of that vulnerability prior to the event.
The harsh reality is that we should -- and we can -- be doing more to
protect the organization against known software vulnerabilities. With
the average time to patch now over 100 days, CIOs must make it a
priority to close that gap substantially. Of course, with limited
budget, an already maxed-out staff and what seems like an overwhelming
task, accelerating patching frequency can seem nearly impossible. But,
the good news is, there are several strategies that can be put in
place immediately that will save your team, and your company, a
tremendous amount of time and money.
1. Deploy real-time response. It’s important to acknowledge that even
the best patching protocol is never foolproof. Patching can only
resolve vulnerabilities that are known, and for which the software
manufacturer has actually issued a patch. Because bad guys are working
feverishly to find those vulnerabilities first, a real-time response
solution is an absolute must in order to detect and stop an attack
before it becomes a breach. And, the faster, the better: it took
NotPetya just seconds to completely cripple most of the companies it
infiltrated.
The problem with many "real-time" response solutions is they take
copious amounts of suspicious data transfers to trigger the system and
put a stop to the attack. By then, the damage may already be done.
Instead, the best defense is one that truly works in real time,
halting an attack with just a packet or two of data before shutting
down the malware.
2. Get Security and Operations working together. In many
organizations, IT Operations thinks endpoint protection is entirely an
IT Security problem. The reality is that keeping the organization’s
endpoints up to date takes coordination and collaboration between both
sides. Operations must do its part to deploy patches and updates and
apply appropriate security settings as required. Security must provide
the monitoring and analysis that keeps the organization working
proactively to stop potential and incoming threats. This team-oriented
approach is critical to providing complete, robust endpoint
protection, along with a fully-operational alarm and response system.
3. Identify the full scope of your assets. Once you get everyone on
the same page about the importance of cooperation, the first task
should be to identify what needs protected. There could be 30,000
discrete pieces of software running on machines across the network,
and most organizations have no idea about the vast majority. It gets
even more complicated with BYOD and remote workers connecting to
corporate networks over free Wi-Fi at a local coffee shop. You not
only have to worry about their machine, but also about the network
they’re using.
The only way to get a handle on the situation is to completely catalog
your software assets. Identify machines, operating systems,
productivity software, peripheral drivers, including manufacturer and
current versions. This will give you a "lay of the land" so you can
begin to maintain it.
4. Clear the path for patching. Some of the biggest obstacles to
patching are logistical: inadequate bandwidth to handle the quantity
of updates being sent over the network, machines not turned on or
connected to the corporate network when patches are deployed, or WMI
and SCCM may not be functional.
For patches to be deployed in a timely manner, you must remove as many
of these barriers as possible. First, eliminate network congestion
issues with a content distribution tool that can complement
Configuration Manager to ensure bandwidth is used intelligently.
Second, take steps to ensure visibility and access to all endpoints,
including the ability to turn them on and connect them to the VPN when
needed. Finally, as part of your visibility process, make sure WMI and
SCCM are functioning properly and remediate any issues in real-time,
so that patches can be installed efficiently once they reach the
machine.
5. Enlist end users to help. End users must be educated about the
importance of keeping their machines up-to-date and how this directly
impacts corporate-wide security. Too often, updates are viewed as a
nuisance to end users, who fear that the reboot necessary to apply the
patch will cause them to lose apps, data or time. Many have to be
strong-armed into a reboot after 30 days have passed.
Instead, put users in the drivers’ seat to schedule reboots at a time
that works for them. Provide self-service options that help them to
maintain their own systems, and of course, ensure complete backup
assurance so that they can feel confident that their documents and
data will be preserved, even if a patch goes wrong.
While it’s true that ensuring endpoint security across the
organization is the CIO’s responsibility, it also doesn’t happen in a
vacuum. Keeping endpoints patched, up-to-date and protected requires a
cooperative effort between operations, security and end users. But,
even with everyone on board, it’s still a race against time. As new
threats emerge daily, the average time between the announcement of a
vulnerability and its successful exploitation is now just eight days.
Supplementing these collaborative strategies with effective,
responsive, automated technology is the only practical way to keep
pace with the threat. Real-time response and automated patch
deployment can give any organization an upper hand in keeping
exploitation at bay.
b
More information about the BreachExchange
mailing list