Don’t get breached: 4 steps CIOs can take for better security hygiene
According to Ponemon, last year 57% of successful data breaches exploited vulnerabilities which were already known to the industry.
What’s wrong with this picture? What isn’t. If more organizations could improve their patching speed and accuracy, fewer CIOs would have to feel as if they were playing Russian Roulette with their organization’s data.
Many CIOs today are almost fatalistic about the inevitability of a serious breach. And who can blame them, with new vulnerabilities emerging all the time, hundreds of attacks launched daily, and the number of mobile devices, BYOD, remote workers, platforms and applications continuing to multiply by the day?
One recent, very high-profile example of a truly devastating attack was seen at Equifax, where 148 million people were compromised in the course of a breach that lasted for 76 days.
It must be especially galling for Equifax board members to reflect upon the simple and avoidable cause of the breach: an Apache software flaw – one that could have been patched at any point in the preceding eight weeks.
It’s time for CIOs to take control of their endpoint assets and really commit to keeping every system current. Here are the underlying strategic steps needed to make it happen.
“Successful endpoint attacks have jumped 10% over the last year in large part because organizations are painfully slow at patching and maintaining up-to-date systems.”
1. Ensure you have endpoint visibility
First and foremost, your organization needs to know what it’s protecting, and this must include hardware and software. The former is usually well accounted for, but the prevailing lack of visibility around software is shocking. We see many customers with 30,000 distinct software entries – and related executables numbering in the millions. Often this dizzying degree of sprawl has occurred over many years, exacerbated by mergers, acquisitions, and the ongoing process of business units installing their own software.
If you’re serious about protecting yourself, you must attain visibility of your estate. Once you have this, you can identify which of those machines are the most important, prioritizing those in production above those in testing or development, or applying risk ratings according to other factors such as internet accessibility.
In addition to knowing exactly what you need to protect, visibility also allows you to reduce the attack vectors, by retiring those unused or unnecessary pieces of software (which can also potentially save your organization money on software licensing). 1E finds and normalizes the millions of executables in your organization into manageable information. Once IT has visibility into the applications that have been deployed and how they’re being used, simple rules can be defined to remove waste or standardize around preferred applications and versions.
2. Harness the power of automation
From the Equifax breach, to the well-known victims of WannaCry, NotPetya and other high-profile attacks of recent years, virtually all of these disasters could have been averted with better, more complete patching.
Furthermore, organizations need to be updating both their software and operating systems with the same assiduous punctuality. Yet most organizations still haven’t completed their Windows 10 migration, which means they’re relying (at least in part) on decade-old OS software that’s fast approaching its end of support.
This is the CIO’s responsibility – and a potentially catastrophic one to overlook.
Without automation, CIOs often face the problem of having too many machines. They have too many hard-to-reach machines and not enough time (or bandwidth) to get to them. This is exacerbated by the growing number of remote workers on intermittent, changeable connections. On top of this, the success of a patch is often dependent on action at the endpoint – the machine being turned on, or rebooted post-patch by the end user.
Leveraging automation is the only practical, realistic answer. It frees up resources and handles much of the load for your team.
3. Secure Real-time Response
Keeping every OS and piece of software current and patched is half the fight. New threats emerge daily, and that “window of vulnerability” is shrinking: presently, the average period between the announcement of a vulnerability and its successful exploitation is only eight days.
As we’ve already seen, traditional patching tools simply can’t keep up. The hackers move faster, in what is effectively an arms race between attack and defense.
For validation, take a look at today’s speeds, with an industry average of 197 days needed to discover a breach – and 69 more days to contain it.
Even with additional patching automation, an extra dimension of response and anticipation is required. Engaging a Real-time Response solution to help detect and stop an attack before it becomes a breach is the only effective defense.
“Today, real-time information makes all the difference,” explains Signify CIO Kurt De Ruwe. “We had some virus attacks where we deployed a solution that prevented the exploit from being used and we did it across 22,000 devices around the world in two days. Without Tachyon by 1E, it would have taken weeks or months.”
4. Make sure your IT Security & IT operations teams are working hand-in-glove
While these steps are critical, the reality is they cannot be performed in a vacuum. In far too many organizations, there’s a huge disconnect between IT Security and IT Operations.
Sometimes this is a result of an official separation of duties, sometimes it’s the result of departmental silos.
Certainly, these differences are made worse by the main parties’ inherently differing outlooks and priorities, with IT Operations hardwired to prioritize the business agenda (let’s call that “keeping the lights on”, or, “facilitating digital transformation”), while IT Security concentrates solely on identifying and mitigating risk.
Operations can more proactively help the security agenda by cataloging assets and ensuring all machines are patched and current, as well as applying the proper security settings. In turn, security must provide the monitoring and analysis that keeps the organization on top of threats, both potential and incoming. They need to be working in unison: sharing tools, information, and most of all, a sense of mutual, interdependent responsibility. It’s primarily a cultural change, and one that can deliver huge security improvements particularly around patching efficiency.