By George Mina
On Friday, a group of unknown threat actors carried out one of the largest cyberattacks of its kind, which infected hundreds of thousands of computers in 150 countries. The ransomware, known as WannaCry, exploits a Microsoft Windows OS vulnerability that was patched in Microsoft’s Security Bulletin two months ago. The universal advice was straightforward: Update your Windows systems to include the latest patches to prevent attacks.
The idea of employing basic endpoint hygiene to keep your data safer seems simple, so why has WannaCry been so damaging? The answer may lie in the hidden complexities found in effective patch management.
The Patch Management Conundrum
The nuances of effective patch management run much deeper than simply having a system administrator push out patches or relying on inconsistent vendor-supplied mechanisms. Because of organizational silos, it takes most IT departments weeks or even months to deploy patches throughout their highly distributed environments. In fact, it can take organizations several months to even come close to achieving complete patch compliance.
The patch management conundrum raises questions that many organizations may find difficult, if not impossible, to answer. For example:
- How should an organization deploy critical out-of-band patches, such as MS 17-010, that arrive urgently and off the routine patch schedule?
- How can system administrators keep track of patches in an environment with thousands or hundreds of thousands of highly distributed endpoints running a variety of operating systems (OSs) and applications?
- How long will the patching process take from start to finish, and how will system admins confirm that every endpoint in their infrastructure remains properly patched?
- How can patches be deployed without interfering with the end-user experience and productivity?
The inability to address these fundamental questions is a key reason why attacks such as
WannaCry are successful, even when there is a patch available. Most endpoint tools are
challenged to address these kinds of attacks in three very important ways:
- Insufficient visibility. Incomplete visibility provides poor context to discover and report on the current state of all endpoints (including unmanaged ones), especially in highly distributed environments.
- Sporadic endpoint hygiene. Manual processes and cumbersome scan-and-poll-based mechanisms reduce the ability to effectively prioritize and respond to the most critical vulnerabilities.
- Silos of teams and tools. Security teams and IT operations are typically siloed, leading to fragmented defenses that are slow respond.
A Better Path Forward: Five Steps Toward Effective Patch Management
Fortunately, these hurdles are surmountable. IBM BigFix removes these obstacles with a
comprehensive solution that is purposefully built for highly distributed, heterogeneous
environments. With this solution, organizations can finally see, change, enforce and report on patch compliance status in real time, on a global scale and through a single console.
- Research – IBM tracks patch releases from OS, anti-malware and common third-party application vendors, and makes them available to users, eliminating the need for time-consuming patch research processes. Users can simply open up the BigFix console to view the latest updates and select patches for deployment. Within 24 hours of the disclosure of the WannaCry vulnerability, BigFix had a fixlet for MS17-010, as well as previously unsupported Microsoft OSs, which were made available to all BigFix customers.
- Assess – With BigFix, a single intelligent software agent is installed on all managed endpoints to continuously monitor and report on the endpoint state, including patch levels, with a management server. The agent also compares endpoint compliance against defined policies, such as mandatory patch levels and standard configurations. This information is especially critical during emergency patch scenarios such as MS17-010 because security analysts must rapidly quantify the overall magnitude and risk from the related exploits.
- Remediate – Since BigFix customer servers automatically download the latest patch updates, endpoints can immediately begin to assess whether a particular patch is needed without the need for operator intervention. The endpoint agent receives the new policy and immediately evaluates the endpoint to determine whether the patch is applicable. If so, it downloads and applies the patch, reporting back success or failure within minutes.
- Confirm – Once a patch is deployed, the BigFix agent automatically and continuously reassesses the endpoint status to confirm successful installation, immediately updating the management server in real time. This step is critical to support compliance requirements, which require definitive proof of continuous patch installation. Closing the loop on patch deployment enables organizations to ensure patch compliance in a way that is smarter, faster and much more reliable.
- Enforce – The BigFix intelligent agent continuously enforces patch policy compliance, helping to ensure that endpoints remain updated. If a patch is uninstalled for any reason, the policy can specify that the agent should automatically reapply it to the endpoint as needed. Through the same
centralized console, endpoint compliance status is reported in real time, allowing IT administrators to easily monitor the state of all managed endpoints in the organization. Administrators enjoy full control of their endpoints, enabling them to handle significantly more work than other products that require a lot of manual intervention and introduce significant time lags into the reporting process.
These five steps have enabled BigFix to deliver real and effective patch management against this massive ransomware attack and the diversity of endpoint vulnerabilities that exist today. It provides an automated, simplified patching process that is administered from a single console and delivers real-time visibility and enforcement to all endpoints, on and off the corporate network. The result is a first-pass patch success rate of more than 98 percent, the reduction of patch cycle times from weeks or months to minutes or hours, and significant cuts in operational costs.
Industry Leaders Pushing Endpoint Hygiene
While the WannaCry wreckage is splashed across news headlines, some security thought leaders are taking this opportunity to remind their clients about the importance of endpoint hygiene .
When it comes to mitigating threats such as WannaCry, CBI Cyber Security Solutions
emphasized the importance of “doing things right, timely execution and using the right tools.”On the day of the WannaCry attacks, one of the firm’s customers wrote in an email:
I just wanted to let you know the help we had with BigFix for the ransomware that caused havoc today.
Our Information Security alerted us to the issue, and within minutes we had a list of servers still needing the patch and were able to quickly determine that no files were present on any server. It definitely reduced any panic we might have had.
Meanwhile, Champion Solutions Group advocated basic hygiene for all IT professionals. Dan Powers, the company’s senior software engineer, wrote, “My clients were well on their way to a good night sleep, not having to worry about the latest ransomware, called ‘WannaCry,’ by leveraging BigFix and applying good computer hygiene.”
BigFix ‘Just Works’
For two decades, IBM BigFix has provided clients of all sizes with best-in-class multi platform solutions for endpoint detection and response (EDR), enterprise wide asset discovery, patch management, software distribution, usage analysis, configuration management, security and regulatory compliance, and more.
Thousands of clients and over 100 million endpoints later, our clients still say the same thing about BigFix: “It just works.”
To learn more, read the Forrester Research report, “The Total Economic Impact of IBM BigFix Patch and BigFix Compliance,” and participate in IBM Security’s webinar series on
orchestrating your security defenses.