I published a rather lengthy blog post about the importance of patch management to the success of a security program. Due to the length of the post I thought I’d add a tl;dr version of the primary points from the article.
Bad security patching practices can and will undermine the budget spent on security tools
Security patching needs to be a priority coming from the top of the organization
CISO’s must ensure they partner with IT and business units and foster a “self-service” approach to vulnerability scanning and testing
CISO’s and CIO’s must closely partner on configuration and patch management tools and administration
CISO’s must present security patching data that focuses on practical risk to the company
CISO’s must present security patching data that specifies the performance of each IT and business unit
Leadership must hold IT and business leaders accountable for their group’s security patching performance
CISO’s should not offer a risk-acceptance or security exception path for software vulnerabilities
I’m going to cover something that arguably has the greatest impact on the security posture of an organization and is not something that information security is typically responsible for.
It’s something that can make or break a company’s entire security regime and negate every bit of security investment.
Poor security patch management.
A security patch is a piece of software designed to fix vulnerabilities or weaknesses in a system that could be exploited by malicious actors. By regularly applying security patches, organizations can protect their systems from being compromised and ensure that they remain secure and operational.
Traditionally, the information security team has processes for “vulnerability management” which is meant to discover, catalog, and track software vulnerabilities. Software vulnerabilities are weaknesses in code that can be exploited to gain unauthorized access or cause damage. While there are technical aspects to the vulnerability management process, the primary role is one of governance. The vulnerability management program is one of influence but does not directly fix vulnerabilities or patch systems. Therefore, the success of the program is primarily up to IT.
Knowing that the success of the vulnerability management program – and thus the entire information security program – is dependent on how well security patch management is executed, it is imperative that senior leadership prioritize security patching on par or above business imperatives. The “tone from the top” can either help achieve the desired security patching outcomes, or completely undermine them. For example, if a CISO reports to executive leadership that there are critical vulnerabilities that put the organization at risk and the response is short of “get it fixed ASAP,” then most likely nothing will be done – or will be done eventually, without urgency.
Even with executive buy-in, there needs to be a regular cadence of reporting that includes tracking not only raw numbers but also aging of vulnerabilities previously reported. Senior leadership then can set a “I don’t want to see this vulnerability again” tone for critical vulnerabilities.
The vulnerability report must be meaningful to the audience. Don’t waste their time with huge aggregate numbers. Instead, the reports should clearly articulate which vulnerabilities present risk to the organization and what patches would have the greatest impact in lowering risk. As the old saying goes, “if everything is critical, nothing is critical” so you need to choose what you communicate carefully.
However, these reports have a reputation for “naming and shaming” and only work for so long. Instead, the CISO needs to be partnering with the responsible leaders to help them succeed, and the quickest way to do that is to help them help you.
I am a huge fan of self-service, giving the IT operations team access to the vulnerability scanning system. It gives everyone the same set of facts to work from, security can partner when vulnerabilities are first detected and determine which patches should be prioritized. This not only speeds up the process of patching, it also buys quite a bit of political goodwill as the business unit leadership will be able to prioritize the patching effort. It also removes the CISO from the “gotcha” role they find themselves in when presenting reports to shocked leaders who will not have seen the information previously.
In addition, the CIO and CISO should partner on an effective system management product that can quickly and easily push out security patches. These tools are not cheap and require quite a bit of management to set up and maintain so it’s imperative that both IT and the security organization share both the costs and administrative burden of these tools.
Now for the other side of the partnership coin – accountability. The vulnerability reports must show aging critical vulnerabilities organized not only by platform type but also business unit. The only way to get traction in security patch management is to ensure there is complete leadership alignment and that if teams fall behind, there is accountability from the top which may include: timelines, follow-up, and visible consequences for continued non-compliance.
One last note, there is a temptation to treat vulnerability and patch reporting as simply an administrative security control and not a fundamental component of IT technical operations’ health. Unfortunately, this mentality may lead to critical vulnerabilities being handled with management exceptions or risk acceptance. As I’ve said to colleagues countless times, “attackers don’t check our risk register before launching their exploits.” Once again, tone from the top is imperative and leadership needs to understand that security patching is critical to the success of the health and safety of the IT ecosystem and cannot be documented away like other security risks.
