5 tips to help CIOs overcome patching problems
With endpoint attacks on the rise, and the risk and cost of a data breach steadily increasing, protecting enterprise networks has become an urgent priority. And, it seems that no one is immune: in a recent survey of global companies, 93 percent experienced a cyberattack in the last year. For one-third of those companies, attacks were a weekly occurrence.
While cybercriminals are certainly working overtime to find new opportunities to wreak havoc, the truth is that CIOs and those in charge of enterprise security bear some of the responsibility for the increasing prevalence of attacks. Last year, nearly 60 percent of successful breaches exploited known vulnerabilities, and of those organizations that were victims of attack, nearly 40 percent admit they were aware of that vulnerability prior to the event.
The harsh reality is that we should -- and we can -- be doing more to protect the organization against known software vulnerabilities. With the average time to patch now over 100 days, CIOs must make it a priority to close that gap substantially. Of course, with limited budget, an already maxed-out staff and what seems like an overwhelming task, accelerating patching frequency can seem nearly impossible. But, the good news is, there are several strategies that can be put in place immediately that will save your team, and your company, a tremendous amount of time and money.
1. Deploy real-time response. It’s important to acknowledge that even the best patching protocol is never foolproof. Patching can only resolve vulnerabilities that are known, and for which the software manufacturer has actually issued a patch. Because bad guys are working feverishly to find those vulnerabilities first, a real-time response solution is an absolute must in order to detect and stop an attack before it becomes a breach. And, the faster, the better: it took NotPetya just seconds to completely cripple most of the companies it infiltrated.
The problem with many "real-time" response solutions is they take copious amounts of suspicious data transfers to trigger the system and put a stop to the attack. By then, the damage may already be done. Instead, the best defense is one that truly works in real time, halting an attack with just a packet or two of data before shutting down the malware.
2. Get Security and Operations working together. In many organizations, IT Operations thinks endpoint protection is entirely an IT Security problem. The reality is that keeping the organization’s endpoints up to date takes coordination and collaboration between both sides. Operations must do its part to deploy patches and updates and apply appropriate security settings as required. Security must provide the monitoring and analysis that keeps the organization working proactively to stop potential and incoming threats. This team-oriented approach is critical to providing complete, robust endpoint protection, along with a fully-operational alarm and response system.
3. Identify the full scope of your assets. Once you get everyone on the same page about the importance of cooperation, the first task should be to identify what needs to be protected. There could be 30,000 discrete pieces of software running on machines across the network, and most organizations have no visibility into the vast majority of it. It gets even more complicated with BYOD and remote workers connecting to corporate networks over free Wi-Fi at a local coffee shop. You not only have to worry about their machine, but also about the network they’re using.
The only way to get a handle on the situation is to completely catalog your software assets. Identify machines, operating systems, productivity software and peripheral drivers, including the manufacturer and current version of each. This will give you a "lay of the land" so you can begin to maintain it.
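The catalog described above, as an added example that is not part of the original article: a PowerShell script that inventories the local machine's operating system, installed applications (with publisher and version) and signed drivers into one CSV. It reads the registry Uninstall keys instead of Win32_Product, which is slow and triggers MSI self-repair on every query; the output path is an assumption.

```powershell
# Added example: per-machine software inventory (OS, applications, drivers).
# Push it through your management tooling to build the fleet-wide catalog.
param(
    [string]$OutFile = "$env:TEMP\software-inventory.csv"   # assumed output location
)

$computer = $env:COMPUTERNAME
$rows = [System.Collections.Generic.List[object]]::new()

# 1. Operating system: caption and build version
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$rows.Add([pscustomobject]@{
    Computer = $computer; Type = 'OS'; Name = $os.Caption
    Publisher = 'Microsoft'; Version = $os.Version
})

# 2. Installed applications: both native and 32-bit-on-64-bit Uninstall hives
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object {
        $rows.Add([pscustomobject]@{
            Computer = $computer; Type = 'Application'; Name = $_.DisplayName
            Publisher = $_.Publisher; Version = $_.DisplayVersion
        })
    }

# 3. Peripheral drivers: manufacturer and driver version per device
Get-CimInstance -ClassName Win32_PnPSignedDriver |
    Where-Object { $_.DeviceName -and $_.DriverVersion } |
    ForEach-Object {
        $rows.Add([pscustomobject]@{
            Computer = $computer; Type = 'Driver'; Name = $_.DeviceName
            Publisher = $_.Manufacturer; Version = $_.DriverVersion
        })
    }

# Write the catalog; sort so repeated runs diff cleanly against the previous one
$rows | Sort-Object Type, Name, Version | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host ("{0}: {1} inventory rows written to {2}" -f $computer, $rows.Count, $OutFile)
```

Diffing successive CSVs per machine is the quickest way to spot software that appeared outside the sanctioned deployment process.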
4. Clear the path for patching. Some of the biggest obstacles to patching are logistical: inadequate bandwidth to handle the quantity of updates being sent over the network, machines not turned on or connected to the corporate network when patches are deployed, or Windows Management Instrumentation (WMI) and System Center Configuration Manager (SCCM) not functioning on the endpoint.
For patches to be deployed in a timely manner, you must remove as many of these barriers as possible. First, eliminate network congestion issues with a content distribution tool that can complement Configuration Manager to ensure bandwidth is used intelligently. Second, take steps to ensure visibility and access to all endpoints, including the ability to turn them on and connect them to the VPN when needed. Finally, as part of your visibility process, make sure WMI and SCCM are functioning properly and remediate any issues in real time, so that patches can be installed efficiently once they reach the machine.
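The WMI and SCCM check from the last step, as an added example rather than code from the article or from 1E: a PowerShell function that reports whether an endpoint is actually able to receive and apply a patch. The function name is an assumption; the WMI service, repository check, CcmExec service, pending-reboot registry keys and hotfix list are standard Windows artifacts.

```powershell
# Added example: pre-flight readiness check for patch deployment on one endpoint.
function Test-PatchReadiness {
    $result = [ordered]@{ Computer = $env:COMPUTERNAME }

    # 1. WMI service running and repository consistent? A broken WMI repository
    #    silently stops Configuration Manager client actions.
    $winmgmt = Get-Service -Name winmgmt -ErrorAction SilentlyContinue
    $result.WmiServiceStatus = if ($winmgmt) { $winmgmt.Status.ToString() } else { 'Missing' }
    try {
        $os = Get-CimInstance -ClassName Win32_OperatingSystem -ErrorAction Stop
        $result.WmiResponds = $true
        $result.LastBoot    = $os.LastBootUpTime
    } catch {
        $result.WmiResponds = $false
        $result.WmiError    = $_.Exception.Message
    }
    $verify = & winmgmt.exe /verifyrepository 2>&1
    $result.WmiRepoConsistent = [bool]($verify -match 'is consistent')

    # 2. Configuration Manager client (service name CcmExec) installed and running?
    $ccm = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
    $result.CcmExecStatus = if ($ccm) { $ccm.Status.ToString() } else { 'NotInstalled' }

    # 3. Reboot pending? A patch that is installed but not rebooted is not yet protecting anything.
    $rebootKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    $result.RebootPending = [bool]($rebootKeys | Where-Object { Test-Path $_ })

    # 4. Age of the most recent installed hotfix, to compare against your patch SLA
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending |
              Select-Object -First 1
    $result.LastHotfix         = $latest.HotFixID
    $result.DaysSinceLastPatch = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn).Days } else { $null }

    # 5. Single verdict: everything the patch pipeline depends on is in place
    $result.ReadyForPatching = $result.WmiResponds -and $result.WmiRepoConsistent -and
                               ($result.CcmExecStatus -eq 'Running')
    [pscustomobject]$result
}

Test-PatchReadiness | Format-List
```

Endpoints that report ReadyForPatching as false, or a DaysSinceLastPatch beyond your SLA, are the ones to remediate before the next deployment window rather than after it fails.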
5. Enlist end users to help. End users must be educated about the importance of keeping their machines up to date and how this directly impacts corporate-wide security. Too often, updates are viewed as a nuisance by end users, who fear that the reboot necessary to apply the patch will cause them to lose apps, data or time. Many have to be strong-armed into a reboot after 30 days have passed.
Instead, put users in the driver’s seat to schedule reboots at a time that works for them. Provide self-service options that help them to maintain their own systems, and of course, ensure complete backup assurance so that they can feel confident that their documents and data will be preserved, even if a patch goes wrong.
While it’s true that ensuring endpoint security across the organization is the CIO’s responsibility, it also doesn’t happen in a vacuum. Keeping endpoints patched, up to date and protected requires a cooperative effort between operations, security and end users. But, even with everyone on board, it’s still a race against time. As new threats emerge daily, the average time between the announcement of a vulnerability and its successful exploitation is now just eight days.
Supplementing these collaborative strategies with effective, responsive, automated technology is the only practical way to keep pace with the threat. Real-time response and automated patch deployment can give any organization an upper hand in keeping exploitation at bay.
Sumir Karayi founded 1E, an endpoint management and security company, in 1997 with the goal to drive down the cost of IT for organizations of all sizes. Under Sumir’s leadership, 1E has become a successful global organization with offices in New York, Ireland, Australia, and Delhi. 1E is also a trusted partner, with 26 million licenses deployed across more than 1,700 organizations in 42 countries worldwide. Sumir is a passionate believer in philanthropy, supporting the Manav Mandir Ashram Orphanage and the Innocent World Charitable Society in India. He’s also a founder member of the Alliance to Save Energy and supporter of the Climate Savers Computing Initiative. 1E in turn is an active, contributing member of the Green Grid as well as a member of the Green IT Council Advisory Board.