Patching - You are Wasting Your Time!
Stop the maniacal focus on patch and vulnerability management and you will have better Cybersecurity. Years ago, Dr. Peter Tippett (founder of Cybertrust) passionately preached these magic words to a very large organization I was working for at the time, and they ring ever more true today. Who is Dr. Tippett? You can look him up, but the Verizon Data Breach Investigations Report (DBIR) was his brainchild. Along with his most excellent team, he conceived of taking the evidence-based methodology of medicine and applying it to Cybersecurity. Back then, he was speaking on the precipice of the first DBIR release, and in it, amongst the many prescient insights, the evidence showed that patching critical systems more frequently did little to protect an organization. At that time, the majority of patch-related breaches involved unpatched, vulnerable, "less important" systems - ergo, the easy path for attackers. They knew you were good at patching production, but so much tasty low-hanging fruit, attached to the Internet, happily accepting inbound connections, all across your environment, was vulnerable and calling their attention as the better attack avenue.
Today, you can still see all the great work in the DBIR, and if there's only one security report to read every single year, that's it. Data-driven, big-league analytics, entertaining storylines, thousands of public, private and government contributors - and free. Massively useful! But Dr. Tippett's point then was that the focus was misdirected: the prevailing wisdom at the time for security professionals was to implement a 30-day patch cycle. In large environments, this naturally meant they never got all their systems patched, which meant they always had badly unpatched systems. We've gotten better at patching, but not great. We still build our security programs around chasing vulnerabilities and patches, as it's the easiest thing to get budget and attention for, and frankly, an easy way to show measurable improvement. And look, it's a good thing at face value. The larger question he posed still remains: how thorough is your patch and vulnerability management routine?
I challenge the reader with much different questions: how rigorous is your configuration management process? Do you define a Gold standard for builds, unique per business function, application, and system purpose (i.e. app server, DNS server, web server, workstations, etc.)? Do you review and look to implement any CIS hardening guidelines? Do you have a maniacal focus on configuration management? Today, right now, those are questions for a security professional, in concert with senior leadership, to take a time-out and collectively consider with serious intent.
Let's use the latest emergency patch alert from Microsoft about its Print Spooler being actively exploited to make the argument for this focus. By configuration management, we mean evaluating all services (apps) running on a specific device and stripping them down to the bare minimum needed to serve its purpose. If it's a web server, it doesn't need the print spooler running, nor a myriad of other services. "Disable all unnecessary services," period. Evaluate, test, and then establish Gold Images (especially for Cloud instances), or use the CIS Benchmarks matching the business purpose of the device. Build and enforce these baselines, then catch configuration drift. Instead of meeting to decide what to do about yet another emergency patch, use this latest example of needless patching and attack exposure as the final turning point to get better.
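As an added illustration of that last step (baseline, then catch drift), here is a small PowerShell audit script. It is not from the article or from any vendor tool; the role names and the per-role lists of services that must be disabled are constructed assumptions, and in practice the lists would come from your own Gold Image or the relevant CIS Benchmark. It compares the host's service state against the baseline for its role and reports any service that is running or still allowed to start; with -Enforce it also stops and disables those services.

```powershell
# Added example (not from the article): audit a Windows host against a per-role
# "gold" service baseline and report (or, with -Enforce, remediate) configuration drift.
# The role names and service lists below are constructed assumptions for illustration;
# a real baseline would be derived from your own gold image or a CIS Benchmark.
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [ValidateSet('WebServer', 'DnsServer', 'PrintServer')]
    [string]$Role,

    # Default is report-only; nothing is changed unless -Enforce is supplied.
    [switch]$Enforce
)

# Gold baseline: services that must be disabled for each business role.
# 'Spooler' is the Print Spooler service the article refers to; in this
# constructed baseline it is allowed to run only on the PrintServer role.
$Baseline = @{
    WebServer   = @('Spooler', 'RemoteRegistry', 'SSDPSRV', 'upnphost')
    DnsServer   = @('Spooler', 'RemoteRegistry', 'SSDPSRV', 'upnphost')
    PrintServer = @('RemoteRegistry', 'SSDPSRV', 'upnphost')
}

$drift = foreach ($name in $Baseline[$Role]) {
    # A baseline entry may not exist on every build; skip those quietly.
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { continue }

    # Drift means the service is running now, or is still permitted to start later.
    if ($svc.Status -eq 'Running' -or $svc.StartType -ne 'Disabled') {
        [pscustomobject]@{
            Service   = $name
            Status    = $svc.Status
            StartType = $svc.StartType
        }
    }
}

if (-not $drift) {
    Write-Output "No drift from the '$Role' baseline on ${env:COMPUTERNAME}."
    return
}

Write-Output "Drift from the '$Role' baseline on ${env:COMPUTERNAME}:"
$drift | Format-Table -AutoSize

if ($Enforce) {
    foreach ($d in $drift) {
        # Stop the service first, then make sure it cannot start again on its own.
        if ($d.Status -eq 'Running') {
            Stop-Service -Name $d.Service -Force -ErrorAction Stop
        }
        Set-Service -Name $d.Service -StartupType Disabled
        Write-Output "Remediated $($d.Service): stopped and set to Disabled."
    }
}
```

Run it from an elevated prompt as, for example, `.\Audit-ServiceBaseline.ps1 -Role WebServer` to report only, and add `-Enforce` to remediate. The report-only default matters: running the audit on a schedule across a fleet is what surfaces drift, and a web server where the Print Spooler shows up as running is exactly the case the emergency patch would otherwise have forced you to scramble over.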
This focus will pay large dividends, but indeed you'll have to invest the time to do it right. It's worth it! Aside from a reduced attack surface from the outset, this is a better focus area because your patch and vulnerability management process is now enabled to be much more efficient and precisely targeted. I'll go further and suggest it's fundamentally more important than patch and vulnerability management. Imagine if you had done this before the print spooler disclosure: life would look much different! You'd only have the print spooler running on print servers, or maybe workstations, and your 'emergency focus' would be so much narrower. Time is saved both in the patch review, test and deploy process and in the increased threat-monitoring vigilance, because that focus can now be targeted at the systems running the print spooler.
I'm certainly not advocating a no-patch strategy, but instead a better use of your time - yielding maximum effectiveness. I firmly believe that solid configuration management goes a long, long way in achieving these prime objectives - and allows you to focus on more important projects, ergo, the other layers of that security onion you're smartly building. This layered approach to a Cybersecurity program is the only way to achieve cyber resilience: it's a system, living with system dynamics. Good layers work to compound the effect of the others, just as in the case of patch, vulnerability, and configuration management.
Think radically differently. Employ a maniacal focus on the basics, get really good at those, and you'll reap the rewards of investing that time tenfold. Configuration management is the first layer of a solid patch and vulnerability management strategy, and starting there is the very best way to meet your real goals: a reduced attack surface, and a more efficient use of everyone's time and focus. "Make it so, #1!"
Early Stage - Life Sciences Focused on Improving Outcomes in Health Deserts
3 years: Hey Dom -- great posts, let's reconnect soon!
Channel Growth Leader
3 years: Well said Dominique Singer! Just shared with my team. Hope all is well with you sir.
Leader. I have the honor of leading the AVANT Resilience Practice including Engineers and Channel Vendor Managers.
3 years: Dominique Singer DAMN RIGHT! With great configuration management *comes* patch management!