Improving remediation in practice -- five ways to get ahead on fixes
Remediating known security issues and software vulnerabilities is one of the fastest ways to improve security and prevent attacks. It is a standard process for security teams, and it should make the job easier for everyone involved. Yet many of the issues we see exploited are still long-known vulnerabilities: in Qualys' Top 20 Security Vulnerability Research this year, the five most commonly exploited issues include the Zerologon privilege escalation flaw in the Netlogon protocol (CVE-2020-1472), remote code execution (RCE) bugs in Microsoft Office and WordPad from 2017 (CVE-2017-0199) and even an RCE in Microsoft Windows Common Controls from 2012 (CVE-2012-0158). These issues are still present in production systems, and threat actors have targeted them this year.
So why are these old problems still present in production systems years after patches have been released, and why have they not been fixed? What is holding IT teams back around this backlog of vulnerabilities, and how can teams improve their processes to get ahead of these problems in future?
The answer is that the real world is more complicated than "apply the patch". Some of these old issues survive because the update breaks functionality the business depends on. Other patches need a downtime window to roll out, and the affected system is hard to take offline. Others are buried deep in a system where the team has to apply several patches, carry out extra remediation steps and reboot before the update can honestly be called complete.
Improving your processes around remediation
To get over these hurdles, there are multiple steps that you can take to improve your success rates around remediation, and stop problems cropping up again. Here are five steps that you can take:
1. Review your system images and templates
To make managing your IT systems easier, you will normally have a set of base images that you use as standard. These images make deploying new endpoints or cloud servers easy, and for applications that run in containers they are an essential part of the deployment pipeline. However, the images themselves have to be kept up to date, or every new deployment reintroduces old software vulnerabilities into an environment you thought was clean. Regularly checking your gold images and your container image library for known issues, and blocking an image from promotion while it carries a fixable high-severity finding, is a best practice to adopt, because it stops problems reaching production in the first place.
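As an added example (not code from the original article or from Qualys), the following Python script shows one way to put that check into a pipeline: it parses a scan report for a base image and decides whether the image may be promoted. The report embedded below is constructed for illustration; its layout (Results -> Vulnerabilities, VulnerabilityID/Severity/FixedVersion) mirrors the JSON shape produced by common image scanners such as trivy, but the field names are an assumption and the vulnerability IDs are placeholders, not real identifiers. The exception list with expiry dates is also an illustrative convention, not a feature of any particular product.

```python
import json
from datetime import date

# Constructed sample scan report for a gold container image (placeholder IDs, assumed field names).
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example.internal/base/app-runtime:1.4",
    "Results": [{
        "Target": "registry.example.internal/base/app-runtime:1.4 (debian 12)",
        "Vulnerabilities": [
            {"VulnerabilityID": "VULN-EXAMPLE-1", "PkgName": "libssl3",
             "InstalledVersion": "3.0.11-1", "FixedVersion": "3.0.13-1", "Severity": "HIGH"},
            {"VulnerabilityID": "VULN-EXAMPLE-2", "PkgName": "libc6",
             "InstalledVersion": "2.36-9", "FixedVersion": "", "Severity": "CRITICAL"},
            {"VulnerabilityID": "VULN-EXAMPLE-3", "PkgName": "zlib1g",
             "InstalledVersion": "1.2.13-1", "FixedVersion": "1.2.13-2", "Severity": "LOW"},
            {"VulnerabilityID": "VULN-EXAMPLE-4", "PkgName": "curl",
             "InstalledVersion": "7.88.1-10", "FixedVersion": "7.88.1-11", "Severity": "CRITICAL"},
        ],
    }],
})

# Severities that stop an image from being promoted when a fix exists.
BLOCKING = {"CRITICAL", "HIGH"}


def parse_findings(report_json):
    """Flatten a scanner report into one dict per finding."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            findings.append({
                "id": v["VulnerabilityID"],
                "pkg": v["PkgName"],
                "severity": v.get("Severity", "UNKNOWN").upper(),
                "fixed": v.get("FixedVersion") or "",
            })
    return findings


def gate(findings, today, exceptions=None, blocking=BLOCKING):
    """Decide whether an image may be promoted.

    Blocks on HIGH/CRITICAL findings that have a fix available, unless a dated
    exception still covers them. Findings with no fix are reported separately:
    they need a risk decision, not a permanent pipeline blocker that people learn
    to switch off. Expired exceptions are surfaced so they cannot linger silently.
    """
    exceptions = exceptions or {}
    block, needs_decision, expired = [], [], []
    for f in findings:
        if f["severity"] not in blocking:
            continue
        if not f["fixed"]:
            needs_decision.append(f["id"])
            continue
        until = exceptions.get(f["id"])
        if until is not None and until >= today:
            continue  # exception still valid, do not block on this one
        if until is not None:
            expired.append(f["id"])
        block.append(f["id"])
    return {
        "promote": not block,
        "block": block,
        "needs_decision": needs_decision,
        "expired_exceptions": expired,
    }


if __name__ == "__main__":
    decision = gate(parse_findings(SAMPLE_REPORT), date.today())
    print(json.dumps(decision, indent=2))
    raise SystemExit(0 if decision["promote"] else 1)
```

The distinction between fixable and unfixable findings matters in practice: a gate that blocks on every critical finding, including ones with no vendor fix, ends up disabled within weeks, while a gate that blocks only on fixable ones keeps the image pipeline honest and pushes the remainder into a visible risk-acceptance decision.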
2. Automate your patching processes for less critical or low risk applications
Your application estate will include a mix of software and services. Some of it is critical to how your organization operates; some is less important, or is software where patches are not expected to cause problems. For these low-risk applications, deploy updates as automatically as possible to reduce the burden on your team. Automating patch deployment for them will normally clear most third-party updates off the list and lets your team concentrate on testing patches for the critical applications. This frees up time and removes many of the updates that would otherwise be postponed again and again.
3. Check your accuracy on vulnerability counts
At one company, the list of vulnerabilities never seemed to shrink, no matter how hard the team worked or how many updates were deployed. This came to a head because it was affecting the team's morale and performance. The security leadership team reviewed the situation to get to the bottom of the problem, and what they found was surprising: rather than being behind, the team was doing an excellent job. The vulnerability list itself was inaccurate.
There are several common causes. You may have non-persistent virtual desktops that revert to a base image every time a user starts a session, so any patch applied to a running session is lost and the same findings reappear on every scan; the fix belongs in the image, and the findings should be counted once against the image rather than once per desktop. You may also have assets that have been decommissioned and are no longer running in production but are still counted in the vulnerability total, or hosts that have not been scanned for weeks and are carrying stale results. Whatever the reason, finding it and correcting for it keeps your vulnerability count realistic and makes the team's real performance visible.
4. Review what is causing the problem
Your software vulnerability count depends on what software you have deployed in the first place. So, alongside checking which vulnerabilities you have, check whether the affected software is still needed on those devices or whether you can simply remove it.
As an example, one company had out-of-date browser versions deployed across its estate. However, these browsers were installed on servers that did not need a browser at all. Uninstalling them cut the number of installations to patch and removed the need to manage that software on that batch of assets in future, shrinking the problem overall. Similarly, another organization found multiple versions of Java installed on its endpoints; removing the older, unnecessary versions halved the organization's overall risk score.
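The two checks above, correcting the vulnerability count (step 3) and asking whether the vulnerable software should be there at all (step 4), both start from the same two inputs: a scanner export and an asset inventory. The following Python script is an added example, not code from the original article or a Qualys product, that reconciles a constructed scanner export against a constructed inventory and then flags findings on software the asset's role does not need. Hostnames, dates, finding IDs ("Q-1" and so on), the role-to-expected-software table and the 30-day staleness threshold are all illustrative assumptions.

```python
from collections import Counter
from datetime import date

# Constructed asset inventory (the sort of export a CMDB or asset-management tool gives you).
# `image` is set for non-persistent VDI sessions that revert to that gold image on every start.
ASSETS = {
    "web01":   {"status": "active",         "last_seen": date(2024, 5, 30), "role": "server", "image": None},
    "web02":   {"status": "decommissioned", "last_seen": date(2024, 1, 12), "role": "server", "image": None},
    "db01":    {"status": "active",         "last_seen": date(2024, 3, 1),  "role": "server", "image": None},
    "vdi-017": {"status": "active",         "last_seen": date(2024, 5, 31), "role": "vdi",    "image": "vdi-gold-2024q1"},
    "vdi-042": {"status": "active",         "last_seen": date(2024, 5, 31), "role": "vdi",    "image": "vdi-gold-2024q1"},
    "lt-0099": {"status": "active",         "last_seen": date(2024, 5, 29), "role": "laptop", "image": None},
}

# Constructed scanner export: one row per (host, finding). Finding IDs are placeholders.
FINDINGS = [
    {"host": "web01",   "vuln": "Q-1", "product": "Chrome",  "severity": 4},
    {"host": "web01",   "vuln": "Q-2", "product": "OpenSSL", "severity": 5},
    {"host": "web02",   "vuln": "Q-2", "product": "OpenSSL", "severity": 5},  # decommissioned host
    {"host": "db01",    "vuln": "Q-3", "product": "Java 8",  "severity": 4},  # not scanned for ~90 days
    {"host": "vdi-017", "vuln": "Q-4", "product": "Java 8",  "severity": 4},
    {"host": "vdi-042", "vuln": "Q-4", "product": "Java 8",  "severity": 4},  # same gold image as vdi-017
    {"host": "vdi-042", "vuln": "Q-5", "product": "Java 17", "severity": 3},
    {"host": "ghost-7", "vuln": "Q-1", "product": "Chrome",  "severity": 4},  # unknown to the inventory
    {"host": "lt-0099", "vuln": "Q-1", "product": "Chrome",  "severity": 4},
]

# Software each role is expected to carry (assumed policy). Anything else is a removal candidate.
EXPECTED = {
    "server": {"OpenSSL", "Java 17"},
    "vdi":    {"Chrome", "Java 17"},
    "laptop": {"Chrome", "Java 17"},
}


def reconcile(findings, assets, today, stale_days=30):
    """Return (kept_findings, dropped_counter) after removing findings that inflate the count.

    Drops hosts missing from the inventory, decommissioned hosts and hosts whose last scan
    is older than `stale_days`; collapses non-persistent VDI findings onto their gold image
    so each image-level vulnerability is counted once instead of once per session.
    """
    kept, dropped, seen = [], Counter(), set()
    for f in findings:
        asset = assets.get(f["host"])
        if asset is None:
            dropped["not in inventory"] += 1
            continue
        if asset["status"] != "active":
            dropped["decommissioned"] += 1
            continue
        if (today - asset["last_seen"]).days > stale_days:
            dropped["stale scan"] += 1
            continue
        target = asset["image"] or f["host"]
        key = (target, f["vuln"])
        if key in seen:
            dropped["duplicate of image"] += 1
            continue
        seen.add(key)
        kept.append({**f, "target": target, "role": asset["role"]})
    return kept, dropped


def removable(kept, expected):
    """Findings on software the asset's role does not need: uninstall rather than patch."""
    return [f for f in kept if f["product"] not in expected.get(f["role"], set())]


def summary(findings, assets, expected, today):
    kept, dropped = reconcile(findings, assets, today)
    rem = removable(kept, expected)
    return {
        "raw_count": len(findings),
        "reconciled_count": len(kept),
        "dropped": dict(dropped),
        "removable_count": len(rem),
        "removable_targets": sorted({(f["target"], f["product"]) for f in rem}),
        "by_product": dict(Counter(f["product"] for f in kept)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summary(FINDINGS, ASSETS, EXPECTED, date(2024, 6, 1)), indent=2, default=str))
```

Run against the constructed data, nine raw findings reconcile to five, and two of those five are on software that should be uninstalled rather than patched (a browser on a server, an old Java on the VDI image). The dropped counter is worth reporting alongside the headline number: it is the evidence that the team is ahead of the list rather than behind it.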
5. Ensure that updates get completed
Completing a patch deployment is sometimes more than rolling out an update. To finish the job, you may need to reboot the system, and until that reboot happens the vulnerable code is still what is running, however many patched files are on disk. This is a problem when the application is critical to the business or has to run around the clock; when the system is responsible for business profitability, it can be hard to get that downtime signed off.
To help here, provide the threat context for the application and the update. Justifying a change to the most profitable part of the business on the grounds of a patch alone is hard; framing it in terms of the risk and the potential impact of the exploited vulnerability can change the business's appetite for fixing the issue rather than carrying on with an insecure system.
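A "patched but not rebooted" host looks fixed in the deployment tool and still shows as vulnerable to a scanner that checks what is actually loaded, so it is worth auditing for this state explicitly. The following Python script is an added example, not code from the original article or from Qualys, that reports whether a host has a reboot outstanding. On Debian/Ubuntu it reads the reboot-required marker files that the package manager writes; on Windows it checks the three well-known registry indicators (the Component Based Servicing RebootPending key, the Windows Update RebootRequired key and the Session Manager PendingFileRenameOperations value). The `root` parameter and the injected registry probes exist so the logic can be exercised off-box; the RHEL-family equivalent (`needs-restarting -r` from yum-utils/dnf-utils) is not covered here.

```python
import platform
import sys
from pathlib import Path

# Debian/Ubuntu marker files written by the package manager when a reboot is needed
# (relative to the filesystem root so the check can be pointed at a test directory).
LINUX_MARKERS = ["run/reboot-required", "var/run/reboot-required"]

# Windows registry indicators under HKEY_LOCAL_MACHINE: (key path, value name or None).
# A key entry means "reboot pending if the key exists"; a value entry means "if the value exists".
WINDOWS_INDICATORS = [
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending", None),
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired", None),
    (r"SYSTEM\CurrentControlSet\Control\Session Manager", "PendingFileRenameOperations"),
]


def linux_pending_reboot(root="/"):
    """Return (pending, packages) from the Debian/Ubuntu marker files under `root`."""
    root = Path(root)
    for marker in LINUX_MARKERS:
        path = root / marker
        if path.exists():
            pkgs_file = path.with_name(path.name + ".pkgs")  # reboot-required.pkgs lists the packages
            packages = pkgs_file.read_text().split() if pkgs_file.exists() else []
            return True, packages
    return False, []


def windows_pending_reboot(key_exists, value_exists, indicators=WINDOWS_INDICATORS):
    """Return (pending, reasons) using injected probes so it can be tested without a registry."""
    reasons = []
    for key, value in indicators:
        if value is None and key_exists(key):
            reasons.append(key)
        elif value is not None and value_exists(key, value):
            reasons.append(key + "\\" + value)
    return bool(reasons), reasons


def _winreg_probes():
    """Real registry probes, only importable on Windows."""
    import winreg

    def key_exists(path):
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path))
            return True
        except OSError:
            return False

    def value_exists(path, name):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                winreg.QueryValueEx(key, name)
            return True
        except OSError:
            return False

    return key_exists, value_exists


def pending_reboot():
    """Platform dispatch for the host this runs on."""
    if platform.system() == "Windows":
        return windows_pending_reboot(*_winreg_probes())
    return linux_pending_reboot()


if __name__ == "__main__":
    pending, detail = pending_reboot()
    print("reboot pending:", pending, detail)
    sys.exit(1 if pending else 0)  # non-zero lets an inventory job mark the host as "not complete"
```

Feeding the exit status back into the same inventory that counts patches as deployed turns the reboot from an invisible gap into a tracked item, which is also the number you take to the business when asking for the downtime window.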
By combining these steps, you can improve the overall effectiveness and efficiency of your patching and remediation efforts, and at the same time educate the business on how you reduce risk. With so many potential issues to keep track of, automation is what lets you get ahead of them rather than chase them.
Karl Alderton is a Technical Account Manager at Qualys -- he has a strong technical understanding and a proven track record of delivering cyber security solutions and services to Enterprise organizations in the private and public sector. He is highly experienced with helping organizations understand their risk and delivering solutions to reduce risk and align with industry frameworks such as ISO27001 and CE+.