18 months since WannaCry – what’s your patching strategy?
Was WannaCry a one-off incident?
Last year’s WannaCry ransomware attack affected many organisations from both the public and private sectors across the globe. It exploited a vulnerability in IT systems (using the EternalBlue exploit), encrypted data and then demanded ransom payments.
WannaCry is thought to have hit over 300,000 computers in organisations as powerful and diverse as the NHS, FedEx, Chinese oil companies and Indian regional governments. Multinational giants were paralysed and oceans of data were destroyed. Shortly after the attacks, it was predicted that global recovery costs could run as high as US$4 billion.
Vulnerabilities like this exist everywhere and are often unknown to their victims. But when WannaCry hit, Microsoft had already released a patch for the vulnerability nearly three months beforehand. That means organisations had almost three months to install the patch, protect themselves and avoid this global disaster.
What is even more shocking is that the following month, a subsequent attack (NotPetya) used exactly the same exploit to attack millions more endpoints. Those organisations had STILL not patched their systems!
It’s clear that while attacks can impact any organisation, those most at risk are the ones that do not patch their systems quickly (or at all), or that subscribe to outdated security patching techniques like the ones used by Oracle and SAP support.
What did Oracle and SAP learn?
The WannaCry attack has raised questions about Oracle and SAP security patching and their outdated strategies. The stringent controls that customers put in place (applying patches to test systems, going through testing, then promoting the patches through various environments before the live system is finally protected) are an old-fashioned model that leaves customers open to attack.
These patches cost time and money to implement, as they have to go through these intensive testing and implementation cycles. As a result, patches are often put on hold until resources become available or there is a specific business requirement for the organisation to patch its systems ASAP.
You can imagine how long some organisations wait before patching…
This method of security patching is hopelessly out of date and completely reactive: it depends on the vendor identifying loopholes within its own code. Often, vendors identify these only because one or more of their customers has already suffered an attack! Not only that, but vendors provide patches only for the latest supported versions of their software. Almost all customers run a variety of older software versions and are quite happy with them, except of course for the lack of any security updates from the manufacturers.
“Vendor security patching is like finding that you have a leaky dam and plugging the holes as and when they appear by sticking your fingers in them” — Mark Smith, CEO Support Revolution
But there is a solution. It’s obvious really when you think about it. You put in a new dam upstream of the old leaky dam!
The Support Revolution solution
In IT terms, our dam means putting fence-like protection up all around your systems. Then, when updates or patches are required, they can easily be applied to just that “fence”, protecting everything within it.
Support Revolution’s “Advanced Security” is based on Trend Micro’s Deep Security solution (rated #1 in the Gartner 2017 Magic Quadrant for Endpoint Protection Platforms) which works in exactly this way.
How it works
Trend Micro Deep Security provides automated, proactive security designed to address the relentless daily onslaught of vulnerabilities. Deep Security comprises a security management component and a very small-footprint agent that sits on each server (or in your cloud solution). The manager holds a database of vulnerability signatures, which it communicates to each agent. The agent monitors traffic at the network level, scans it for known vulnerability signatures and either reports the incident or blocks the traffic.
As Deep Security is a rule-based system, new rules are published regularly and downloaded to a console with a “threat level”; the customer then chooses which updates to apply and when. Deploying new rules has minimal impact on production systems, which means the time between a vulnerability being identified and the system being protected is reduced from months to hours.
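To make the report-or-block model concrete, here is a simplified rule engine written for this article; it is not Deep Security’s code or rule format, and the rule identifiers, threat levels, patterns and sample requests are all constructed for illustration. It shows the two decisions described above: the customer enabling rules by threat level, and the agent matching traffic against the enabled rules and either reporting or blocking.

```python
import re
from dataclasses import dataclass
from typing import List

# Ordering used when the customer chooses a minimum threat level to enable.
LEVELS = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Rule:
    rule_id: str        # hypothetical identifier, not a real product rule number
    threat_level: str   # published alongside the rule; drives the customer's choice
    pattern: str        # regex applied to the raw request seen by the agent
    mode: str           # "prevent" (block the traffic) or "detect" (report only)


@dataclass(frozen=True)
class Finding:
    rule_id: str
    threat_level: str
    action: str         # "block" or "report"


# Constructed rule set with deliberately simple, hypothetical patterns.
PUBLISHED_RULES = [
    Rule("VP-1001", "critical", r"^POST /legacy/export\b", "prevent"),   # unpatched endpoint
    Rule("VP-1002", "high", r"(?:^|[/\\])\.\.(?:[/\\]|$)", "prevent"),   # path traversal
    Rule("VP-1003", "low", r"User-Agent: .*scanner", "detect"),          # noisy scanner
]


def select_rules(rules: List[Rule], min_level: str) -> List[Rule]:
    """Customer-side step: enable only rules at or above the chosen threat level."""
    floor = LEVELS[min_level]
    return [r for r in rules if LEVELS[r.threat_level] >= floor]


def inspect(request: str, active: List[Rule]) -> List[Finding]:
    """Agent-side step: match the request against every enabled rule."""
    findings = []
    for rule in active:
        if re.search(rule.pattern, request, re.MULTILINE):
            action = "block" if rule.mode == "prevent" else "report"
            findings.append(Finding(rule.rule_id, rule.threat_level, action))
    return findings


def decide(request: str, active: List[Rule]) -> str:
    """Final verdict: any blocking match wins; otherwise report or allow."""
    findings = inspect(request, active)
    if any(f.action == "block" for f in findings):
        return "block"
    return "report" if findings else "allow"
```

Lowering the enabled threat level widens coverage without touching the protected application, which is the point of the virtual-patching approach.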
One example of this is the recent CVE-2017-9805 Apache Foundation vulnerability, identified in March 2017. Trend Micro released a new protection rule the same month; it took one of the tier one vendors six months to release a security patch mitigating this vulnerability.
Trend Micro Deep Security provides comprehensive security in one solution that is purpose-built to provide virtual patching, so there are no security gaps or performance impacts. Support Revolution’s Advanced Security combines this solution with our expertise in Oracle and SAP software to provide a “best in class” solution for all of your major IT systems.