Matthew Rosenquist, Cybersecurity Strategist and Evangelist at Intel Corporation, shared a post on his LinkedInfeed discussing Intel’s approach to security with the Intel Management Engine (Intel ME). His comment accompanying the linktouched upon the subject of patching, stating “Part of modern product security is to design them with the ability to be patched and updated to protect against future unknown threats. It is both a security and economically sound model. Being able to continually protect our devices is much better than the alternatives: choose to replace products must faster due to security vulnerabilities or continue to use exploitable technology which may lead to our victimization. Would you buy software which couldn’t be patched?”
While Mr. Rosenquist mentions that patching is important, he also calls it a sound model, better at least than having to buy new software. But the question is, is it really that sound? And the only other option he offers is to buy new software, but that’s just not the case. There is another option, one which tens if not hundreds of thousands of enterprises around the globe choose—consciously or not. And that is to run unpatched software, including End of Life (EOL) products, which by definition are products that “can’t be patched” as vendors no longer offer updates for them.
These systems can be found pretty much anywhere. For example, there are no few ATMs in the world still running on Windows XP. And a screenshot reportedly smuggled from an Iranian nuclear reactor was at the time running on a very outdated version of Windows, what apparently made it vulnerable to the Stuxnet virus.
The issue of patching may be the single largest day-to-day challenge an organization’s IT department faces, and one of its most painful problems.
A Never Ending Game of Whack-a-Mole
One of the biggest issues with applying patches is simple logistics. We can look at the world of web servers as an example. A large enterprise running an e-commerce store may be running hundreds of mission critical web servers. In addition to those servers, they have to maintain a wide array of equipment including routers, hypervisors, database servers, security products such as firewalls, and so much more. Each one of these items have one or more patches that need to be regularly installed.
In fact, IT staffs are inundated, literally drowning in platforms that constantly require updates, and not just security updates. Functionality updates are just as important, large and small. Large customers are a primary driver of functional changes which are delivered as part of patches. Sometimes functional fixes are even more important than security fixes. Take for example the Y2K or other clock related issues which, while not necessarily a security vulnerability, had a huge impact on operations. There were even fears it could have started a nuclear war.
Any single one of the platforms we mentioned require regular patching, which is time consuming and difficult, and installing patches on enterprise equipment is no small task. They need to first be installed in staging or test environments where they can be verified as safe before being pushed to production. Patches come out regularly, depending on the product once every three, two, or even one a month. There are critical updates for zero day exploits and other issues that need to be tested and installed. There are recalls, and even patches for problematic patches.
Patches are released much faster than companies can run them through staging, testing, and push them to production. With the dozens of products and sometimes tens of thousands of servers being maintained by the average IT department, they have no chance of keeping their products properly updated with conventional patching.
Saying few organizations would likely buy software which couldn’t be patched is missing the point. Companies have already bought software they can’t update, if they have that product long enough and can’t upgrade for whatever reason. And it’s almost guaranteed that every company is running a large number of systems that aren’t properly patched.
Regarding our web server example, there is a solution, and one that can help organizations reduce the risk of their servers being vulnerable to dangerous exploits—even if they don’t regularly install patches. It’s called Virtual Patching and offered by the Imperva SecureSphere Web Application Firewall (WAF).
SecureSphere WAF can import vulnerabilities from a number of popular web scanners including IBM AppScan, HP WebInspect, NTO Objectives, Cenzic, WhiteHat and Qualys.
Once vulnerabilities have been imported into SecureSphere, users can mitigate vulnerabilities using virtual patches, or security policies specially constructed to prevent threat actors from exploiting vulnerabilities by monitoring traffic and blocking. Vulnerabilities are managed in the Vulnerability Workbench which allows you to track them, see their details, assign them for handling, manage, and mitigate them.
Set Your Team Free
Trying to keep your servers updated with the latest patches is a cumbersome and seemingly impossible task. It requires tracking, prioritization, coordination and a huge amount of time, effort, and money. Being able to patch systems virtually without having to actually make changes to servers themselves can eliminate much of that overhead and save expensive man hours, even if your product has reached End of Life.
For web servers, there is a solution. Virtual Patching is a time and money saving strategy that can help IT teams move past the overwhelming storm of never ending patches and allow them to focus on other important tasks. For more information on Virtual Patching, see theImperva SecureSphere Web Application Firewall (WAF).