16:30 CET, 5th September 2013
By Derek E. Brink, CISSP, vice president and research fellow for IT Security and IT GRC at Aberdeen Group, a Harte-Hanks Company.
As a guest speaker at Secunia’s launch of Corporate Software Inspector (CSI) 7.0, I wanted to call attention to four things that enterprises should know about patching.
The Australian Government’s Defence Signals Directorate (DSD) has been garnering some well-deserved accolades lately for its recently updated publication on Strategies to Mitigate Targeted Cyber Intrusions. Their analysis suggests that just four specific endpoint security strategies and controls would have successfully protected against at least 85% of the cyber intrusions that they responded to in the previous 12 months:
A result similar to the one generated by the Australian DSD’s analysis can be inferred from the excellent analysis of 855 actual incidents shared by Verizon Business, in their 2012 Data Breach Investigations Report. Their very clever “4 A’s” threat event framework — referred to as VERIS — uniquely classifies each potential event in terms of the Asset (what asset was affected), the Action (what action was taken on the asset), the Agent (whose actions affected the asset), and the Attribute (how the asset was affected) — resulting in a concise matrix of 315 distinct possible events. As shown here, 98% of the observed events were the result of malware and hacking, targeting endpoints (user devices) and servers.
Overall, 81% of all incidents leveraged hacking, 69% involved malware, and 61% used a combination of both. The simple point is that prompt patching of high-risk vulnerabilities in platforms, applications, and databases should be just as effective a strategy for the security of back-end systems as the Australian DSD found it to be for their endpoints.
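To make the VERIS "4 A's" classification concrete, here is an added example (not code from the post, from Verizon or from Secunia) that builds the event grid and tallies a handful of constructed incidents the way the report's percentages are derived. The four category lists are the VERIS A4 enumerations as I recall them, which is an assumption rather than something the post states; their product, 3 x 7 x 5 x 3, reproduces the 315 distinct cells the post mentions. The incident records are constructed sample data, not DBIR data.

```python
"""VERIS "4 A's" (A4) event grid: classify threat events and tally them.

Category lists are assumed from the VERIS A4 framework (not from the post);
the incident records are constructed sample data.
"""
from itertools import product
from collections import Counter

AGENTS = ("external", "internal", "partner")
ACTIONS = ("malware", "hacking", "social", "misuse", "physical", "error", "environmental")
ASSETS = ("servers", "networks", "user devices", "offline data", "people")
ATTRIBUTES = ("confidentiality", "integrity", "availability")

# Every distinct (agent, action, asset, attribute) combination is one grid cell.
GRID = frozenset(product(AGENTS, ACTIONS, ASSETS, ATTRIBUTES))


def classify(agent, action, asset, attribute):
    """Map one threat event to its A4 cell, rejecting values outside the grid."""
    cell = (agent, action, asset, attribute)
    if cell not in GRID:
        raise ValueError(f"not a VERIS A4 cell: {cell}")
    return cell


# Constructed incidents: each incident is the list of events it comprised.
SAMPLE_INCIDENTS = [
    [("external", "hacking", "servers", "confidentiality"),
     ("external", "malware", "servers", "confidentiality")],
    [("external", "malware", "user devices", "integrity"),
     ("external", "hacking", "servers", "confidentiality")],
    [("internal", "misuse", "offline data", "confidentiality")],
    [("external", "hacking", "user devices", "confidentiality")],
    [("external", "social", "people", "integrity"),
     ("external", "malware", "user devices", "integrity")],
]


def event_share(incidents, actions, assets):
    """Percentage of all events in the given action/asset combination
    (the shape of the post's 'malware and hacking against user devices
    and servers' figure)."""
    events = [classify(*e) for inc in incidents for e in inc]
    hits = sum(1 for e in events if e[1] in actions and e[2] in assets)
    return round(100 * hits / len(events), 1)


def incident_share(incidents, action):
    """Percentage of incidents in which at least one event used the action."""
    n = sum(1 for inc in incidents if any(e[1] == action for e in inc))
    return round(100 * n / len(incidents), 1)


def incident_share_both(incidents, a1, a2):
    """Percentage of incidents that combined both actions (e.g. malware and hacking)."""
    n = sum(1 for inc in incidents
            if any(e[1] == a1 for e in inc) and any(e[1] == a2 for e in inc))
    return round(100 * n / len(incidents), 1)


def top_cells(incidents, n=3):
    """The n most frequent grid cells across all events."""
    counts = Counter(classify(*e) for inc in incidents for e in inc)
    return counts.most_common(n)


if __name__ == "__main__":
    print(len(GRID), "distinct A4 cells")
    print("malware+hacking on endpoints/servers:",
          event_share(SAMPLE_INCIDENTS, {"malware", "hacking"}, {"user devices", "servers"}), "%")
    print("hacking:", incident_share(SAMPLE_INCIDENTS, "hacking"), "%")
    print("malware:", incident_share(SAMPLE_INCIDENTS, "malware"), "%")
    print("both:", incident_share_both(SAMPLE_INCIDENTS, "malware", "hacking"), "%")
    print("top cell:", top_cells(SAMPLE_INCIDENTS, 1))
```

Two distinct denominators are in play, which is why the post quotes both "98% of events" and "81% of incidents": `event_share` counts events, while the `incident_share` functions count incidents that contained at least one matching event.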
In its research, Aberdeen routinely asks respondents about their current use, planned use and current evaluations of a wide range of IT Security technologies; the results for selected endpoint security technologies from a recent study of more than 160 organizations are shown here. As indicated by the light blue bars, all (100%) respondents have deployed anti-virus / anti-malware; more than 4 out of 5 have also deployed technologies such as email (86%) and web (82%) monitoring and filtering; 75% have deployed patch management; and so on.
Meanwhile, the blue and red lines superimposed on the light blue bars indicate the percentage of the leading performers (top 20%) and lagging performers (bottom 30%) from the study that have deployed these selected endpoint security technologies. In general, the leaders have consistently deployed these technologies to a higher degree than the laggards, and the gap between the two lines shows that patch management has the strongest correlation with top performance.
A simplified vulnerability management lifecycle includes three basic stages:
Unfortunately, each new day brings a new wave of threats and vulnerabilities to be managed, so these steps must be repeated on a continuous basis to manage vulnerability-related risks within acceptable limits. The top performers at vulnerability management are able to accomplish this while maximizing efficiency and minimizing total cost. Even this simplified lifecycle illustrates the continuous nature of vulnerability management.
Note that the viral growth in user-managed endpoints that many organizations are currently experiencing only intensifies the visibility problem for vulnerability management, especially in comparison with traditional enterprise-managed endpoints. One critical difference is that the mature enterprise views vulnerability management as an essential function to be optimized, while the less mature enterprise typically views it as an unattractive burden to be attended to as time allows.
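The continuous lifecycle described above is easier to reason about with a small model of a patch backlog. The following is an added example written for this page, not Secunia CSI code or anything from the DSD or Aberdeen studies: it holds findings per host, checks each unpatched finding against a risk-tiered patch window, and re-runs the check as new findings arrive and others are remediated. The tier-to-window mapping, the host names and the advisory identifiers are constructed assumptions.

```python
"""Track a vulnerability backlog against risk-tiered patch windows.

The PATCH_WINDOW_DAYS mapping, hosts and advisory ids below are constructed
assumptions for illustration, not data from the post.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed maximum days allowed between disclosure and remediation, per risk tier.
PATCH_WINDOW_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}


@dataclass
class Finding:
    host: str
    software: str
    advisory: str              # constructed identifier, not a real advisory
    tier: str
    disclosed: date
    patched: Optional[date] = None

    def days_open(self, today):
        """Days from disclosure to remediation, or to today if still open."""
        end = self.patched or today
        return (end - self.disclosed).days

    def is_overdue(self, today):
        if self.patched is not None:
            return False
        return self.days_open(today) > PATCH_WINDOW_DAYS[self.tier]


def overdue(findings, today):
    """Unpatched findings past their window, highest tier then oldest first."""
    order = list(PATCH_WINDOW_DAYS)  # dict order: critical first
    late = [f for f in findings if f.is_overdue(today)]
    return sorted(late, key=lambda f: (order.index(f.tier), f.disclosed))


def exposure_summary(findings, today):
    """Open and overdue counts per tier, the kind of figure reviewed each day."""
    summary = {}
    for tier in PATCH_WINDOW_DAYS:
        open_ = [f for f in findings if f.tier == tier and f.patched is None]
        summary[tier] = {"open": len(open_),
                         "overdue": sum(1 for f in open_ if f.is_overdue(today))}
    return summary


def run_cycle(findings, today, discovered, remediated):
    """One turn of the lifecycle: ingest newly discovered findings, record
    remediations by advisory id, and return the refreshed overdue list."""
    findings.extend(discovered)
    for f in findings:
        if f.advisory in remediated and f.patched is None:
            f.patched = today
    return overdue(findings, today)


# Constructed backlog as of a constructed reference date.
TODAY = date(2013, 9, 5)
BACKLOG = [
    Finding("ws-017", "browser plug-in", "ADV-CONSTRUCTED-001", "critical", date(2013, 8, 20)),
    Finding("db-02", "database server", "ADV-CONSTRUCTED-002", "high", date(2013, 8, 30)),
    Finding("app-05", "app framework", "ADV-CONSTRUCTED-003", "high", date(2013, 8, 10)),
    Finding("ws-031", "office suite", "ADV-CONSTRUCTED-004", "medium", date(2013, 8, 1),
            patched=date(2013, 8, 20)),
    Finding("fs-01", "file server", "ADV-CONSTRUCTED-005", "low", date(2013, 7, 1)),
]


def next_day_example():
    """Re-run the cycle one day later on a copy of the backlog: one new
    critical finding arrives and the oldest critical one is remediated."""
    snapshot = [Finding(**vars(f)) for f in BACKLOG]
    new = [Finding("ws-040", "browser plug-in", "ADV-CONSTRUCTED-006", "critical", date(2013, 9, 6))]
    return run_cycle(snapshot, date(2013, 9, 6), new, {"ADV-CONSTRUCTED-001"})


if __name__ == "__main__":
    for f in overdue(BACKLOG, TODAY):
        print(f"OVERDUE {f.tier:8} {f.host:7} {f.advisory} open {f.days_open(TODAY)} days")
    print(exposure_summary(BACKLOG, TODAY))
    print("next day overdue:", [f.host for f in next_day_example()])
```

The point the post makes about continuity shows up in `run_cycle`: the overdue list is never final, because every run both retires findings and admits new ones, so the useful metric is how the per-tier overdue counts trend over repeated cycles rather than any single snapshot.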
In addition to the four things to know about patching, you should take away these four key insights:
Secunia CSI 7.0 is in line with these best practices – it is designed to give you the what, where, when and how.
The press release announcing the launch of the Secunia CSI 7.0:
Secunia launches the next generation of complete patch management – the Secunia CSI 7.0
CTO Morten R. Stengaard’s blog explaining how the Secunia CSI 7.0 came to be:
Complete - flexible - unique – The Corporate Software Inspector-7.0 is here
More information about the Secunia CSI 7.0 and feature descriptions: