As I sat down to share further impressions of Verizon’s DBIR, I couldn’t help but notice the Department of Homeland Security’s (DHS) warning about a six-year-old vulnerability in SAP software that is evidently being exploited enough in the wild to warrant the federal agency’s alarm. This episode becomes a timely lead-in to what I think is an often overlooked upshot of Verizon, and others’ breach research: While researchers rightfully bemoan the frequency and consistency of patching across industries and government, the security community spanning both realms has to accept that we will never come close to “patching our way out” of severe cyber risks. Instead, we need to place a bigger premium on understanding how an organization’s people, processes, and technology will prevent, detect and respond to the matrix of malicious attack behaviors before they take place.
Without this level of ongoing situational awareness, shortcuts and assumptions gain the rule of law and invariably lead IT systems into unnecessary danger. Instincts are poor risk instruments, you see this all the time in how we, as individuals, (mis-)perceive our own health and risk.
Healthy is hard and, like eight hours of sleep and a balanced diet, thorough patching is the cornerstone of vulnerability management programs that help keep IT systems healthy – it’s what everyone strives for. Unfortunately, it also is simply not in the cards for the nature of most organizations. Remember your frustration when an iTunes update cluttered your music interface or an OS update crushed your RAM? Magnify that frustration across 1,000 end-user experiences in any large enterprise when patches break business applications or necessitate downtime for transaction-supporting systems. So companies are going to defer or overlook patches – in the same spirit of people skipping the time and distractions of sleep, food or flu-shots – if the choice comes down to staying competitive and in business.
It is also worth noting that there are plenty of devices and apps organizations cannot patch these days – think of office visitors, supply chain partners, and other third-parties. Connected gear like video-conferencing systems and copiers also frequently lands outside of patching reach.
But it takes more than vitamins and caffeine to keep us going.
The greater problem is not necessarily that companies forget, or must abandon some patches altogether – it is that they cannot reliably keep score on particularly severe vulnerabilities they end up tolerating, like those in DHS’ SAP alert, which, can open an expressway for attackers into crown jewel data systems. Too often, the assumption with these lingering, tolerated vulnerabilities is that deploying more rigorous perimeter, network and endpoint security tools will keep these software holes out of reach. But how often is that really the case – and for which tools placed in front of which holes?
With no instrumentation – no continuous understanding of the effectiveness of one’s true security posture – gut instincts take over decision-making until a DHS alert or data breach spurs panic and sends administrators out to retrospectively comb infrastructures for a given hole in the news. Missing patches are counted and the routine repeats itself the next time an alert is issued.
This is all reminiscent of someone believing that skipping meals and sleep is OK, that it is “just the way things have to be,” with no helpful context – like whether it is cold and flu season or if you have a university exam or track meet the next day. Some days, trusting in vitamins and caffeine to make up for corners we cut just doesn’t make sense. It is too risky – akin to thinking another firewall or endpoint layer, by definition, will hold us over out of trouble, indefinitely.
In which type of case should we assert patching is most important? We all get reminders that some evenings it’s best to just skip Netflix and turn in early to fortify with honest rest.
Know – and trust – your limits.
Verizon’s DBIR tells the story: vulnerabilities that are left to persist and are not adequately mitigated by security tools, policies, and teams are attackers’ favored way in. Noted in a footnote echoing DHS’ SAP warning, Verizon’s charts illustrate that the greatest number of CVEs (vulnerabilities) exploited in 2015 were those disclosed in 2007 (p. 15). These data points drive home the argument that lacking an instrumented view of how well your deployed security investments cover un-patched software holes is a breach waiting to happen. “Perfect” patching, while a desirable goal, may not be practically attainable and therefore, having the ability to also manage (detect and respond) to these attacks becomes most important.
Regaining balance and control to avert potential disaster, you have to know where your preferred operational decisions – and occasionally necessary shortcuts – will burn you most. Incidentally, it does not help your organization if you tend to get this clarity from a post-breach clean-up, at which point the toll of angry customers, business interruptions, litigation or lost opportunities is setting in.
So how do you achieve continuous, instrumented security revealing the deltas between your security investments and vulnerabilities? Vulnerability scanners, penetration testing, and table-top simulations are all well-intentioned, but too often far short because they become one-time exercises that find a hole or two, and then go quiet. The manual complexity and cost of these traditional approaches simply do not fit enterprises whose IT assets and attack surfaces change by the minute.
The Verodin Platform is an ideal answer to this problem because while your security teams remain on the job, our technology gives them the ability to seamlessly and safely execute malicious behaviors of varying sophistication targeting old and new vulnerabilities within a production environment, to replace assumptions with real proof of your true security posture.
Is that SAP vulnerability a looming risk or hard to reach? Deferring a round of patches could save cost and downtime, certainly – but what does it introduce into the security equation? With Verodin, security teams, business leaders, and other risk stakeholders can collaboratively ask these questions and actually receive meaningful answers for better decision-making.
Meanwhile, you’re on your own as to whether protein bars and power naps are the best way to go.