HAPPENING NOW: Exchange Server Hack Highlights Broad Failure of Patch Management ProcessesBy Drew Robb
By Drew Robb
Patch management is supposed to be one of those things that is routine, standard, and up to date. Yet the recent zero-day attack that exploited a Microsoft Exchange security hole highlighted the fact that all is not well in the land of patch management.
You would think that when Microsoft announced an emergency patch on March 2 to plug four security holes in Exchange Server that any organization using Exchange would have jumped on it. But a week later, Microsoft noted that it was still seeing plenty of instances of cybercriminals taking advantage of unpatched systems one. That’s why it provides a feed of observed indicators of compromise (IOCs). It provides attack surface details, threat actors involved, and various ways to fix the problem.
At this time of writing, Microsoft cloud services for Exchange 365, Teams, and other platforms are suffering a major global outage. It remains to be seen if this is related to earlier failures of users to patch their systems.
Sluggish Patching to Blame?
How could it be that so many companies either missed or ignored the warning and failed to install the patch? After all, Microsoft released it at the beginning of March.
Ashley Leonard, CEO of patch management and vulnerability scanning vendor Syxsense, said that sometimes patches sit in a queue behind other patches. Another reason for delay might be lack of automation.
“Organizations must add more rigor and automation to patch management processes,” said Leonard. “There is no place for complacency when it comes to prioritizing and installing updates and patches to fix gaping security holes.”
The devastation caused by zero-day attacks makes it clear that hackers and cybercriminals are alert to the slightest chink in security defenses. IT needs to match that level of vigilance and demonstrate it in patch management as well as security in general. Therefore, there is no time to lose in installing patches, particularly those flagged as urgent due to the security repercussions.
Areas to watch out for include lack of prioritization of patches. As new ones come in, IT works its way through them on a first come, first served basis. Urgent patches might be delayed by while IT spends time distributing a patch that installs a new font or makes a minor change to a template.
Testing is another area of bottleneck. Sometimes organizations are so careful with patch installation that the process of testing them can slow distribution down considerably. Therefore, favor patch management tools that offer patch rollback to return devices to the state they were in before a faulty patch was installed.
Manual processes, too, might be the culprit. If IT is manually figuring out how to prioritize, distribute and install patches across the organization, the patch may be installed too late to avoid compromise. Parts of the organization may be missed in the rush to deal with a threat. Errors are inevitable.
Automated Patching Needed
With a great many endpoints to manage, automation is needed to bring patch management up to the speed of threat actors. Good patch management tools bypass the need to write scripts, centralize management on one screen, and take care of distribution efficiently. For example, it is possible to automate complex, multistage tasks such as a patch being sent to all VM guests, rebooting them, then patching the host and performing a separate reboot.
IT personnel tend to resent the drudgery of such tasks. It is best not to burden them with manual processes or lengthy testing protocols that place undue delays in responding to security alerts. Further, patch management is one of these activities like standing guard on the castle walls. As countless long nights pass within incident, those on patrol gradually pay less attention to their duties. Automation backed up by streamlined organizational processes is the best way to ensure patches are installed in a timely manner.