I recently wrote about the 60 Minutes special on cyber security, and how a former chief of national intelligence didn’t believe the U.S. is prepared for a sophisticated attack that could bring down a major power grid. Opinions varied about the special itself, but the one thing people shouldn’t overlook is that cyber threats are real and that the infrastructure that protects our power grids needs to be defended.
The spotlight on this need continued last week when President Obama issued a proclamation declaring December Critical Infrastructure Protection (CIP) Month. Proclamations like these won’t change the world. Our systems won’t magically become secure, and most of the people responsible for these systems are already working hard to defend them.
That said, the proclamation adds to the growing awareness that infrastructure must be protected against all attacks, including cyber attacks. The key shift, especially when it comes to endpoint protection, is the need for systems that can prevent attacks, not just detect them and clean up the affected systems afterward.
The simple fact is that blacklist antivirus is no longer effective at preventing system compromise: it can only stop malware it has already seen. Because of this, new and more sophisticated malware continues to get through and exploit network vulnerabilities, undermining defenses that have protected networks through the years.
The urgent need to protect our critical infrastructure, combined with the diminishing effectiveness of patching and antivirus, is driving increased awareness and acceptance of whitelisting in the energy industry. By strictly defining which applications are approved to run, and denying everything else by default, whitelisting gives peace of mind and reduces the need for the fire-drill patching that is so commonplace across organizations.
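To make the default-deny idea concrete, here is an added example of the decision logic behind a hash-based application whitelist. It is not CoreTrace’s or any vendor’s product code, and the sample “binaries” and the names hmi.exe and update.exe are constructed for the demonstration. A real product enforces the decision at execution time in the kernel; this script only shows why a content-based allowlist blocks an unknown or tampered file even when no signature for it exists, and why the list must be refreshed whenever an approved binary is legitimately patched.

```python
"""Minimal hash-based application allowlist (constructed example, not product code)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(approved: list[Path]) -> set[str]:
    """Snapshot the digest of every approved executable.

    The list is keyed by content, not by path or file name, so a renamed copy
    of an approved binary is still allowed and a modified one is not.
    """
    return {sha256_file(p) for p in approved}


def is_allowed(path: Path, allowlist: set[str]) -> bool:
    """Default-deny decision: only a file whose digest is on the list may run."""
    try:
        return sha256_file(path) in allowlist
    except OSError:
        return False  # unreadable or missing file: deny rather than raise


def demo() -> dict[str, bool]:
    """Exercise the allowlist against constructed sample 'binaries'."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        approved = root / "hmi.exe"  # hypothetical approved control-system application
        approved.write_bytes(b"MZ approved HMI build 1.0\n")
        allowlist = build_allowlist([approved])

        # 1. Approved binary, unchanged: allowed.
        approved_ok = is_allowed(approved, allowlist)

        # 2. Same bytes under a different name: still allowed (content-based).
        copy = root / "hmi_copy.exe"
        copy.write_bytes(approved.read_bytes())
        copy_ok = is_allowed(copy, allowlist)

        # 3. Approved binary altered in place (one byte appended): denied,
        #    with no signature for the change needed. Note the same thing
        #    happens after a legitimate patch, which is why the list must be
        #    updated as part of patch deployment.
        with open(approved, "ab") as f:
            f.write(b"\x90")
        tampered_ok = is_allowed(approved, allowlist)

        # 4. A dropped file that was never approved (e.g. a drive-by payload): denied.
        dropped = root / "update.exe"
        dropped.write_bytes(b"MZ unknown payload\n")
        dropped_ok = is_allowed(dropped, allowlist)

        # 5. A path that does not exist: denied, not an exception.
        missing_ok = is_allowed(root / "nope.exe", allowlist)

    return {
        "approved": approved_ok,
        "renamed_copy": copy_ok,
        "tampered": tampered_ok,
        "dropped": dropped_ok,
        "missing": missing_ok,
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:13s} -> {'ALLOW' if allowed else 'DENY'}")
```

Run it and the approved and renamed-copy cases print ALLOW while the tampered, dropped and missing cases print DENY. The practical consequence for the patching debate in the comments below: a hash allowlist and a patch program are coupled, because every patch that changes an approved binary also changes the digest the allowlist expects.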
Thanks for the insight on Critical Infrastructure Protection Month. Insightful, and I agree that just because you declare a specific month “National Critical Infrastructure Protection Month” things will not magically become secure. The US government as well as business communities need to elevate the level of awareness, educate on the current state of security and provide key steps to do a better job of protecting critical infrastructure, data and systems. While there is no way to be 100 percent secure, there are some great technologies out there to protect endpoints and critical information from cyber attacks. One point I’d have to disagree with you on is your statement around “diminishing effectiveness of patching.” Gartner recently released its security technology priorities for 2010 http://blogs.gartner.com/adam-hils/2009/11/30/a-sneak-peek-at-the-top-10-security-technology-priorities-worldwide/ where patch management (ranked #2) and vulnerability assessment (#2) were ranked at the top of the priorities for 2010. The reason for this is that while whitelisting and blacklisting as well as a slew of other endpoint technologies help address various security issues, patch management/vulnerability management combined with security configuration address more than 90 percent of attacks. One technology cannot solve endpoint security issues alone. Organizations have to develop a multi-faceted protection strategy that includes vulnerability management at the core, data protection, endpoint protection (whitelisting) and AV. In addition, while the role of AV may be diminishing, a majority of organizations have some type of AV technology within their enterprise. The AV technology will continue to evolve and we’ll most likely see AV vendors add interesting technologies to augment AV such as whitelisting.
But the reality is, business leaders and security vendors have the responsibility to provide the full scope of what that new threat landscape looks like and why organizations need to implement the basic principles of vulnerability management and endpoint security to effectively combat new threats and stay ahead of the curve.
Thanks,
Cindy Kim
Thanks for the comment Cindy.
While I agree with you that patch management and vulnerability management won’t go away anytime soon (which is good news for you folks at Lumension), their relative importance in Gartner’s priorities is an indication of the sad state of our endpoint security strategy. When I talk about the “diminishing effectiveness of patching” I am speaking specifically to the inability of patching to protect against new threats. Patching is a reactive strategy that provides little to no real protection against new and targeted attacks, and the fire drills that companies go through to rush a new patch out are evidence of a true lack of protection for our endpoints. It is this problem specifically that whitelisting aims to address.
IT professionals are faced with an interesting dilemma: carefully test and deploy patches and leave yourself open to new attacks for a longer period of time, or rush out patches that can disrupt existing applications and cause other problems. Even in the fastest patch deployment there is still a significant window of exposure to attacks, as well as systems that remain unpatched despite IT’s best efforts. The situation is even worse for the systems at the core of the critical infrastructure (e.g., control systems). Most control systems cannot be rebooted, or can only be rebooted at specific times in very tight maintenance windows, making unplanned installations of operating system or application patches infeasible.
Will patching go away? No. Would the introduction of an endpoint security technology that actually offered protection against new vulnerabilities change the way that we deploy and maintain patches to our systems? Most certainly.
I would never imply that AV and patching will go away, but their role as the centerpiece of endpoint security strategy changes as we add true protection against new threats to our endpoints.
Apologies for the delay in my response. I do agree with you that it is a sad state of our endpoint security strategy, especially given the maturity of patch and vulnerability management solutions that have been out there for years. Organizations are still struggling when it comes to prioritizing and implementing the right protection strategy, and by that I mean understanding the key technologies necessary to protect against new and existing threats. In our recent Worldwide State of the Endpoint Survey 2010, surprisingly, around 41 percent of the respondents said they did not have PC management life cycle tools in place, including patch management. This goes back to my point. Patch management, while mature, is still the first and last line of defense against new and emerging threats. The bad guys are exploiting existing vulnerabilities that companies have not patched. In your statement, you said patching is a reactive strategy. I disagree. I think if organizations have the right process in place, it can be proactive, as most bad guys exploit known vulnerabilities, so if companies do their due diligence when it comes to plugging all the known holes, they can remain ahead of the bad guys. However, this is not enough. With zero-day exploits becoming much more common, organizations need more than just one technology to solve all their problems – they need a layered approach – which should include application whitelisting and patch management as their foundational layer.
Thanks again for the discussion, Cindy. You make great points, and I agree with many of them. At a minimum, we agree on two fronts: the need for application whitelisting and the best-practice of patching.
On the first point, companies need application whitelisting to stop any malware (known or unknown) that enters computers through unknown or unpatched vulnerabilities–or via all the OTHER ways to deposit it (e.g., drive-bys). Patching only stops one of many, many ways for the code to enter the computer.
On the second point, I agree that it is just good common sense to patch known vulnerabilities. Why leave a door open if you don’t need to do so? Patching is a best practice discipline. I do believe that anything done in haste is begging for trouble, so I do believe that patches should be thoroughly tested before being deployed and that “emergency” patches should be avoided whenever possible.
Where we differ is on our definitions of “proactive”. When I said that patching is reactive, I meant that you have to wait for a vulnerability, wait for the patch, test the patch and then deploy it. It doesn’t proactively stop anything. You may ultimately stop an attack, but patching isn’t proactive in my book.
Thanks again! Great discussion.
Toney, thanks for the great discussion. I’m glad we agree on two fronts, and on the reactive front when it comes to patching, in that sense yes, I see your point. On a side note, I frequently write about blogging, especially around executive blogging, and I have to say how impressed I am with your blogs and consistency. Keep up the great work.
Thank you for the kind words, Cindy. I think the market has evolved–largely supported by social media–into one that rewards executives that interact directly with the market. I love listening to others’ opinions and engaging in open discussions/debates like we’ve been having. Everyone–customers, analysts, employees and even competitors–is far better off from those interactions.