EternalBlue and MS17-010 seem to be the gifts that keep on giving. With WannaCry raising a hue and cry, we should have seen frenetic patching and a real reduction in exposure. I remember well the days of worms ripping through vulnerabilities in waves 15 years ago, and it feels like not much has changed in that time.
Now we have NotPetya.
WannaCry was stopped with a killswitch, and thanks to the efforts of Amit Serper and colleagues (I’m looking at you, among others, Uri Sternfeld), we have a vaccine to stop this Petya variant and new behavioral techniques to protect against new classes of MBR-targeting threats and ransomware specifically. However, this raises the question of why these measures are needed at all. Don’t get me wrong -- I love to stop malware and its operators, but why are these threats still effective?
The adversary is adaptive and innovative. They will find a way around almost anything given time and effort, so it’s a given that we have to get good at adapting in a competitive, evolutionary race. We’re signed up to do that, but the adversary didn’t have to do much innovation this time around.
Forget that Petya and its stepchild seem to have wildly different motivations (more on that later). Forget even that they have a very different M.O. Why did we - as in what my friend Ron Moritz calls the “8th continent” - persist in being vulnerable?
Because we don’t patch.
It’s that simple. Is it because we as security practitioners don’t want to patch or even don’t know how? No. We know it’s needed. So why don’t we do it?
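The practical corollary of “we don’t patch” is that most shops cannot even say which hosts are still exposed. The following is an added example, not code from the original post: a single-host check that looks for the MS17-010 updates by KB number and reports whether SMBv1, the protocol EternalBlue attacks, is still enabled. The KB list is the one from Microsoft’s MS17-010 bulletin as I recall it; verify it against the bulletin for your OS before relying on it. Get-SmbServerConfiguration assumes Windows 8.1 / Server 2012 R2 or later and an elevated session.

```powershell
# Added example (not from the original post): quick MS17-010 exposure check for one host.
# Run in an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later.
# The KB numbers are the MS17-010 updates as listed in Microsoft's bulletin;
# verify them against the bulletin for your OS before relying on this list.
$Ms17010Kbs = @(
    'KB4012598',                            # Vista / Server 2008 (and the later XP / 2003 release)
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only, monthly rollup)
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607 and Server 2016
)

function Test-Ms17010Exposure {
    [CmdletBinding()]
    param()

    $os        = Get-CimInstance -ClassName Win32_OperatingSystem
    $installed = @(Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID })

    # Caveat: on Windows 10 / Server 2016, cumulative updates supersede each other and
    # Get-HotFix only shows the most recent one. "No matching KB" is NOT proof of
    # exposure there; compare the OS build against the bulletin instead.
    $cumulativeOs   = [version]$os.Version -ge [version]'10.0'
    $likelyUnpatched = ($installed.Count -eq 0) -and (-not $cumulativeOs)

    # SMBv1 is the attack surface EternalBlue needs. Disabling it protects a host
    # whose patch state you cannot confirm.
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        OSVersion         = $os.Version
        Ms17010KbFound    = ($installed | Select-Object -ExpandProperty HotFixID) -join ','
        KbCheckConclusive = ($installed.Count -gt 0) -or (-not $cumulativeOs)
        LikelyUnpatched   = $likelyUnpatched
        SMB1Enabled       = $smb1
        Exposed           = $smb1 -and $likelyUnpatched
    }
}

function Disable-Smb1Server {
    # Interim mitigation for hosts that cannot be patched immediately. Test first:
    # legacy scanners, NAS appliances and very old clients may still depend on SMBv1.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
}

$result = Test-Ms17010Exposure
$result | Format-List
if ($result.Exposed) {
    Write-Warning 'No MS17-010 update found and SMBv1 is enabled: patch now, or run Disable-Smb1Server as an interim measure.'
}
```

Run it through Invoke-Command against a list of hosts to turn the “we don’t patch” feeling into a count you can put in front of the CIO. Treat KbCheckConclusive = False as “go look at the build number”, not as “fine”.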
I suspect it’s a combination of a few things. First, we’re busy as CISOs and security practitioners implementing projects, showing compliance, putting out fires and so on. It’s hard to find the time and energy to chase after things that haven’t yet blown up or look like they have quiesced. But that doesn’t explain it all.
In the end, security is still not seen as operationally essential. It doesn’t drive new revenue, and it can certainly complicate projects and roll-outs and operations. No matter how well tested or vetted, patches can still disrupt business; and that is anathema to IT. Which means, in the end, that for the vast majority of companies that haven’t got mature patching processes, there will always be a large backlog.
And patches won’t get pushed without a compelling negative event that tells a CIO it’s worth the risk, aggravation, helpdesk tickets, and the hit to customer satisfaction and employee efficiency. So what is the hope for most companies of reducing most of the backlog of critical vulnerabilities, let alone the long tail of other vulnerabilities? Honestly, very little.
And in the afterglow of being a survivor from the last wave of Ransomware, it’s very easy to take a breath, remember it’s summer and return to business as usual.
This is a mistake. And it’s a missed opportunity. Now is the time for security people to change the company perception of patching. If not now, when? This is the time to effect change in process and in the perception of security. Remind your peers that we in security are company risk managers and not dealers in IT-related esoterica. Change the dialog with management.
To paraphrase Winston Churchill: never let a crisis go to waste!