This article by trackd Founder Mike Starr first appeared in Enterprise Security Technology in May 2023.
For the fun of it, I prompted ChatGPT with variations of “what’s the best way to secure an organization from cyber attacks,” and one of the items on the list that was common among all responses: update or patch software systems regularly. Certainly, everything created by ChatGPT needs to be taken with a grain of salt, but it is notable that it agrees with – or perhaps generated its response at least partially on the basis of – advice given by some of the world’s foremost cyber security experts. Indeed, the National Security Agency (United States), MI5 (UK), and Unit 8200 (Israel), all advise patching as one of the best ways to secure an enterprise. As organizations known to be unafraid to conduct their own offensive cyber operations on occasion, I guess the old adage “it takes one to know one” applies here.
Fix the Windows First
Of course, you don’t need to be a Large Language AI model or cyber spy to conclude that diligent and regular vulnerability remediation is a foundational element of enterprise cyber defense. If you were to embark on a comprehensive security system design for your home, for example, you might consider alarms, video cameras, and even a guard dog, but you’d probably start by fixing the broken locks on your first floor windows. And that’s exactly the same thought process enterprises should adopt when defending themselves against an ever-expanding and sophisticated pool of attackers.
Start With the Obvious
Many organizations invest in an alphabet soup of security products – SEIM, EDR, MDR, XDR, PIM, PAM, PUM, Malware Detection, Data Back-Up, IDS, IPS, DLP, IAM, Encryption – trusting that aggressive technology expenditure will translate into effective defense. But the vast majority of commonly-deployed enterprise security products are reactionary in nature, designed to identify a breach or protect sensitive systems in the event of one. But, borrowing an adage from our friends in the medical profession, an ounce of prevention is worth a pound of cure in cyber security. With the possible exception of a properly configured and actively managed (both non-trivial to accomplish) firewall, the best and most obvious preventative method to defend the enterprise from cyber attack is robust vulnerability remediation.
Patchaphobia: Fear of Breaking Stuff
So, why do so many companies fail to accomplish this basic cyber security function while threat actors continue to exploit unpatched vulnerabilities to achieve the initial network access necessary to launch ransomware and other attacks? To those responsible for vulnerability remediation, this is effectively a rhetorical question.
Patching breaks s#$t. And when s#$t breaks, the cyber security team isn’t blamed. The team responsible for patching – often IT operations – gets the angry phone calls. The security team identifies the vulnerabilities, but, typically, they’re not responsible for applying the patches. This split responsibility, coupled with the risk of disruption, creates friction, delays the application of patches, and opens windows of opportunity for bad actors.
Another way to put this: patching in the context of ongoing network operations is easier said than done. To mitigate the risk of disrupting operations while patching, remediation teams often conduct testing, or apply the patch in development environments before deploying them.
Another means of managing patching risk is to apply the updates off-hours, on weekends or holidays, with people on-call or actively monitoring for system disruptions. These risk mitigation tactics are expensive, time-consuming, and stress already overworked IT professionals (the kind that are hard to recruit and retain).
And it all might be driven by fears of catastrophic disruption that, if not irrational, are at least inflated.
Today, less than 2% of patches are rolled back, or uninstalled, reverting the system back to the unpatched software version. So the vast majority of patches are safe to auto-update, requiring minimal resource investment. Clearly, the challenge is to have some idea where the 2% landmines are located, and, until recently, there have been few ways for remediation teams to gain insight into how safe a given patch may or may not be. This dearth of insight forces enterprises to trade the risk of operational disruption for the risk of a breach resulting from a vulnerable system…a high-tech Sophie’s choice. The risk of disruption is more immediately tangible, while the risk of a cyber breach is more theoretical. As the number of breaches in which the initial access vector is an unpatched vulnerability increases, we’re learning which choice many enterprises are making.