Collective defense in cybersecurity means information sharing to battle the bad guys as a group.

Collective Defense and Patch Management

What is Collective Defense?

In short, collective defense is a means by which a group of entities band together to protect themselves from a common enemy. Its most celebrated and consequential application is probably the North Atlantic Treaty Organization (NATO), founded in 1949 by the US and European countries to deter the expansion of the Soviet Union and its form of communism. Ken Blanchard wrote that “none of us is as smart as all of us”, and collective defense applies that sentiment to defense against a common enemy: all of us working together are safer than one of us working alone.

What is Collective Defense in Cybersecurity?

Collective defense in a nutshell: All of us working together are much stronger and safer than one of us working alone.

The cybersecurity world is an ideal place for the implementation of collective defense, as it’s one of the few examples of a truly collegial and cooperative community united against a common enemy. Indeed, in a very real sense, the CISOs of Coke and Pepsi – two companies otherwise locked in a decades-long existential battle – are on the same team, and it wouldn’t surprise me if they collaborate. Fierce market competitors don’t typically revel in their opponents’ cybersecurity failures; they assume they’re probably next.

To date, there are a number of ways the cybersecurity community practices collective defense, including:

  • Threat Intelligence Sharing. This is likely the best and most prevalent example of collective defense among enterprises. When a new threat is identified or an IOC (indicator of compromise, typically an IP address, domain name or file hash) is discovered, there are multiple avenues (sector ISACs, vendor feeds and open sharing platforms among them) for the entity uncovering it to share that information with the community at large, and most do so with alacrity.
  • Incident Response. When one enterprise is breached, others may share information regarding a similar experience to help expedite recovery.
  • Cybersecurity Standards. The development of standards and frameworks often involves the input of many organizations from different industries collaborating to protect the greater community.

But an emerging technology is adding a new dynamic to the concept of cybersecurity collective defense, and it’s injecting a jolt of out-of-the-box thinking into vulnerability remediation and patch management software, an area of cybersecurity largely bereft of innovation over the past several years.

Collective Defense and Patch Management

In the early days of systems administration, applying patches or upgrading software versions often resulted in disruption, and IT practitioners were therefore justifiably apprehensive about applying patches, whether they were security-related or not. Fast forward about 20 years, and times – and technology – have changed. Today, less than 2% of patches are rolled back (meaning the original software version – the one with the vulnerability – is re-installed to reverse a disruptive installation). Yet vulnerability remediation teams continue to be apprehensive about auto-patching, largely for two reasons, one rational, the other emotional:

  • Even if a practitioner accepts that there is a 98% chance an applied patch won’t cause a disruption, they still have no way to know which patches fall in the 2% and which are safe. In effect, they’re gambling, an approach to systems operations understandably rejected by vulnerability remediation professionals.
  • Old habits die hard, and bad memories linger. It may be a decade or two since the chance of a major disruption when applying a patch was tantamount to a coin flip, or worse, but those experiences spawned a highly conservative culture (rightly so) among practitioners, and it’s not easily changed. In short, it’s a very human challenge.

Effective patch management and vulnerability remediation are still among the first things security-conscious organizations should prioritize.

The only way to address these two realities is data. At present, the only way for a vulnerability remediation practitioner to gain insight into whether a given patch might be disruptive is to ask a colleague at another organization whether they have applied it, and benefit from their experience. Better still, ask two peers, or three, or ten; an obviously impractical way to gather patching experience data at any scale.

But now, that work has been done for them.

The trackd Platform and Patch Management

trackd is bringing precisely that patching experience data to the vulnerability remediation community, a novel approach to patch management designed to give practitioners the data, and therefore the confidence, to leverage auto-patching to meaningfully reduce their MTTR (Mean Time to Remediate), and therefore the cyber risk of their organization.

In short, when a patch is applied using the trackd platform, data is recorded that captures the experience the user had after applying it. Several data elements are collected, but the bottom line is whether or not the patch was disruptive. This data is then anonymized and shared with all other trackd platform users in real time. Over time, many other users on the platform will apply the same patch, generating 5, 10, or even 100 or more data points for it, and hopefully giving cautious remediation teams the confidence to make more aggressive patching decisions. As with any shared signal, its value depends on sample size and on how closely the reporting environments resemble your own: a handful of clean reports from dissimilar systems says far less than a hundred from peers running the same OS and software stack.
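As an added illustration of the aggregation described above and of the "which patches are in the 2%?" problem raised earlier (example code written for this page, not trackd's own implementation), the snippet below takes constructed, anonymized patch-outcome reports, counts reports and disruptions per patch, and turns them into an auto-patch decision. Instead of trusting the raw ratio, it uses the upper bound of a Wilson score interval, so that five clean reports are treated very differently from a hundred. The record schema, the patch identifiers (`patch-A` to `patch-C`) and the policy thresholds (at least 10 reports, 95% upper bound no higher than 5%) are assumptions for illustration.

```python
"""Aggregate anonymized patch-outcome reports into an auto-patch decision.

Added example, not trackd code. The record schema, the thresholds and the
patch identifiers are assumptions made for illustration.
"""
from collections import defaultdict
from math import sqrt

Z_95 = 1.96  # two-sided 95% normal quantile


def wilson_upper(disruptions, n, z=Z_95):
    """Upper bound of the Wilson score interval for the true disruption rate.

    Unlike the raw ratio disruptions/n, this bound stays honest when n is
    small: 0 disruptions in 5 reports still leaves a ~43% upper bound.
    """
    if n == 0:
        return 1.0
    p_hat = disruptions / n
    z2 = z * z
    denom = 1 + z2 / n
    centre = (p_hat + z2 / (2 * n)) / denom
    half = z * sqrt(p_hat * (1 - p_hat) / n + z2 / (4 * n * n)) / denom
    return min(1.0, centre + half)


def aggregate(reports):
    """Count reports and disruptions per patch.

    Each report is an anonymized dict: {"patch_id": str, "disruptive": bool}.
    There is deliberately no field identifying the reporting organization.
    """
    totals = defaultdict(lambda: {"reports": 0, "disruptions": 0})
    for r in reports:
        t = totals[r["patch_id"]]
        t["reports"] += 1
        t["disruptions"] += int(r["disruptive"])
    return dict(totals)


def recommend(stats, min_reports=10, max_upper=0.05):
    """Assumed policy: auto-patch only when enough peers have reported and
    the 95% upper bound on the disruption rate is at or below max_upper."""
    n, k = stats["reports"], stats["disruptions"]
    upper = wilson_upper(k, n)
    if n < min_reports:
        decision = "insufficient-data"
    elif upper <= max_upper:
        decision = "auto-patch"
    else:
        decision = "manual-review"
    return {"reports": n, "disruptions": k,
            "upper_bound": round(upper, 4), "decision": decision}


def synthetic_reports(patch_id, n, disruptive):
    """Constructed sample data: n reports for one patch, `disruptive` of them bad."""
    return [{"patch_id": patch_id, "disruptive": i < disruptive} for i in range(n)]


# Constructed sample input (hypothetical patch identifiers).
SAMPLE_REPORTS = (
    synthetic_reports("patch-A", 5, 0)      # few reports, all clean
    + synthetic_reports("patch-B", 100, 0)  # many reports, all clean
    + synthetic_reports("patch-C", 100, 2)  # many reports, observed rate 2%
)


def decide_all(reports, **policy):
    """Run the policy over every patch seen in the shared reports."""
    return {pid: recommend(stats, **policy)
            for pid, stats in aggregate(reports).items()}


if __name__ == "__main__":
    for pid, result in sorted(decide_all(SAMPLE_REPORTS).items()):
        print(pid, result)
```

Run it and `patch-A` comes back as insufficient-data despite zero failures (the 95% upper bound is still about 43%), `patch-B` clears the bar at about 3.7%, and `patch-C`, whose observed rate is exactly the 2% headline figure, lands in manual-review because its upper bound is about 7%. That is the practical point of pooled data: confidence comes from how many peers have reported, not from a clean first impression.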

Ultimately, the concept of collective defense in the cybersecurity community comes down to sharing information, and the mutual benefit derived from that knowledge. Threat data has formed the bulk of that shared information to this point, but trackd’s platform is now extending the concept to the admittedly unsexy, yet absolutely crucial, world of vulnerability remediation.