March 26, 2019
Patch Management: The First Line of Defense Against Cyberthreats
Cybersecurity has been a topic of discussion among IT professionals for quite some time, but an MSP’s responsibility to maintain secure environments has increased rather dramatically over the past decade as threats have become more commonplace.
According to the Anti-Phishing Work Group's Q2-2018 report, the total number of phish from the second half of 2017 to the first half of 2018 increased by 33%. Today’s cybercriminals continue to leverage social engineering emails as the top attack vector. In addition to the rise in phishing, ProofPoint’s “The Human Factor 2018” report states that emails with malicious attachments exceeded those containing malicious URLs by 28%, putting the hostile code within a single click of the user. However, even an email redirecting an unsuspecting user to a fake website will eventually lead to downloading and executing a file that will exploit a vulnerability.
Security professionals all agree that a comprehensive security strategy is multi-faceted, incorporating perimeter hardening, end-user education, software patch management, and disaster recovery planning. It is also becoming more complex to proactively prevent attacks from occurring. Threats, like strains of ransomware, adapt as prevention measures mature and new technologies emerge, making it difficult for businesses, especially smaller ones with limited resources, to remain ahead of the criminals. However, the problem needs to be addressed head-on. As Gartner states, “Cybersecurity risk, if not treated appropriately, translates into business risk, reputation loss, regulatory breaches and general disruption of operations.” The cost of disruption is too significant, and responding to an event after it has occurred is often orders of magnitude more expensive than prevention.
Technology vendors are doing their part to ensure vulnerabilities are fixed as quickly as possible, usually releasing an update within hours of learning about a vulnerability. A well-documented case study on this is the WannaCry outbreak of 2017. Microsoft learned of the vulnerability within the Windows Operating System on March 14, 2017, and released security bulletin MS17-010 that same day, marked as CRITICAL. The global outbreak transpired two months later, compromising 230,000 computers in 150 countries in 24 hours. The malicious code that exploited the vulnerability fixed by Microsoft was in the wild for almost a month before the attack occurred. When the dust settled, there were at least 300,000 devices that had not received the critically flagged update from Microsoft.
High-profile attacks, like WannaCry, raise awareness among businesses, and MSPs are often the ones looked to for the strategic guidance and tactical measures needed to secure their clients' IT environments. To do this adequately, MSPs need to approach their customer security engagements thoughtfully. Failure to do so may establish a false sense of security and potentially expose end-clients to costly disruptions.
Getting Started with Patch Management Services
An MSP has the opportunity to build out a line of services that can be bundled or delivered a la carte. The types of services might include:
- Vulnerability Assessments & Management
- Patch Assessments & Management
- Secure Configuration Assessments
- Application Security Testing
- Compliance Assessments & Management
According to Gartner, the goal of proper Patch Management Services is, “to mitigate the risks of security breaches or performance issues by standardizing the patch management processes across the entire organization.”
The service may start by defining a baseline of compliance across the managed environment. From there, determine the minimum versions of required business applications that need to be in place, and then identify the gaps and the path to remediation. Spend adequate time understanding the risks, possibly involving other business applications, and what the contingency plan is if a patch cannot be deployed or results in a disruption for some reason.
In many cases, you, the MSP, will want to test your patches in a sandboxed environment, in a lab, or against a small population of risk-tolerant devices. Before deployment, you will want to confirm your targets have verified backups, especially if they are devices vital to operations, such as servers. Be sure everyone involved understands the primary and contingency plans and is ready to respond if the deployment fails.
Following the successful deployment, re-evaluate the environment and confirm compliance. Identify non-compliant anomalies and build a follow-up plan to remediate. The last stage is to report the results to stakeholders.
Building a service around Patch Management requires a combination of program process documentation and technology toolsets to deliver effectively. MSPs should position it to their customers as an ongoing and comprehensive discipline, not a short-term project. All stakeholders should understand the frequency of updates, the targeted devices subject to receiving updates, and how to define and measure compliance.
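The baseline, gap, backup and reporting steps described above can be expressed as a small compliance check. This is an added example, not code from the original post or from any RMM product; the application names, versions, device names and the `Device` fields are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed baseline: minimum acceptable version per required business application.
BASELINE = {"browser": "120.0.1", "pdf-reader": "23.8", "office-suite": "16.0.17"}

@dataclass
class Device:
    name: str
    site: str
    installed: dict          # app name -> installed version string
    backup_verified: bool    # a restore-tested backup exists for this device
    pilot: bool = False      # risk-tolerant device used to test patches first

def below(installed, minimum):
    """Numeric version compare: 16.0.9 < 16.0.17, and 23.8 equals 23.8.0."""
    a = tuple(int(p) for p in installed.split("."))
    b = tuple(int(p) for p in minimum.split("."))
    width = max(len(a), len(b))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(a) < pad(b)

def gaps(device, baseline=BASELINE):
    """Installed apps that are below the baseline (apps not installed are out of scope)."""
    return sorted(app for app, minimum in baseline.items()
                  if app in device.installed and below(device.installed[app], minimum))

def plan(devices, baseline=BASELINE):
    """Sort devices into deployment waves; hold any target without a verified backup."""
    waves = {"pilot": [], "broad": [], "hold_no_backup": [], "compliant": []}
    for d in devices:
        if not gaps(d, baseline):
            waves["compliant"].append(d.name)
        elif not d.backup_verified:
            waves["hold_no_backup"].append(d.name)
        else:
            waves["pilot" if d.pilot else "broad"].append(d.name)
    return waves

def compliance_by_site(devices, baseline=BASELINE):
    """Percentage of fully compliant devices per site, for the stakeholder report."""
    totals = {}
    for d in devices:
        ok, n = totals.get(d.site, (0, 0))
        totals[d.site] = (ok + (not gaps(d, baseline)), n + 1)
    return {site: round(100 * ok / n) for site, (ok, n) in totals.items()}

# Constructed inventory, standing in for what an RMM agent would report.
INVENTORY = [
    Device("lab-01", "HQ", {"browser": "119.0.6", "pdf-reader": "23.8"}, True, pilot=True),
    Device("fs-01", "HQ", {"office-suite": "16.0.9"}, False),
    Device("pc-07", "HQ", {"browser": "120.0.1", "office-suite": "16.0.17"}, True),
    Device("pc-12", "Branch", {"browser": "118.0.2", "pdf-reader": "23.10"}, True),
]
```

Running `plan(INVENTORY)` before deployment and `compliance_by_site(INVENTORY)` after it gives the before and after figures for the report; the server `fs-01` stays on hold until its backup is verified.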
Leveraging the power of a fully automated, policy-based platform, like Datto RMM, will position the MSP to systematically deploy patches for typical business applications as soon as they become available, helping to close the window of exposure for known and zero-day vulnerabilities. Datto RMM will also generate easy-to-understand reports, bringing clear visibility to the sites and devices with the highest risk. Being able to have a conversation, backed by data, further establishes the MSP as a strategic partner who is proactively looking to prevent downtime and maintain the end-clients’ best interests. Check out our eBook RMM Made MSPeasy!