In this article Richard Melick, Senior Tech Product Manager at Automox explains that as we head into 2020, here are three cyber hygiene basics IT organizations can adopt to proactively get a handle on the patching and configuration crisis the industry finds itself in.
What makes up a crisis? To boil it down simply, there has to be a serious problem that’s reaching a tipping point and getting worse and worse over time. Take the environmental crisis, formerly known as climate change. Folks knew it existed and was an issue, but when the ongoing events contributing to it became even more extreme, its name switched to reflect what’s really going on with our environment- a crisis â€“ thus also adopting a title that screams urgency, rather than a mild inconvenience.
In the security world, a parallel to this is the current state of patching and configuration management, which is getting increasingly worse over time. The number of enterprise endpoints is growing at unprecedented rates, with vulnerabilities also increasing non-linearly. When you couple new potential entry points for hackers to exploit with the fact that it takes 102 daysOpens a new window on average for vulnerability patches to be applied and tested, the attack surface is simply growing at a rate that should keep business leaders up at night.
The ineffectiveness is largely due to the fact that most organizations are still using legacy technologies that can’t deploy patches across enterprise ecosystems effectively and at scale, and security budget decision-makers continue to choose to allocate a hefty amount of resources to hire more people and new detection technologies. While both of these things are incredibly important, organizations have to realize that more effective and holistic patch management and vulnerability mitigation, both critical components of endpoint hardening, enables the business to significantly shrink the attack surface by limiting exploitable vulnerabilities.
Until decision-makers recognize that the current state of endpoint hardening simply isn’t cutting it, we’ll continue to read headlines in the news about devastating data breaches that could have been prevented if businesses were willing to rethink how they protect their environments from within.
As we head into 2020, here are three cyber hygiene basics IT organizations can adopt to proactively get a handle on the patching and configuration crisis.
1. Push the Patching Envelope
If you are sitting on the sidelines and letting your patching processes become outdated because you’re worried that quickly applying patches through automation is going to break something, you’re avoiding the problem.
The reality is, if you’re not patched within 24 hours for critical vulnerabilities with known exploitable code (zero-day, weaponized), it could be game over. If you don’t get closer to the edge, you’re not closing the gap to patching and are thus too exposed. Think about it â€“ would you sit around waiting to update your home security camera with your family’s safety on the line? Absolutely not.
IT managers should be pushing the patching envelope hard enough to the point where it could bring down a machine. If you don’t, you’re opening yourself up to someone who will â€“ and the consequences will be far worse than the minor inconvenience of a system being temporarily down.
2. Automate IT Operations
Many organizations still have IT operations that do not fit modern-day needs or processes â€“ for example, the decision to not migrate to the cloud despite an increasingly remote workforce. Additionally, we have a small number of people expected to be experts on so many different tools in the stack, but it’s unrealistic to expect them to be able to keep up.
Instead of being apprehensive to these changes, it’s time to embrace the benefits they offer. By automating and enforcing essential endpoint actions, applying critical patches, software updates and security configurations, organizations and their staff can better anticipate and respond to threats while maximizing the advantages that modern technology provides. These actions, if applied early, set an organization up for scalable success for future changes.
3. Shift to Results-Focused Metrics
We’re all familiar with security metrics like mean time to detection (MTTD), a well-established metric for how fast an organization can determine whether an incursion or breach is active in their environment. While MTTD certainly has its purpose, best in class security programs assume a state of continuous compromise, so why aren’t we focusing instead on a metric like mean time to harden (MTTH)?
Since research shows that it only takes seven days for adversaries to weaponize a vulnerability, organizations effectively have 72 hours to harden systems before they should expect to see new exploit techniques surface. When zero-days occur, the best-in-class response window is within 24 hours of the disclosure. This 24/72 threshold clearly defines a new standard against which IT organizations should measure themselves. By doing so, organizations will be able to adopt a state of continuous remediation, shrinking their attack surface to prevent attackers from having countless entry points into their organizations.
To ultimately prevent an attack, security advisories, updates, and patches need to be prioritized to ensure attackers don’t have a loophole to use. While the information above outlines some critical basics of cyber hygiene, there is always so much more to learn to protect ourselves. Cyber hygiene is a journey, not a destination. By being vigilant and diligent and adopting smarter cyber hygiene practices and benchmarks, organizations can put themselves in the best possible position to avoid a potentially catastrophic attack.