The European Aviation Safety Agency (EASA) issued a directive earlier this month warning of a hydraulic pump problem on the Airbus A350, a widely used passenger aircraft flown by major airlines around the world. Reportedly, if left unchecked, the problem could lead to overheating and, under certain conditions, even an engine explosion. The recommended fix? A software update.
This is an extreme, and somewhat dramatic, example of what patching can prevent.
The first half of 2017 saw two of the most widespread malware outbreaks to date, and both exploited a known vulnerability for which a patch was already available. In May, WannaCry disrupted operations across the globe, possibly costing multinationals billions in stalled operations and lost revenue. The worm spread through the SMBv1 flaws addressed by Microsoft's MS17-010 security bulletin of March 2017, using the leaked "EternalBlue" exploit; the fix had been out for two months before the outbreak. Petya (the June variant often called NotPetya) followed soon after, combining the same SMB exploits with credential theft and legitimate administration tools to compromise systems across the world, including some that had been patched.
Despite the availability of a patch that would have prevented infection, many companies and users were still running vulnerable systems two months after its release. That raises the question: can we close the gap between patch release and patch application?
Patching has always been a challenge for organizations: they know the benefit of patching quickly, yet they hesitate to deploy updates that might disrupt operations or destabilize critical systems. Without established procedures, patching is a real burden, and many businesses cannot afford the downtime, so they simply accept the risk. There are other reasons for holding off as well: resources may be limited, legacy systems may be overlooked during patch cycles, or, worse, some systems are so old that no patch exists for them.
Establishing a new norm
A 2015 survey found that some companies took over 100 days to apply patches, but things are starting to change in 2017. A recent Forbes and BMC survey found that companies are committing to better patching practices: "a majority of executives named investments in IT and patch-automation systems as the ones that delivered the best returns on their security investments in the past year," and 43% of the surveyed companies planned to make timely patching and remediation a higher priority in 2017.
If this commitment to timelier patching holds, it will help contain future outbreaks. Patching is not a new solution, but it should be an integral part of every enterprise's security regimen. Below we list some common issues that slow patching down, paired with what can be done to establish a new, more efficient norm:
Common issue: A rigorous change-management process requires extensive documentation and approval before any server update can be scheduled, so timeliness suffers.
The new norm: Virtual patching, that is, intrusion-prevention rules that block attempts to exploit a vulnerability at the network or host level until the vendor fix is applied, provides interim protection, and an audit tool that identifies which outstanding patches matter most helps get them into the scheduled patch cycle.
Common issue: Scheduled patching (usually a quarterly or semi-annual cycle) deploys to staging first and then to production; vendor recommendations and advisories usually decide which patches are included.
The new norm: That approach worked when attackers took months to weaponize a flaw, but known and recently disclosed (near-zero-day) vulnerabilities are now exploited within weeks; WannaCry hit two months after MS17-010 shipped. Organizations should also weigh the threat-intelligence capabilities of their deployed solutions so that actively exploited vulnerabilities can jump the queue rather than wait for the next cycle.
Common issue: Ad hoc, out-of-cycle patching is an ongoing burden for every organization. It covers not only the OS but every third-party application on each server, and a sizeable organization may run hundreds of servers, each with its own software mix.
The new norm: Technologies such as virtual patching and application control (allowing only approved executables to run) reduce the need for ad hoc patching.
Common issue: Traditionally, a network defense layer has been used to justify delaying patches on the servers themselves. Large organizations have taken an outside-in approach: perimeter defenses are assumed to shield the unpatched servers behind them, and fixing the servers and applications is treated as the last resort.
The new norm: The network defense layer is only one part of a comprehensive security strategy. It protects against external attacks and needs continuous manual policy changes and configuration, and it does nothing once an attacker or a worm is already inside, which is exactly how WannaCry and Petya spread laterally over SMB between unpatched hosts. Security has to be multilayered, combining patching itself with technologies like virtual patching and application control.
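As an added example (not code from the original article or from Trend Micro), here is a small patch-lag audit in Python of the kind the "audit tool" above refers to. Given a host inventory and the updates an advisory requires per platform, it reports which hosts are missing the fix and for how long they have been exposed, which patched hosts missed the SLA and by how many days, and which hosts cannot be patched at all and therefore need virtual patching or isolation. The inventory is constructed sample data; the KB numbers for MS17-010 are listed from memory of the bulletin and should be verified against Microsoft's bulletin before use.

```python
"""Patch-lag audit for a single security advisory.

Added example (not code from the original article): correlates a host
inventory with the updates an advisory says are required, so that missing,
late and unpatchable hosts can be fed into the scheduled patch cycle.
"""
from dataclasses import dataclass, field
from datetime import date
from statistics import median


@dataclass
class Advisory:
    bulletin_id: str
    released: date
    # OS family -> set of update identifiers, any one of which contains the fix
    fixes: dict


@dataclass
class Host:
    name: str
    os_family: str
    installed: dict = field(default_factory=dict)  # update id -> install date


# Sample advisory. KB numbers are the ones I recall from the MS17-010 bulletin
# (security-only update and monthly rollup per platform); verify against the
# bulletin before using this on real data.
MS17_010 = Advisory(
    bulletin_id="MS17-010",
    released=date(2017, 3, 14),
    fixes={
        "win7": {"KB4012212", "KB4012215"},
        "win2008r2": {"KB4012212", "KB4012215"},
        "win2012r2": {"KB4012213", "KB4012216"},
    },
)

# Constructed sample inventory, as of the day WannaCry broke out.
TODAY = date(2017, 5, 12)
HOSTS = [
    Host("web01", "win7", {"KB4012215": date(2017, 4, 11)}),     # within SLA
    Host("db01", "win2012r2", {"KB4012213": date(2017, 5, 2)}),  # patched late
    Host("file01", "win7"),                                      # never patched
    Host("legacy01", "win2000"),                                 # no fix exists
]


def patch_status(host: Host, adv: Advisory):
    """Return (status, lag_days) for one host.

    status is "patched", "missing" or "unpatchable"; lag_days is the number of
    days between the advisory's release and the earliest qualifying install
    (only for "patched"). A negative lag means the inventory is wrong: an
    update cannot have been installed before it was released.
    """
    applicable = adv.fixes.get(host.os_family)
    if not applicable:
        return "unpatchable", None
    installs = [when for kb, when in host.installed.items() if kb in applicable]
    if not installs:
        return "missing", None
    return "patched", (min(installs) - adv.released).days


def audit(hosts, adv, today, sla_days=30):
    """Bucket hosts by compliance with `adv` as of `today`.

    "late" hosts were patched after the SLA window; "missing" hosts carry their
    exposure so far in days, since that is the number the patch cycle must cut.
    """
    report = {"patched": [], "late": [], "missing": [], "unpatchable": []}
    for host in hosts:
        status, lag = patch_status(host, adv)
        if status == "patched":
            bucket = "late" if lag > sla_days else "patched"
            report[bucket].append((host.name, lag))
        elif status == "missing":
            report["missing"].append((host.name, (today - adv.released).days))
        else:
            report["unpatchable"].append((host.name, None))
    return report


def coverage(report):
    """Fraction of hosts with the fix installed (late or not) and the median
    lag among them. Unpatchable hosts count against coverage: they are still
    exposed and need a compensating control."""
    total = sum(len(entries) for entries in report.values())
    fixed = report["patched"] + report["late"]
    med = median(lag for _, lag in fixed) if fixed else None
    return (len(fixed) / total if total else 0.0), med


if __name__ == "__main__":
    rep = audit(HOSTS, MS17_010, TODAY)
    for bucket, entries in rep.items():
        for name, days in entries:
            print(f"{bucket:<12} {name:<10} {'' if days is None else f'{days} days'}")
    cov, med = coverage(rep)
    print(f"coverage {cov:.0%}, median lag {med} days")
```

The same function works for any advisory once its per-platform update identifiers are filled in; running it against the inventory every day, rather than once per cycle, turns "we patch quarterly" into a measured exposure window per host, and the "unpatchable" bucket is the list that virtual patching or network isolation must cover.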
Patching is absolutely necessary, regardless of an organization's size. While it might take time and resources, it becomes less of a strain on operations once proper procedures are established and effective solutions are in place. As several companies have noted, it is well worth the investment.
Patching is just the beginning of a well-rounded security strategy. Multilayered solutions such as Trend Micro™ Deep Discovery™ provide detection, in-depth analysis, and proactive response to today's stealthy malware and targeted attacks in real time. It offers a comprehensive defense against targeted attacks and advanced threats through specialized engines, custom sandboxing, and correlation across the entire attack lifecycle.