Imago Techmedia Ltd is registered in England and Wales under Company No. 04865455. VAT No. GB 843 8456 01
Registered Office: Bedford House, Fulham Green, 69-79 Fulham High Street, London, SW6 3JW, United Kingdom
Business Address: Imago Techmedia, 2C Bedford House, Fulham Green, 69-79 Fulham High Street, London, SW6 3JW, United Kingdom
Imago Techmedia is a subsidiary of Clarion Events Limited
Patch Flash to Bang – The Need for a Speedy Patching Process
Wednesday 27 September 2017
When it comes to most things in modern life, we always want them faster. Next day deliveries, better broadband and instant streaming; we want it all, and we want it as soon as possible! Whilst these specific examples of everyday requirements aren’t exactly show stoppers for the most part, what about the “need for speed” in IT Security, specifically the response times between the identification of a vulnerability, and it’s sometimes long-winded required remediation?
There is no doubt that the worldwide media coverage of WannaCry has increased the amount of conversations I’ve been having lately about the importance of, and best practices for, patching vulnerabilities. It’s a horrid reality that it takes a compelling event such as this attack to highlight the necessity of an effective security process, but it at least allows IT departments to have a better business case to secure much needed budgets for appropriate patching tools.
When I talk about the patching best practices, generally the most basic advice is universal:
1. Understand where the vulnerabilities are in your endpoints
2. Deploy available patches to a test suite which is a clone of your live environment
3. Once tested internally, deploy to the live environment
Now there is of course a number of other considerations to factor in, such as actions where patches are not available for example, but as a general rule of thumb, the above 3 steps should always be carried out. The question that arises from this process, however, is in an age where critical vulnerabilities are identified much more often, and hackers react accordingly, should businesses be considering methodologies that supplement and strengthen this strategy?
I’ve compiled a number of points, with the focus on speed, which can complement your patching strategy and I believe can help when you evaluate the processes you have in place.
1. Staff & Tools – IT Managers need to look at patching tools as something that empowers their team, not replaces them. If you are able to take away the manual and laborious activities involved in repackaging and deploying patches, you’ll be able to resolve issues a lot quicker and also free up your team to work on areas outside of what should really be considered “Security 101”. A specific area to consider in this, is the provisions in place for patching 3rd Party Applications, such as Adobe and Java.
2. Vulnerability Management – How do you know there is a vulnerability on your system in the first place? This touches on the previous tool point, but fundamentally, if you only know there is a vulnerability when a patch is released, then it could already be too late. Understanding which Common Vulnerabilities and Exposures (CVEs) have been released and how they relate to your environment is incredibly important and allows IT Teams to take remedial action if no patch is available, such as roll back to an earlier version or uninstall the application completely.
3. Initial Reaction Time – The vast majority of those affected by WannaCry were only susceptible to the malware because they had failed to deploy a 2 month old critical patch. IT leaders should establish a determined reaction time based on criticality of the specific patches, or remedial actions required where no patch is available, and hold their teams accountable to this.
4. Testing Time – How long should you test new patches for? I’ve seen some teams who patch, check for any damage, approve and deploy to the live environment all within one day, whilst others will allow a few days and see if any issues arise due to everyday use. This is really a judgement call, but I would say that having internally recognised deadlines based on criticality is a very good idea. Again, never underestimate the importance of patching and hold your teams accountable for achieving this KPI.
5. Automation – Interesting one here. Automation helps to speed up so many areas in IT Management, whether deployment of applications and OS’s, or vulnerability scanning and enrolling new clients on the network. When it comes to patching, we have to look at individual circumstances. Automatic patching is 100% better than no patching and somewhat better than late patching, but if you are automating the deployment of patches to a live environment, you may be setting yourself up for more work in the long term. Testing the patch beforehand allows you to make an informed decision on what does and doesn’t cause issues. Good patching vendors should be pre-testing patches anyway to ensure there is no general issues, but they can never know how they may affect your unique individual setup.
6. Application Whitelisting – Less about speeding up and more about giving yourself some breathing space. Application whitelisting has come a long way over the past few years and the days of huge manpower requirements to maintain whitelists is for the most part a lot less of an issue. What the deployment of a dedicated Whitelisting solution can do, is allows you to lock down your live environment in a known good state and stop any executables outside of the whitelist from executing. Great Whitelisting solutions will also block issues at the Kernel level and stop execution via memory injection too. Locking down your environment allows you to properly test patches before deploying, without worrying about the time constraints.
Vulnerabilities will continue to be identified thick and fast and businesses will need to keep up. Whether Wannacry, Heartbleed or any other cyber headline of tomorrow, IT Managers, and of course business leaders, need to ensure their company is not the next in a long line of names added to the list of victims. Patch, patch fast and patch well, it should be the heart of your security process, and the speed at which you can ensure vulnerabilities are negated might be the factor which saves you.
Author: Sean Herbert, Country Manager UK, Baramundi Software
Baramundi are giving two seminars at IP EXPO Europe, click here for more details.