How to get IT to eat its vegetables

Rob Juncker, LANDESK

In the modern business world, security breaches have become so prevalent that no company is safe. Not only are security breaches growing in number, but they are also growing in scale. Several data breaches have impacted customer bases of 70 million or more. Odds are we've all been affected by data breaches at one point or another. And if we haven't, it's likely only a matter of time.

Most of the recent data breaches targeted known vulnerabilities, where patches already existed, and they were therefore completely avoidable. Unfortunately, patching can be a significant pain for organisations. Similar to eating our vegetables, it's something we know we should do, that generally yields good results but is still hard to swallow for various reasons.

Time constraints. Patching gone wrong. There are many reasons patching can leave a bad taste in IT's mouth. However, the benefits outweigh the concerns, and, when properly planned, companies can improve patch deployment to save millions — and keep their names out of the headlines.

Know the impact of a security update

Security updates come fast. The good news is that the impact of a great many breaches can be contained by minimising the number of users who hold administrator rights on the network. Most exploits run with the privileges of whoever is logged in at the time, so an attacker who lands on a standard-user account gets far less than one who lands on an administrator.

For the breaches that don't depend on the logged-in user's rights (an unauthenticated flaw in a network-facing service, for example), know the severity the vendor assigns to the patch and line it up against your own exposure: which machines run the affected component and whether they are reachable from outside. That is how you make intelligent decisions about what to patch and how quickly. Limiting the number of administrators also makes life easier when one of these outlying breaches does land, because there are fewer privileged accounts whose exposure you have to assess.

Learn the cadence of the process

Getting into a good rhythm for patching is crucial. Not only does it make everything else flow much easier, but it also ensures that you do not fall behind. Many IT teams wait months or years to patch, applying dozens all at the same time. This often leads to crashed systems and bigger headaches (perpetuating the cycle of patch avoidance). Implementing a consistent cadence will keep your system updated and make sure you have a measurable and real result.

Once you've established a pattern, have a good metric to measure your success. A great benchmark is to get 80 percent of your network patched in a two-week cycle (with the first week for testing and validation and the second for deployment). For critical updates, getting 90 percent in one week is a good target.

All organisations, regardless of size, should have a testing plan in place. It will look different in a large enterprise, which has separate test and production environments and does phased rollouts, than in a smaller business where resources are tighter, but there should still be one.

To achieve this pattern, first create a test pipeline for your IT environment: a set of representative machines that receive each patch first, and a process that actually exercises the patched software (the applications and workflows your users depend on) rather than only confirming that the installer reported success. Each environment is a little different and produces different results, so remember that even with testing things can go wrong.

Listen to the right sources

Trying to guard yourself from an attack is difficult to do in a silo. Find good sources of information and security guidance for the products that affect you most. Find RSS feeds and other notifications to keep you up to date as major security concerns develop.

You can find vendors and analysts reviewing updates and providing important information that may help you decide which updates to focus on and which can possibly fall to the back burner. You can find great sources of information straight from the vendor (Microsoft Security Response Center or Adobe Security Bulletins and Advisories), from your Patch Management Provider (Shavlik Patch Tuesday Webinar or Patch Day Round-Up) and from technical analysts throughout the industry (Greg Lambert's Patch Tuesday Debugged or follow #PatchTuesday).

Ensure your process covers all your machines

A hacker is looking for the weakest link, so if your patch process stops at critical servers, dig deeper. Patch servers, workstations and laptops (laptops in particular routinely leave your network and the perimeter defences that protect it), and don't forget the hypervisors your VMs are running on. Chances are there are machines you have forgotten about, and those are the ones that get exploited and give the hacker the foothold they need.
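One way to make the 80 and 90 percent targets from the cadence section measurable, and at the same time surface the machines the process is silently not covering, is a small compliance report over the inventory. The script below is an added example, not code from the article or from any LANDESK product. Its assumptions are mine, not the author's: two severity classes, "critical" and "standard"; the one-week and two-week targets become per-severity deadlines; and a host whose last inventory report is missing or older than a week is scored as unpatched, because an unknown machine is exactly the weak link. All host names, patch IDs and dates are constructed sample data.

```python
"""Patch-compliance scoring (added example, not LANDESK/Shavlik code).

Assumptions not taken from the article: two severities, 'critical' and
'standard'; the article's '90% in one week' and '80% in two weeks' targets
become per-severity deadlines; and a host whose inventory is missing or
stale is scored as unpatched, because an unknown machine is the weak link.
All hosts, patch IDs and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional

# severity -> (deadline after release, percentage of hosts required by then)
TARGETS = {
    "critical": (timedelta(days=7), 90),
    "standard": (timedelta(days=14), 80),
}
# Inventory older than this is not trusted: the machine may have been
# rebuilt or rolled back since, or simply not been on the network.
STALE_AFTER = timedelta(days=7)


@dataclass(frozen=True)
class Patch:
    patch_id: str
    severity: str
    released: date


@dataclass(frozen=True)
class Host:
    name: str
    last_seen: Optional[date]      # None: in the asset list, never reported
    installed: FrozenSet[str]      # patch IDs from its last inventory report


def is_trusted(host: Host, as_of: date) -> bool:
    """Fresh inventory only; anything else is scored as unpatched."""
    return host.last_seen is not None and as_of - host.last_seen <= STALE_AFTER


def stale_hosts(hosts: List[Host], as_of: date) -> List[str]:
    """The machines the patch process is silently not covering."""
    return sorted(h.name for h in hosts if not is_trusted(h, as_of))


def score(patch: Patch, hosts: List[Host], as_of: date) -> Dict:
    """Compliance of one patch against its severity target on a given day."""
    if not hosts:
        raise ValueError("no hosts in inventory")
    window, target_pct = TARGETS[patch.severity]
    deadline = patch.released + window
    missing = sorted(
        h.name for h in hosts
        if not (is_trusted(h, as_of) and patch.patch_id in h.installed)
    )
    patched = len(hosts) - len(missing)
    due = as_of >= deadline
    # Integer comparison so 18 of 20 against 90% counts as met exactly.
    met = (patched * 100 >= target_pct * len(hosts)) if due else None
    return {
        "patch": patch.patch_id,
        "severity": patch.severity,
        "deadline": deadline,
        "due": due,
        "percent": round(100 * patched / len(hosts), 1),
        "target": target_pct,
        "met": met,            # None while the deadline is still in the future
        "missing": missing,
    }


def report(patches: List[Patch], hosts: List[Host], as_of: date) -> List[Dict]:
    return [score(p, hosts, as_of) for p in patches]


# --- constructed sample inventory -------------------------------------------
AS_OF = date(2014, 10, 28)
PATCHES = [
    Patch("P-CRIT-1", "critical", date(2014, 10, 14)),   # due 2014-10-21
    Patch("P-STD-1", "standard", date(2014, 10, 14)),    # due 2014-10-28
]
BOTH = frozenset({"P-CRIT-1", "P-STD-1"})
ONLY_CRIT = frozenset({"P-CRIT-1"})
HOSTS = (
    [Host(f"srv-{i:02d}", date(2014, 10, 27), BOTH) for i in range(1, 4)]
    + [Host(f"ws-{i:02d}", AS_OF, BOTH) for i in range(1, 13)]
    + [
        Host("ws-13", AS_OF, ONLY_CRIT),
        Host("ws-14", AS_OF, ONLY_CRIT),
        Host("lap-01", date(2014, 10, 26), ONLY_CRIT),
        # Laptop patched, then off the network for 12 days: its inventory
        # is stale, so it is scored as unpatched until it checks in again.
        Host("lap-02", date(2014, 10, 16), BOTH),
        # Hypervisor that was never enrolled in inventory at all.
        Host("hyp-01", None, frozenset()),
    ]
)

if __name__ == "__main__":
    for row in report(PATCHES, HOSTS, AS_OF):
        status = "n/a" if row["met"] is None else ("MET" if row["met"] else "MISSED")
        print(f"{row['patch']:<9} {row['percent']:>5}% of {row['target']}% "
              f"by {row['deadline']} {status}  missing={row['missing']}")
    print("not covered:", stale_hosts(HOSTS, AS_OF))
```

With the sample data the critical patch meets its 90 percent target at exactly 18 of 20 hosts, while the standard one misses at 75 percent. Two of the five machines it is missing on are the stale laptop and the unenrolled hypervisor, which is the point of scoring unknown as unpatched: count only the machines that report and the number flatters you, and the forgotten ones stay forgotten.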

Have a contingency plan

Heartbleed, POODLE and a host of other high-profile vulnerabilities in 2014 were disclosed outside the normal update cycle. Take an inventory of how your team reacted to each of them. Did your patch process cover the case where an out-of-band update arrives and interrupts your business? If it does not include such contingencies, it should. Something as simple as a named group that gets together to assess the issue and make a deployment decision is more than some companies prepare for.

No matter how you slice, dice or mince it, there is a sweet taste in the victory that comes from having a healthy IT environment. Having this will give you the flexibility to focus on other key IT priorities, have happier users and a more productive workforce.

Contributed by Rob Juncker, vice president of engineering at LANDESK
