Another Day Another Patch

Here we go again. A really bad vulnerability in Microsoft products allows an attacker to gain complete control of a machine over the network, and every wannabe pundit tweets or posts “Patch Now!”

Yes CVE-2017-11937 is a really bad one. It uses a vulnerability in Microsoft’s own anti-malware product, the Malware Protection Engine, to bypass everything.

So are the eager cyber experts right? Should you patch now? Certainly, your desktops should be patched. At most, each user will be down for a couple of hours as you patch or re-image their machines. No big deal. But what about all those servers?

I too once issued frantic warnings to “Patch Now!” I was at Gartner and a new vulnerability in Solaris came out. In my green enthusiasm I issued a special alert that went to every Gartner client. I started to get calls. The content of those calls where like this:

“You idiot. We have 2,000 servers. We have to schedule down time in off hours for each one. Then we have to install the patch and test each and every production application to make sure something did not break. It takes months to patch that many servers. Before we are done there will be new vulnerabilities and if we followed your advice we would have to start over.”

I learned my lesson. Patching is hard to do.

Over the years, data centers learned how to roll out network defenses against things that attack particular vulnerabilities. Vendors called this “digital inoculation.” Now they could address vulnerabilities quickly and relatively painlessly. They still had to test the signatures in their IPS systems and deal with false positives, but they could buy time and save on patching until the next upgrade cycle.

The move to virtual machines (VMs) and the cloud is also supposed to help. So-called elastic computing allows you to build a new image and roll it out automagically, switching the workload to the new VMs while the old ones are vaporized. I am sure somebody is actually doing this, but I have not talked to them.

I would suggest that if you rely on signature-based antivirus (AV) and patching, you will always be spending weekends updating desktops, laptops, and servers.

Wouldn’t it be better to have a system that does not succumb to exploits against new vulnerabilities? There are a dozen solutions out there that will do this, several of them high flying and valued by investors at $1 billion+. How much is time worth to you? If you deployed a modern (need I say next-gen?) endpoint protection solution, you could buy yourself breathing room.

Yes, you should test to ensure new exploits against new vulnerabilities do not work against these systems. Often the vendor will scramble to be the first to announce their own testing results. It is a great marketing opportunity for them, so let them do the work.

There is also the fact that in the 17 years since I first exhorted Gartner customers to “Patch Now!” there have been thousands of successful worms, viruses, and targeted attacks against even old vulnerabilities, let alone brand new ones. Despite the exhortations now yelled by the new generation of cyber experts, people still don’t patch. They do nothing. Dire warnings obviously do not work.

If patching really was the answer, there would be no ransomware stories. Don’t even get me started on backup and recovery, which would make ransomware an annoyance instead of a disaster.

But the real reason for moving to advanced endpoint protection is because yesterday you were completely exposed to this vulnerability. By the end of the day maybe your traditional AV vendors will have signatures against new exploits, but yesterday they had nothing to work with. And there are a thousand more undiscovered - or even worse, unpublished - vulnerabilities in your systems.

If your heart sinks every time you see “Patch Now!” it is time to look for a better way.

The goal is resilient systems, ones that are not so fragile they have to be repaired constantly. Systems that are impervious to attacks even against those zero-days. It’s not magic. It’s real, and the need for resilient systems is the new reality.

Of course, we must get better at patching and patching sooner, as we now find ourselves in a new era of classic Remote Code Execution (RCE) vulnerabilities and related exploits.

Because patching is indeed hard in many instances, you must leverage every other advantage possible and protect against the payload/dropper aspect of an attack and/or memory/script vectors. But the two are not orthogonal, so an advanced endpoint protection solution will buy more time and mitigate risk. It does not alleviate the need to patch, but it enhances resiliency.