The pain of patching -- how to achieve a strategic balance between security, compliance and business goals
Modern cyber attacks are targeted, stealthy and evasive. Cybercriminals commonly attempt to penetrate enterprise networks by exploiting vulnerabilities in applications, web browsers and operating systems. The best defense available to enterprises is to rapidly patch these vulnerabilities -- or is it?
Patching is costly and risky, and it can disrupt ongoing business activities. Clearly, this conundrum creates tension between IT teams, security departments and management. Can enterprises achieve a healthy balance without compromising their cyber security?
Software Vulnerabilities are here to Stay
As software becomes more advanced and complex, it is impossible for programmers to eliminate all potential weaknesses in their code. These flaws become a playground for hackers to exploit. In spite of programmers’ efforts and the use of vulnerability scanning tools, myriads of new vulnerabilities exist each year. Even worse, Zero Day attacks that utilize new, unknown vulnerabilities are constantly unveiled.
To exploit a vulnerability and have a greater chance of "success", cybercriminals need intimate familiarity with the application they want to exploit. These attackers will typically seek applications widely used by employees in the targeted organization. This explains why most advanced attacks utilize common applications such as Adobe Acrobat, Adobe Flash, Microsoft Office and various web browsers. Hackers find it easy to get their hands on these applications and chances are high the users they wish to target are using one or more of them.
The Pain of Patching
Traditional security tools, technologies and processes cannot prevent malware and Advanced Persistent Threats from exploiting unpatched security vulnerabilities. Software vendors, as they become aware of new vulnerabilities, work rapidly to remediate them. This results in a continuous stream of security patches sent to their customers.
Patching software in an organization is a complex task. It requires careful planning, execution and validation. In some cases, it involves halting and rebooting a machine, thus interfering with employees’ work or business processes that run on a server. Sometimes the patch itself causes a conflict with other applications running on the machine. For all of these reasons, patching requires a lot of attention and careful coordination between IT and security personnel.
In short, software vendors are constantly creating an immense number of new patches to cover their vulnerabilities. Furthermore, security and IT teams face an endless (and ever-increasing) burden of executing those patches. The result is patching happens intermittently -- if at all -- because IT and business operations cannot tolerate the potential operational impact security patching represents.
As one Chief Information Security Officer of a large financial institution summarized:
All companies have a massive debt snowball that continues to grow in terms of unpatched security vulnerabilities on IT assets. The result is IT and Business Operations continue to be negatively impacted by exploits of unpatched vulnerabilities that increasingly extend beyond operational uptime, performance and availability. It eventually results in brand damage, regulatory fines, penalties and legal actions that hurt the company on a larger and long-term scale. This erodes market and consumer confidence in the brand, its products and services. This also impacts revenue retention, revenue acquisition and general growth and stability of the company. Added to all this is the potential theft and loss of intellectual property and competitive advantage in the marketplace.
In Search of Security-Business Balance
A true security-business balance can only be reached with a solution that mitigates the risk of unpatched security vulnerabilities. With this type of solution deployed, companies will not have to rush into rapid deployment of patches and can plan cost-effective patch roll-outs with minimum business disruption.
Imagine a solution that prevents the damage of attacks, reduces the pressure for urgent patching, helps avoid the risk of the patching process causing unplanned IT or operational impacts, and mitigates the risks the unpatched vulnerabilities represent.
For such a solution to be effective it would need to have the following attributes:
- Prevent the attack in its very first steps of the penetration attempt before it exploits the vulnerability. This is not easy and has been an elusive goal.
- Be agnostic to the application vulnerability that is attempted to be exploited. This requirement is the most demanding if the system is to be effective against the multiple variations of known and unknown attacks.
- Avoid flooding the organization’s SIEM with false alarms. Eliminating or significantly reducing false positives dramatically increases the effectiveness of a security system and the layers around it.
- Provide security personnel with detailed, real-time information about the attack attempt and actionable recommendations to help mitigate the spread of the attack throughout the organization. This also helps the company prioritize the patch of the targeted vulnerability.
- Be simple to install and manage. There is often friction between security and IT teams. The request for a new security tool, especially endpoint software, usually places a heavy burden on IT managers and desktop engineers. Security tools are notorious for their operational cost and disruption to business continuity. The challenge is to provide a powerful prevention system that is also simple to deploy and manage.
- Enable an excellent user experience. At the end of the day people need to work and not be "locked down" when they need to have outside connectivity or interact with external parties (suppliers, customers, etc.). An ideal solution should be totally transparent to the user.
Achieving all of these attributes in one product is challenging, yet a new breed of security solutions take a fresh and different approach. CISOs and IT managers should carefully select such tools to effectively and efficiently protect enterprise assets while maintaining and patching systems in a strategic and unobtrusive way.
Ronen Yehoshua is the CEO of Morphisec, a company born in the depth of the Israeli cyber security labs with the goal of, for once, changing the Cyber Security balance in favor of the good guys, the defenders.