Modern cyber attacks are targeted, stealthy and evasive. Cybercriminals commonly attempt to penetrate enterprise networks by exploiting vulnerabilities in applications, web browsers and operating systems. The best defense available to enterprises is to rapidly patch these vulnerabilities -- or is it?
Patching is costly and risky, and it can disrupt ongoing business activities. Clearly, this conundrum creates tension between IT teams, security departments and management. Can enterprises achieve a healthy balance without compromising their cyber security?
Software Vulnerabilities Are Here to Stay
As software becomes more advanced and complex, it is impossible for programmers to eliminate all potential weaknesses in their code. These flaws become a playground for hackers to exploit. In spite of programmers’ efforts and the use of vulnerability scanning tools, a myriad of new vulnerabilities surface each year. Even worse, zero-day attacks that utilize new, unknown vulnerabilities are constantly unveiled.
To exploit a vulnerability and have a greater chance of "success", cybercriminals need intimate familiarity with the application they want to exploit. These attackers will typically seek applications widely used by employees in the targeted organization. This explains why most advanced attacks utilize common applications such as Adobe Acrobat, Adobe Flash, Microsoft Office and various web browsers. Hackers find it easy to get their hands on these applications and chances are high the users they wish to target are using one or more of them.
The Pain of Patching
Traditional security tools, technologies and processes cannot prevent malware and Advanced Persistent Threats from exploiting unpatched security vulnerabilities. Software vendors, as they become aware of new vulnerabilities, work rapidly to remediate them. This results in a continuous stream of security patches sent to their customers.
Patching software in an organization is a complex task. It requires careful planning, execution and validation. In some cases, it involves halting and rebooting a machine, thus interfering with employees’ work or business processes that run on a server. Sometimes the patch itself causes a conflict with other applications running on the machine. For all of these reasons, patching requires a lot of attention and careful coordination between IT and security personnel.
In short, software vendors are constantly creating an immense number of new patches to cover their vulnerabilities. Furthermore, security and IT teams face an endless (and ever-increasing) burden of executing those patches. The result is that patching happens intermittently -- if at all -- because IT and business operations cannot tolerate the potential operational impact that security patching represents.
As one Chief Information Security Officer of a large financial institution summarized:
All companies have a massive debt snowball that continues to grow in terms of unpatched security vulnerabilities on IT assets. The result is IT and Business Operations continue to be negatively impacted by exploits of unpatched vulnerabilities that increasingly extend beyond operational uptime, performance and availability. It eventually results in brand damage, regulatory fines, penalties and legal actions that hurt the company on a larger and long-term scale. This erodes market and consumer confidence in the brand, its products and services. This also impacts revenue retention, revenue acquisition and general growth and stability of the company. Added to all this is the potential theft and loss of intellectual property and competitive advantage in the marketplace.
In Search of Security-Business Balance
A true security-business balance can only be reached with a solution that mitigates the risk of unpatched security vulnerabilities. With this type of solution deployed, companies will not have to rush into rapid deployment of patches and can plan cost-effective patch roll-outs with minimum business disruption.
Imagine a solution that prevents the damage of attacks, reduces the pressure for urgent patching, helps avoid the risk of the patching process causing unplanned IT or operational impacts, and mitigates the risks the unpatched vulnerabilities represent.
For such a solution to be effective it would need to have the following attributes:
Achieving all of these attributes in one product is challenging, yet a new breed of security solutions takes a fresh and different approach. CISOs and IT managers should carefully select such tools to effectively and efficiently protect enterprise assets while maintaining and patching systems in a strategic and unobtrusive way.
This article first appeared on betanews.com.