How Security Automation Can Reduce Patch Management Cycle Time And Risk

20 Jul

By Tom Young, Executive Vice President of Worldwide Sales

Ask any security or IT professional and they will tell you that patch management is a never-ending process of identifying and remediating vulnerabilities that often lead to security breaches. Spectre and Meltdown are prime examples of recent vulnerabilities that have severely impacted the healthcare industry, according to a report by the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) referenced by DataBreach Today. “These vulnerabilities … allowed malware to bypass data access controls and potentially access sensitive data,” the OCR report explains, before the article goes on to highlight three key factors that make patching so difficult:

1. Application Compatibility

Commercial or custom applications are often affected by security patches to the underlying OS or middleware. It takes time for external vendors or internal development teams to test the impact of new security patches on their applications and ultimately roll out newly supported versions or compatible updates. This delay is a common barrier to effective patching: critical infrastructure running some legacy applications stays unpatched because of stability concerns or a lack of vendor support, where the application cannot be properly tested, modified and updated.

2. Patch Testing & Rollback

Because of these compatibility concerns, many enterprises require security and IT teams to test patches before applying them in production. This involves replicating the production environment, applying the patch in that sandbox and then testing the applications sufficiently to ensure there are no issues. A backup of the production environment has to be made before patches are applied in production, followed by testing in production to ensure no issues arise. If an issue is discovered, the production change must be rolled back and the system restored from the last known good backup.

3. Change Control

Expediting patch application can mean unscheduled application downtime. However, business service (e.g., application) owners want to avoid downtime during critical business hours at all costs. Narrow change control windows can hamper the ability of IT teams to patch systems quickly, particularly given the number of necessary steps outlined above. The change control window may be too narrow to accomplish all the necessary steps, requiring an exception to be made, which must go through a series of reviews and approvals. Every hour is critical in the world of on-demand, 24×7 access, and certain network-enabled devices in a healthcare facility or hospital cannot be patched until they are no longer in use by or for a patient (assuming they can be patched at all).


SOAR to the Rescue

So, if patch management is so painful, how can Security Automation be used to reduce response time and improve patching efficiency?

Gartner defines Security Orchestration, Automation & Response (SOAR) as technologies that enable organizations to collect security threat data and alerts from different sources, so that incident analysis and triage can be performed using a combination of human and machine power to define, prioritize and drive standardized incident response activities according to a standard workflow. SOAR tools allow an organization to define incident analysis and response procedures (a.k.a. plays in a security operations playbook) in a digital workflow format, so that a range of machine-driven activities can be automated.

By codifying the steps necessary to effectively identify vulnerabilities, assess potential risk and — when appropriate — remediate that risk, enterprises are able to implement a repeatable, auditable workflow that can be executed consistently, regardless of the skill level of the available analysts, application owners or IT resources supporting the infrastructure.

For example, a SOAR platform can be used to expedite the patching use case outlined below. Note that the DECISION points listed could be manual, automatic, or derived through Machine Learning over time:

Step 1: An alert is received with a CVE that represents a known vulnerability from a trusted source (e.g., MITRE, EDR or Threat Intelligence Feed).

Step 2: The vulnerability is assessed for potential exploits using standard (e.g., CVSS) and non-standard methods (e.g., Cyr3con), such as third-party tools that monitor Dark Web and Hacker Forums and provide exploit probabilities for associated vulnerabilities.

Step 3: Query the Vulnerability Management (e.g., Tenable, Qualys) or EDR platform (e.g., Tanium) for an inventory of vulnerable systems.

DECISION: Determine the level of risk associated with the vulnerability based on triage scores for each impacted system (using CIA values where available).

  • High (definitely recommend expedited patching): Proceed to Step 5
  • Medium (need more context to determine what to do): Proceed to Step 4
  • Low (not enough risk to patch out-of-band): Stop

Step 4: Query the Vulnerability Management or Endpoint Platform source to gain more context on the impacted systems (e.g., recent potentially suspicious activity, other vulnerabilities, etc.).

DECISION: Determine whether the level of risk has been elevated to “High” or lowered to “Low” based on the additional context.

  • High (definitely recommend expedited patching): Proceed to Step 5
  • Low (not enough risk to patch out-of-band): Stop

Step 5: Prepare the patch, either as a traditional package update or as a virtual patch expressed as a SecRule for the CVE (published to the WAF), and notify the security analyst of the critical CVE and of the package or SecRule patch for the WAF.

Step 6: Create snapshots of the ESX VMs to be patched (identified by UUID), then apply the patch either directly or by scheduling offline deployment. When the count of affected hosts reaches zero, notify the SOAR platform and begin validating the status of system operations.

DECISION: Determine if there are systems with issues that remain “post-patch” and take the appropriate next step for each system:

  • No: Proceed to Step 8
  • Yes: Proceed to Step 7

Step 7: Revert to the appropriate ESX VM snapshot(s) by UUID and notify the system owner to begin troubleshooting any identified patch issues, then repeat Step 6.

Step 8: Validate the status of patches across all impacted systems (either through EDR (e.g., Tanium) or Vulnerability Management (e.g., Tenable, Qualys) platforms), compile a list of all impacted systems that remain unpatched and notify system owners to begin the escalation process.

Step 9: Once all impacted systems are patched and in the proper operational state, timestamp remediation activities and compile all post-incident reporting and statistics.
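As an added illustration (not Syncurity's code and not a description of how IR Flow implements this), the following Python sketch encodes the two DECISION points of the playbook above and the Step 8 validation pass. The CVSS and exploit-probability thresholds, the 1..3 CIA scale and the host records are constructed assumptions for the example.

```python
from dataclasses import dataclass

# Constructed thresholds for this example; a real playbook would tune them.
HIGH_CVSS, MEDIUM_CVSS = 9.0, 7.0
HIGH_EXPLOIT_PROB = 0.5          # e.g. from a dark-web exploit-probability feed


@dataclass
class Host:
    hostname: str
    cia: int                     # assumed 1 (low) .. 3 (high) asset criticality
    suspicious_activity: bool = False   # Step 4 context from EDR / VM platform
    other_vulns: int = 0                # Step 4 context: other open findings
    patched: bool = False
    healthy: bool = True                # post-patch operational status


def triage(cvss: float, exploit_prob: float, host: Host) -> str:
    """First DECISION: combine CVSS, exploit probability and the asset's CIA value."""
    if host.cia == 3 and (cvss >= HIGH_CVSS or exploit_prob >= HIGH_EXPLOIT_PROB):
        return "High"
    if cvss >= MEDIUM_CVSS or exploit_prob >= HIGH_EXPLOIT_PROB:
        return "Medium"
    return "Low"


def re_triage(host: Host) -> str:
    """Second DECISION: Step 4 context elevates a Medium host to High or drops it to Low."""
    if host.suspicious_activity or host.other_vulns >= 3:
        return "High"
    return "Low"


def select_for_patching(cvss: float, exploit_prob: float, hosts: list) -> list:
    """Steps 3-4: hostnames the playbook should patch out-of-band (Step 5 onward)."""
    selected = []
    for h in hosts:
        level = triage(cvss, exploit_prob, h)
        if level == "Medium":
            level = re_triage(h)
        if level == "High":
            selected.append(h.hostname)
    return selected


def validate(hosts: list) -> list:
    """Step 8: hosts still unpatched, or unhealthy after patching, for owner escalation."""
    return [h.hostname for h in hosts if not h.patched or not h.healthy]
```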

While patching remains one of the key barriers to more effective cyber security risk mitigation, implementing a standard, repeatable process through a SOAR platform can dramatically reduce the response time associated with executing patching and vulnerability management processes, thus reducing the associated risk. Using a SOAR platform also ensures consistency and provides a metrics baseline that can be used for continuous process improvement. Enterprises interested in addressing this use case should consider evaluating SOAR platform vendors, while also identifying other high-priority use cases that could benefit from the automation of rote, manual tasks, the consistent application of defined processes and a significant reduction in the level of risk.

More importantly, this is just one of many use cases for orchestration and automation that support critical enterprise processes. There are many more, including DevSecOps, physical security, asset management, etc., and while few enterprises are ready to implement fully automated remediation now, almost all could immediately benefit from instantiating and automating these types of enterprise processes in a repeatable, auditable software platform.
