The first half of 2017 was rough for cyber security. Multiple waves of major cyber attack campaigns like WannaCry and Petya have left everyone paranoid and constantly looking over their shoulder for the next shoe to drop.
Even with this high level of paranoia, have companies started taking the necessary proactive steps for threat prevention? Are companies, especially ones in the cloud, learning from the mistakes of those affected and shoring up defenses? Are they applying the level of due diligence needed to keep their sensitive data secure?
Well, if they are, I haven’t seen it – not much of it at least.
The Petya ransomware is a perfect example. While it leveraged an additional attack vector – enhanced lateral movement not requiring an SMB exploit – it still heavily utilized EternalBlue, an exploit for a vulnerability that had been patched several months prior to the release of WannaCry. So, by the time Petya was released, organizations had more than ample time to patch systems against EternalBlue.
But, they didn’t and these vulnerable systems were compromised as a result.
The “Why” of “Why Should We?”
Why would a company willingly put their systems at risk?
Well, to get a better sense of why companies underperform in ensuring an effective security state, it’s important to understand where security falls on the priority list for your average non-cyber security organization. According to a Barclaycard survey of more than 250 companies, only one in five companies believe cyber security is a top business priority, yet half of these companies admitted to falling victim to a cyber attack within the last 12 months.
Those results point to a serious trend: organizations are aware of security’s importance, and that without it they’re putting their business in jeopardy, yet they still treat security as an efficiency blocker instead of an enabler.
And there’s one area where this deficiency is painfully obvious: patch management.
The Challenges of Patch Management
Without effective patch management processes, organizations are exposing themselves to unnecessary and, in the case of WannaCry and Petya, easily remedied vulnerabilities.
The reasons so many fall into this trap of deprioritizing patch management are simple:
- Lack of visibility: There are very few products in this space that provide an intuitive visualization of where your focus should lie.
- Prioritization confusion: There’s often a failure to prioritize according to a risk-based approach. It’s essential to patch the riskiest assets first and then evaluate the next step to getting to the rest.
- Unnecessary complexity: Everybody makes it more complex than it needs to be. Though patch management can be a nuisance, it’s possible to sidestep the annoyance.
Getting past these struggles is the first step toward reinstituting and essentially “rebooting” patch management.
“Rebooting” Patch Management
To enable efficient patch management, your business must provide proactive detection followed by a rapid and automated response. In a risk-based approach, scanning launches the risk-assessment process by identifying where the problem is. Scanners report a severity level on a spectrum of urgency, which lets us ask ourselves, “do we actually need to patch, or just be aware that something is there, and monitor it?”
For threats we’re unsure about, validation is key in eliminating false positives. Before executing a response, we want to avoid handing the operations team a risk that’s not actually there.
Your vulnerability lifecycle manager is responsible for producing meaningful metrics and delivering those to operational teams for corrective action.
The best metrics to help “reboot” your patch management process are those that:
- Tell a story (why, what and, most importantly, how).
- Are predictive and demonstrate forecasting.
- Proactively supply the SOC with intelligence of the current Security State.
After that, the response side is easy with these metrics: Develop, test and deploy your solution. Leverage DevOps processes through CI/CD builds everywhere you can to provide the best overall efficiencies.
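As an added example (not code from the original post), here is one way to turn the scan, validate, prioritize and report steps above into a small triage routine. The finding fields, risk weights, thresholds and SLA days are assumptions, and the scan results are constructed, not real scanner output.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    """One scanner finding, enriched with asset context from the inventory (assumed fields)."""
    finding_id: str
    asset: str
    severity: float          # scanner severity, CVSS-style 0-10
    asset_criticality: int   # 1 (low) to 5 (crown jewels)
    exploit_public: bool     # a working exploit is circulating in the wild
    validated: bool          # an analyst confirmed it is not a false positive

# Constructed sample findings; IDs and hosts are placeholders.
FINDINGS = [
    Finding("F-001", "file-server-01", 8.1, 5, True, True),   # SMBv1 RCE, EternalBlue-class
    Finding("F-002", "kiosk-07", 8.1, 1, True, True),         # same flaw, low-value asset
    Finding("F-003", "db-primary", 5.3, 5, False, True),      # moderate flaw, critical asset
    Finding("F-004", "build-agent-02", 9.8, 3, True, False),  # not yet validated
    Finding("F-005", "hr-laptop-14", 3.1, 2, False, True),
]

def risk_score(f):
    """Risk = severity weighted by asset criticality, boosted 1.5x when an exploit is public."""
    score = f.severity * f.asset_criticality
    return score * 1.5 if f.exploit_public else score

def sla_days(score):
    """Map a risk score onto the urgency spectrum: days allowed before the patch is due."""
    return 3 if score >= 50 else 14 if score >= 20 else None  # None = monitor only

def triage(findings, patch_threshold=20.0):
    """Riskiest validated findings first; unvalidated ones go back for validation, not to ops."""
    needs_validation = [f for f in findings if not f.validated]
    ranked = sorted((f for f in findings if f.validated), key=risk_score, reverse=True)
    patch = [f for f in ranked if risk_score(f) >= patch_threshold]
    monitor = [f for f in ranked if risk_score(f) < patch_threshold]
    return patch, monitor, needs_validation

def metrics(findings):
    """Metrics for the SOC: what to patch (with due dates), what to watch, what is unconfirmed."""
    patch, monitor, needs_validation = triage(findings)
    return {
        "patch_now": [(f.finding_id, f.asset, sla_days(risk_score(f))) for f in patch],
        "monitor": [f.finding_id for f in monitor],
        "awaiting_validation": [f.finding_id for f in needs_validation],
        "top_risk": risk_score(patch[0]) if patch else 0.0,
    }

if __name__ == "__main__":
    for key, value in metrics(FINDINGS).items():
        print(f"{key}: {value}")
```

Note that the two EternalBlue-class findings land in different queues purely because of asset criticality, which is the "riskiest assets first" point the post makes.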
Preparing for the Next Attack
There’s a very real threat of another game-changing attack, a reality exposed by the back-to-back releases of WannaCry and Petya. It’s only a matter of time for another to hit, and it’s up to you to protect yourself. Additionally, the cyber security community has a responsibility to protect each other. We can only get ahead of the threat and maintain proactive security postures by collaborating.
As the second half of 2017 makes its entrance, we should all be asking ourselves: what’s next for our company from a cyber security perspective?