CIO

As poor vulnerability management threatens the business, time really is money

Companies must commit resources, maintain vulnerability teams to hasten response

Dealing with new vulnerabilities quickly is crucial to minimise damage, and organisations should maintain crack teams of patching specialists to handle them as they arise, one security specialist has advised, as reports suggest the surge in malware and phishing attacks continues to grow unabated.

Although the importance of patching is well known, practical issues – for example, the inability to reboot production systems in flight – often compromise those efforts, SecureWorks chief intel threat officer Barry Hensley told CSO Australia in the wake of the WannaCry outbreak.

“Anyone who works in IT knows that sysadmins, network admins and others want to patch their stuff,” he said. “The problem comes in getting the support, time, and resources needed to deploy the patches in a timely fashion. Some of the traditional things, like having a team focused on vulnerability management, get lost.”

The logistics of patching represent a significant and engaging challenge for system administrators who can look beyond the perception that it is mere drudgery, added senior security researcher Alex Tilley.

“There are a lot of creative challenges in there to figure out complete ways to protect them,” he explained, “such as constructing networks so that each has its own control.”

Another challenge had emerged around the fact that many organisations were still affected by WannaCry despite having robust backup regimes in place. Recovery mechanisms can impose time penalties that affect the business, Hensley noted: “Even if you have backups, if it takes you 1 or 2 days to get back online, you just had a bunch of business events that had to be rescheduled – and that can push you back a week or more.”

A recent Aberdeen Group-McAfee analysis looked at the time cost of patching practices and found that a traditional patching approach requires between 220 and 660 vendor patches per year – representing a median of around 910 hours per year during which enterprise databases and applications are unavailable. This is extrapolated to comprise a median cost of traditional patching of around 4 percent of annual revenues.

The potential impact of downtime became eminently clear over the Queen’s Birthday long weekend as Westpac suffered a one-two attack in which its online services were brought down even as the bank was targeted by a major phishing campaign.

Email-based campaigns are rapidly increasing in intensity, with email-security firm Mimecast’s latest Email Security Risk Assessment finding that email impersonation attacks were up 400 percent and 22.3 percent of risky emails were bypassing email security. That equated to more than 10,000 missed emails with malware attachments within the test – representing an ongoing threat that needs to be managed as quickly as possible by any organisation.

Despite the continuing threat, the Aberdeen Group analysis found that half of breach detections took up to 38 days, with a mean of 210 days overall. This led to recommendations that businesses embrace technologies offering better identification capabilities – including pre-execution analysis of code features – and containment, which allows new malicious code to be executed and analysed without impacting system files.

The analysis also recommends the adoption of ‘virtual patching’ – in which vulnerability-specific protections are implemented upstream of unpatched systems, shielding the downstream systems from exposure while they are remediated in their own time.

Such an approach can be invaluable in buying time for vulnerability-management teams to do their work. Recent research, such as Proofpoint’s Human Factor Report 2017, has confirmed the immediacy of the threat: fully 48.6 percent of clicks occurred within one hour of arrival, while 87.1 percent of malicious URLs were clicked on within a day of the email’s arrival.

Construction, mining, wholesale trade, accommodation & food services, and finance & insurance industries saw the highest click rates on malicious URLs, with 25.5 percent of clicks occurring within 10 minutes of the time that the carrier email arrives in their inbox.

To minimise the impact of these habits, organisations must bring in specialised skills to manage patching aggressively, as well as tools that help identify new threats as they occur. SecureWorks, for one, this week bolstered its Counter Threat Platform with AI capabilities that dynamically adjust severity ratings to improve incident handling: low and medium-level events, for example, can be escalated when they’re linked with a larger attack – helping response teams focus on faster remediation.

Speed improvements are going to be essential as the onslaught continues, SecureWorks’ Tilley warned. With combined threats like WannaCry becoming the new normal, “bolting together a few different vulnerabilities and exploits could mean that more than just the UK NHS are going to have a bad day.”