The fork in the patching road... What path are you on?
Unless you’ve been living under a rock, you’ve heard of the WannaCry (WannaCrypt, etc.) worm that made headlines around the world this weekend – and caused disappointment to a number of mothers who were missing their sons and daughters on Mother’s Day, as their offspring were ensuring their technical environments were patched and protected.
This is one of the few times in my (lengthy...) career that there was such a rapid explosion of malware (there have been a few other times, but I don’t want the young folks in info sec to have to run to Wikipedia to look up what the “I love you” virus was...). I also knew that there was going to be a fairly predictable fallout:
1. My LinkedIn feed would be filled with information security professionals/bloggers/pundits on a soap box preaching about patch management, and how long we are going to tolerate this injustice.
2. The sales hype cycle is going to kick into hyper drive, and I am going to have to ignore my desk phone more than I already do. Some sales teams just can’t help themselves but to strap on those skates and chase that ambulance.
So where are we on this as an industry? How do we continue operating daily when it’s become abundantly clear that there is a systemic problem worldwide – and in this case, one that could affect the health of millions of people (NHS UK I’m looking at you)?
There’s a fork in the road and your organization is likely travelling on one of the two.
The path of budgetary constraints
Budgets were cut, and everyone really liked Windows XP – why would you upgrade? By not upgrading past the end of life date in 2014 (Yes, 2014, that’s three years of security updates you don’t have) – you now likely are investing a lot more in repairing the mess that has landed at your feet.
If you are a senior leader tasked with cleaning up the mess on this path, you will need to spend an exorbitant amount of money to remediate – but also you need to create an Information Security and IT Compliance function that reports outside of the “Keeping the Lights On” IT function – and maybe more importantly – you need to allocate green dollars to that security and compliance function. If it’s not green dollars, you are only robbing Peter to pay Paul, and the problem shifts to wherever the money is cut from.
If you are an analyst/engineer at a company on this path that isn’t making big, immediate, impactful changes because of this incident, I don’t truly have much advice for you, other than to seek employment with companies or government agencies that use a modicum of judgement on where the money is spent. End of life is never acceptable for production. Ever.
The path of patch overload
In complex and highly transactional environments, it can be a challenge to bring change on a wide scale, rapidly (such as a lovely mother’s day weekend). Patches must be tested, vetted and certified in order to avoid bigger problems and outages by a rushed/botched job – not to mention the rescheduling of other (planned) operational jobs, feature releases and everything else that happens outside of core business hours. Yes, these activities are extremely disruptive, but arguably less so than trying to pay ransoms on thousands of business critical servers and end points (or restoring them from backups pre-infection).
The days of “Apply patches no matter what within 30 days” are behind us. It hasn’t ever worked properly, and clearly enterprises around the globe have suffered significant hits to their business as a result. So why are some organizations paying the price (literally) while others are seemingly unaffected, and operating at “business as usual” levels today? Prioritization, layering and people.
By prioritizing patch releases to your most critical (and most vulnerable) assets, you harden your outside, most exposed layer. This is some old school information security thinking, but as long as you harden your outside while also acknowledging your squishy inside, you can further enhance your information security program by layering in further security controls.
A solid end point protection suite, integrated into a malware sandbox with threat intelligence feeds – that’s a start! Add in a web application firewall solution that can virtually patch entire subnets, and that’s even better. IPS units in block mode, with updated signatures and SSL interception? It’s a beautiful thing. Vulnerability scan data fed into a risk based threat management process to target the highest risk areas? Now you’re cooking with gas.
These layers are going to help you in a time of crisis, but all of it will fall flat if the human element isn’t engaged and present. What the ambulance chasing product sales teams aren’t telling you in their emails and calls is that you need an Information Security team that works, collaborates and integrates with the infrastructure and operational support teams, and supports the organization as a trusted advisor.
If your information security team is handing over 1000-page vulnerability reports to operational teams and expecting them to action it, they are doing it wrong.
If your information security team is running unauthenticated scans against production systems because they cannot “get” administrative credentials from the operational teams, they aren’t trusted by those teams.
If your information security team cannot prioritize your patch cycle based on business requirements, they aren’t engaged with the application owners.
Unfortunately, this is not uncommon with a broken information security program, but if you don’t break the cycle now and fix it – the next WannaCry variant, or the next worm, or whatever other nastiness that comes down your Internet pipe may be the end of more than just your career, as we’ve witnessed with the NHS exposure – real lives can be affected by which path your organization chooses.
My message to the executives out there dealing with the aftermath of a wide scale infection is to prioritize Information Security and IT Compliance functions, remove them from operational budgets and allocate green dollars to fund a security program that aligns to business objectives and priorities; and ensure your teams are working together instead of operating in an adversarial/audit based environment where the dirty laundry is hidden from view.
Good luck out there!
Phil Umrysh
May 15, 2017
Senior Director of Customer Success