18 months since WannaCry: what’s your patching strategy?

Was WannaCry a one-off incident?

Last year’s WannaCry ransomware attack affected thousands of organisations across the globe. It used an exploit called EternalBlue to break into IT systems, encrypted their data, and then demanded ransom payments.

WannaCry is thought to have hit over 300,000 computers in organisations such as the NHS, FedEx, Chinese oil companies, and Indian regional governments. Multinational giants were paralysed and oceans of data were destroyed. Shortly after the attacks, it was predicted that global recovery costs could run as high as 4 billion USD.

Vulnerabilities like this exist everywhere and are often unknown to their victims. But when WannaCry hit, a patch had already been released by Microsoft nearly three months before. That means that organisations had three months to install the patch to protect themselves and avoid this global disaster.

What is even more shocking is that in the following month, a subsequent attack (NotPetya) used exactly the same exploit. It attacked millions more endpoints. Organisations had STILL not patched their systems!

It’s clear that while attacks can impact any organisation, those most at risk are the ones that do not patch their systems quickly (or at all). Attacks especially affect those that subscribe to outdated security patching techniques like the ones used by Oracle and SAP.

What did Oracle and SAP learn?

The WannaCry attack has raised questions about Oracle and SAP security patching and their outdated strategies. Customers have to use stringent controls to apply patches to test systems, go through testing and promote patches through various environments before production is protected. It’s an old-fashioned model that leaves customers open to attack.

These patches cost time and money to implement. This is why patches are put on hold until resources become available, or there is a specific business requirement for an organisation to patch its systems.

This method of security patching is out of date and completely reactive. It is dependent on the vendor identifying loopholes within its own code. Often, vendors identify these because one or more of their customers have already suffered an attack! Not only that, but the vendors only provide patches for the latest supported versions of their software. Almost all customers run a variety of older software versions and are happy with them, except for the lack of security updates from the vendors.

“Vendor security patching is like finding that you have a leaky dam and plugging the holes by sticking your fingers in them.”

Mark Smith, CEO, Support Revolution

The Support Revolution solution

We put a fence-like protection up around your entire estate. When updates or patches are required, they are applied to the fence, protecting everything within it.

Support Revolution uses Trend Micro’s Deep Security solution (rated #1 in the Gartner 2017 Magic Quadrant for Endpoint Protection Platforms) which works in exactly this way.

How it works

Trend Micro Deep Security provides automated, proactive security designed to address the relentless daily onslaught of vulnerabilities. Deep Security consists of a security management component and a very small footprint agent that sits on each server (or in your Cloud solution). The manager holds a database of vulnerability signatures which it communicates to each agent. The agent monitors traffic at the network level and scans for known vulnerability signatures. It either reports incidents or blocks the traffic.

As Deep Security is a rule-based system, new rules are published regularly, and downloaded to a console with a threat level. The customer then chooses which updates to apply and when. The deployment of new rules has minimum impact on the production systems. Therefore, the time between identifying a vulnerability and being protected is reduced from months to hours.
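To make the rule-based model above concrete, here is an added toy example; it is not Trend Micro’s code or rule format. It models a manager-side catalogue of signatures, each with a threat level, a customer policy that decides which rules are pushed to the agent and whether they only report or also block, and an agent that inspects traffic against those rules. All rule ids, signature patterns and addresses are constructed placeholders.

```python
from dataclasses import dataclass, field
from enum import Enum
class Action(Enum):
    DETECT = "detect"    # report the hit, let the traffic through
    PREVENT = "prevent"  # report the hit and drop the traffic

@dataclass(frozen=True)
class Rule:
    rule_id: str
    severity: int   # 1 (low) .. 4 (critical); constructed scale
    pattern: bytes  # constructed marker, not a real vendor signature

# Constructed catalogue standing in for the manager's signature database.
CATALOGUE = [
    Rule("R-1001", 4, b"CONSTRUCTED-SIG-A"),  # critical remote code execution
    Rule("R-1002", 3, b"CONSTRUCTED-SIG-B"),  # high-severity data disclosure
    Rule("R-1003", 1, b"CONSTRUCTED-SIG-C"),  # low-severity protocol anomaly
]

def assign_rules(catalogue, min_severity, prevent_at):
    # Customer policy: push only rules at or above min_severity to the agent;
    # rules at or above prevent_at block, the rest only report.
    assigned = {}
    for rule in catalogue:
        if rule.severity >= min_severity:
            action = Action.PREVENT if rule.severity >= prevent_at else Action.DETECT
            assigned[rule.rule_id] = (rule, action)
    return assigned
@dataclass
class Agent:
    # Host agent: inspects each request against the rules it received.
    rules: dict
    events: list = field(default_factory=list)

    def inspect(self, src, payload):
        for rule, action in self.rules.values():
            if rule.pattern in payload:  # toy substring match, not real DPI
                self.events.append((src, rule.rule_id, action.value))
                return "blocked" if action is Action.PREVENT else "reported"
        return "allowed"
def run_demo():
    # Policy: report high-severity hits, block critical ones, leave severity 1 off.
    agent = Agent(assign_rules(CATALOGUE, min_severity=3, prevent_at=4))
    traffic = [  # constructed requests as (source, payload)
        ("10.0.0.5", b"GET /index.html"),
        ("10.0.0.7", b"POST /api CONSTRUCTED-SIG-A"),
        ("10.0.0.9", b"GET /api?x=CONSTRUCTED-SIG-B"),
        ("10.0.0.11", b"GET /CONSTRUCTED-SIG-C"),
    ]
    return [agent.inspect(src, p) for src, p in traffic], agent.events
```

The events list is what a console would show the customer; switching a rule from detect to prevent changes the outcome for that traffic without touching the protected application.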

One example of this is the recent CVE-2017-9805 Apache Foundation vulnerability which was identified in March 2017. Trend Micro released a new protection rule in the same month. Meanwhile, it took one of the mega-vendors six months to release a security patch.

Trend Micro Deep Security provides comprehensive security in one solution. It’s purpose-built to provide virtual patching so there are no security gaps or performance impacts. Support Revolution uses this solution (and our expertise with Oracle and SAP software) to provide a ‘best in class’ solution for all of your major IT systems.
