Don’t get stuck in the 'panic patching' flywheel – there is a better way!
It's an age-old cyber security mantra that all patches must be applied promptly in order to protect against newly discovered threats before attackers have time to exploit them.
Unfortunately, in the real world this is almost impossible. Fewer than half of all organisations can patch quickly enough to defend against zero-day attacks. A medium-to-large organisation will, on average, take about 102 days to apply a patch-
The Australian Cyber Security Centre recommends that commonly-targeted applications should be patched within one month of a patch becoming available and, for internet-facing services, within two weeks, or 48 hours if an exploit exists.
Contrast this with the average time it takes cyber criminals to exploit a vulnerability once it has been revealed by the announcement of a patch: 15 minutes! And in many cases, a vulnerability is known to cyber criminals long before any patch is issued.
A cautionary tale
The most notorious example demonstrating the consequences of failure to patch is the 2017 breach of the Equifax credit reporting agency, in which personally identifying data on hundreds of millions of people was stolen.
The initial breach of Equifax's defences was via a vulnerability in Apache Struts, a widely used open-source development framework for creating enterprise Java applications. The vulnerability was exploited on 10 March, just three days after the Apache Foundation had released a patch to counter it. According to one account of the attack, Equifax administrators had been told to apply the patch urgently, but the employee charged with the task had failed to do it.
This oversight was compounded by other failures of the Equifax patching regime. For example, their IT department had previously run a series of scans to identify unpatched systems, but none were flagged as being vulnerable.
Patching is an increasingly impossible task
Comprehensively applying a patch throughout a large organisation requires a great deal of work, but there are other, greater challenges. Legacy systems are difficult—and sometimes impossible—to patch. Patching such systems requires careful planning, including scheduling downtime.
All these factors mean that patching is a people and management challenge in addition to being a technical task. Without a well-managed security function that is integrated into an organisation's overall management structure, security personnel will struggle to rise to the challenge. This was part of the problem at Equifax.
While the scale of the breach put Equifax under enormous scrutiny and highlighted numerous security shortcomings, it is important to note that even without these, it might still have been breached: the breach occurred just three days after the patch was released.
And for many organisations, the number of applications that could need patching in the future is growing, along with the number of vulnerabilities. According to NIST, more than 25,000 verified vulnerabilities were detected in 2020. Bug bounty hub HackerOne reported a 20% increase in verified vulnerabilities in 2021 from 2020, 66,000+ in total.
As the volume and velocity of patches increase, competing priorities place the IT Operations, SOC and triage teams in constant high-pressure situations and directly impact the planned release schedule.
Patching is a never-ending catch-up game, a software version of whack-a-mole. By the time one set of vulnerabilities has been patched, more will have emerged.
Given the impossibility of providing rapid and comprehensive protection from new threats by patching, most organisations rely on trying to detect an attack as quickly as possible after it has started to execute. Essentially, they move into damage control – with robust resilience plans designed to enable the organisation to recover rapidly and minimise harm to their business and reputation.
The way forward
There is a better way: monitoring every workload to detect any variation from normal behaviour that could result from a successful attack and blocking that behaviour before any damage can be done. This is known as continuous server workload protection.
This technology requires no prior knowledge of vulnerabilities or specific attack techniques. It relies entirely on understanding each and every application so any variation in behaviour resulting from a successful attack can be detected and blocked before it can do any damage, whatever hackers were aiming to achieve.
The process is entirely automatic. It does not require policies to be written and applied. It does not require virus signatures to be frequently updated, or systems to be tuned or tweaked. And it all happens in milliseconds.
Continuous server workload protection offers dynamic, precise protection against the broadest attack vectors targeting server workloads. It secures software from the inside-out during runtime, precisely mapping what the application should be doing and stopping malicious code before it can run.
Continuous server workload protection is effective against zero-day attacks, ransomware, unknown attacks and legacy software that is no longer supported (and for which patches are not available).
By automating the process of threat detection and elimination, continuous server workload protection eases the burden on security staff, freeing them to focus on more strategic issues. Reduced stress levels and more fulfilling tasks can increase employee satisfaction and lower turnover rates.
However, the most compelling argument for continuous server workload protection is that it greatly reduces the likelihood of an attack being successful and all the consequences that can flow from that success: brand and reputation damage, downtime, lost productivity and ransom payouts.
The takeaway
All CISOs should be aware of this breakthrough technology, which plays a crucial role in overcoming the ever-present patching conundrum. Vulnerabilities are inevitable whenever software is released, but with continuous server workload protection organisations can effectively take the power back into their hands.