Organisations who are on top of their patching processes often spend weeks each month patching urgent vulnerabilities and/or resolving any unforeseen impacts they have on systems. They often complete these just in time for the next month when they must do it all again.
With organisations often resource constrained, is it the best use of their cyber security/technology teams’ time to spend most of their month patching systems? I believe it isn’t.
Many organisations who are resource constrained have also not implemented strong preventative controls due to a lack of time, particularly the more difficult (but extremely valuable) ones like Application Control and Network Segmentation. I’ve spoken to many peers who haven’t implemented these, and the sentiment is remarkably similar from each:
“We haven’t had the time”
“We’re still trying to get on top of the basics like our patching right now”
“We’ve got bigger fish to fry. We’ve still got Windows 7 machines in our fleet (or XP!)”
While patching most definitely has its place, if we look at this from a risk/benefit perspective, we see that the scale is skewed. Too much time is being spent on the Band-Aid fix of patching. In fact, so much time is spent patching that little is left for fixing the fundamental underlying issues. This raises an interesting question:
If an asset is barely exposed to other assets on your network, and cannot run any file without explicit review and approval, how necessary is it to patch urgently?
If the assets were network segmented appropriately and had enforced application control, a zero day becomes a ‘let the automated patch cycle run and sort it out in due course’ situation instead of a ‘down tools and patch immediately’ situation.
To illustrate this, let us look at one of recent history’s most notable attacks and critical vulnerabilities, and how it would stack up against modern, Zero Trust-aligned controls.
WannaCry Ransomware (2017)
This ransomware spread using the EternalBlue and DoublePulsar exploits over port 445 (SMB), combined with a payload DLL file, and wreaked havoc in organisations around the world. Most organisations spent the following week, day and night, patching their workstations and servers. Consider if those organisations had segmented their networks. Only a handful of endpoints would have had port 445 reachable from other segments, so the patch could have been targeted at only those exposed assets, turning weeks of work into a couple of hours. Further, most flavours of malware using this exploit required the dropping and execution of a DLL payload on the vulnerable endpoint. With application control correctly configured in enforcement mode, any unknown DLL would be blocked without exception.
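The prioritisation argument above (and the question posed earlier about barely exposed, application-controlled assets) can be written down as a small triage rule. This is an added example, not code from the original post or from Sekuro: it runs over a constructed asset inventory, and the `Asset`, `Vuln` and `urgency` names are assumptions. It generalises slightly beyond the text by carrying a flag for whether the exploit needs a dropped file at all, so an exploit that runs entirely in memory stays urgent on exposed hosts regardless of application control.

```python
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    # Ports on this host reachable from other network segments after segmentation.
    exposed_ports: set = field(default_factory=set)
    # Application control in enforcement mode: unknown EXE/DLL files are blocked.
    app_control_enforced: bool = False
    patched: bool = False


@dataclass
class Vuln:
    name: str
    port: int                 # network service the exploit reaches
    needs_payload_exec: bool  # exploit must drop and run a file (e.g. a DLL)


def urgency(asset: Asset, vuln: Vuln) -> str:
    """Classify patch urgency as 'none', 'routine' or 'immediate'."""
    if asset.patched:
        return "none"
    if vuln.port not in asset.exposed_ports:
        # Segmentation means no other segment can reach the vulnerable service:
        # let the normal automated patch cycle handle it.
        return "routine"
    if vuln.needs_payload_exec and asset.app_control_enforced:
        # Service is reachable, but the dropped payload cannot execute.
        return "routine"
    return "immediate"  # exposed and nothing stops the payload: patch now


def prioritise(assets, vuln: Vuln) -> dict:
    """Group asset names by urgency so the 'immediate' list is the work queue."""
    out = {"immediate": [], "routine": [], "none": []}
    for asset in assets:
        out[urgency(asset, vuln)].append(asset.name)
    return out


# Constructed sample fleet and an SMB-borne exploit needing a DLL payload.
ETERNALBLUE = Vuln("EternalBlue (SMB)", port=445, needs_payload_exec=True)
FLEET = [
    Asset("file-server-01", {139, 445}, app_control_enforced=False),
    Asset("dc-01", {88, 389, 445}, app_control_enforced=True),
    Asset("workstation-07", set(), app_control_enforced=False),
    Asset("workstation-12", set(), patched=True),
]

if __name__ == "__main__":
    print(prioritise(FLEET, ETERNALBLUE))
```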
A Practical, Prevention-Based Approach
Application Control and Network Segmentation are a key part of a sound Zero Trust strategy, and we always prioritise them over patching on the Zero Trust strategy roadmaps we build with clients. Zero Trust is weighted heavily towards preventative controls that mitigate risk based on how attacks behave, whilst allowing an organisation to remain agile. This way, your teams can spend more time on uplifting organisational cyber resilience and productivity, instead of being stuck in their own never-ending patch cycle. This is great for team retention as well: teams gain more satisfaction and fulfilment from rewarding tasks like security architecture improvements, and face less incident response as a result.
So, if you relate to the above situation – perhaps it’s time to put your patching projects on the back burner for a few months while you work on the underlying foundations: focusing on network segmentation and application control, starting with your high value assets. These two controls used to be hard to implement, but modern technologies allow this to be done in record time.
Don’t get me wrong, patching is still an important part of an organisation’s defences, but make sure it is not standing in the way of establishing strong preventative controls like Network Segmentation and Application Control. This is just the beginning though – reach out if you want some help to prioritise your controls with a Zero Trust strategy and roadmap.
How can Sekuro help?
Sekuro’s Zero Trust Strategy has been created by our team to zone in on the areas which provide the most prominent cyber security benefits, whilst being pragmatic and realistically achievable for all organisations. It was devised by cyber security professionals with years of hands-on experience in cyber security engineering, architecture and executive leadership across both private and government sectors globally.
Sekuro’s Zero Trust Strategy is a comprehensive, rational, technical cyber security review that will include detailed interviews and assessments of your organisation against 140+ security controls, which takes approximately two weeks to complete. Speak to us today on how we can help your organisation on their Zero Trust journey, and further streamline your cyber security program using our Zero Trust Strategy.
Customer CISO, Sekuro
Lee is an experienced cyber security professional with 16+ years in the technology industry. He previously worked in cyber security leadership and architecture roles inside multiple global organisations prior to joining Sekuro. At Sekuro, Lee helps clients with cyber security strategy, Zero Trust, Virtual CISO, mentorship, executive advisory and security architecture. He has worked with numerous clients on cyber security strategies across industries such as health, insurance, construction, manufacturing and leisure, including multiple ASX-listed companies.