When I hear a CISO speaking about threats on an information security podcasts I know most everyone probably thinks they are talking about nation-state or criminal actors.
The truth is that they are more likely talking about things like retaining talent, holding onto budget, getting IT to get their shit together, over-zealous auditors, dealing with seemingly constant vendor failures, and trying to keep insurance underwriters in line.
I’m humbled to be brought back as a panel speaker at the CISO Boot Camp. I was involved in designing and ended up MC’ing the first two CISO Boot Camps (2019 and 2020).
Unfortunately, COVID took the wind from the sails from 2021 and 2022 but now, in partnership with the SANS institute the CISO Boot Camp is coming back, and will be better than ever!
About the Program
RSAC CISO Boot Camp is an invitation-only gathering of future CISOs from a broad set of organizations around the globe. This closed-door, Chatham House Rules program will deliver a unique and curated experience designed to prepare aspiring CISOs for the next step in their careers.
Launched in 2019, CISO Boot Camp is in its next iteration and is now co-designed by RSAC and SANS Institute, two leading organizations in the cybersecurity ecosystem. Delivered by experienced CISOs and industry experts, attendees can expect quality presentations, inspiring conversations, and immersive hands-on learning with live simulations to help instill the skills needed to be successful–not to mention, plenty of networking with new peers on the same career trajectory, and experts with possible mentoring opportunities.
This is a free program and attendees will receive Expo Pass access to RSAC 2023 as part of their RSAC CISO Boot Camp badge, with the opportunity to upgrade to an Expo Plus Pass or Full Conference Pass. Program size is limited to 100 participants. Attendance is limited to one year, with alumni networking opportunities to follow.
Like everyone else with a browser, free time, and an interest in AI I’ve been playing with ChatGPT, an text-generating AI engine by OpenAI, the folks that created DALL-E, that can write research papers, programs, poems, and blog posts. You can find more information about both ChatGPT and DALL-E at OpenAI’s website (https://openai.com/).
I started with something that I thought would be fun:
As you can see, it wrote well-commented python script to generate a random number for each of the types of dice used when playing Dungeons and Dragons (something I do with my kids and friends). I doubt I’ll use this specific script as I have some pretty fly VTT apps and like to use the real thing when I can. I kept playing with ChatGPT. It wrote me a haiku, a poem in the style of Keats, a few jokes, a Mastodon post, and finally, a blog post.
I wanted to see if it could do something in a longer form so I fed it some prompts and after a few tries I got one back that was passable. The following post was written entirely by the ChatGPT interface with the following prompt:
And so, without further delay, I hand over the reigns of my blog to ChatGPT.
Here is a potential blog post about the intersection of cybersecurity, nation-state threats, and flaming hot Cheetos:
Title: “The Spicy Politics of Cybersecurity”
As the world becomes increasingly connected, the realm of cybersecurity has become a critical battlefield for nation-states. Hackers and cyber espionage groups backed by governments are constantly probing and attacking each other’s networks, trying to steal sensitive information or disrupt critical infrastructure.
In this high-stakes game of cat and mouse, the use of sophisticated tools and techniques is common. But sometimes, even the most unexpected things can play a role.
Take, for example, the case of the flaming hot Cheetos. In 2017, it was reported that Russian hackers used the popular snack as a covert communication channel to avoid detection by security software. By embedding data in the pixels of images of flaming hot Cheetos posted on social media, the hackers were able to transmit information without raising suspicion.
This may seem like a silly and unlikely tactic, but it highlights the creative and unpredictable nature of cyber warfare. As security technologies and defenses continue to evolve, so do the methods used by hackers to evade them.
Not the worst blog post I’ve ever read (and may have been guilty of writing). I think this is going to be a very disruptive technology for certain vocations in the not-so-distant future. Honestly, I’m not sure how that makes me feel.
I’ve seen it time and time again. An executive wants a to fund a transformational project of specious value but requires multiple years of expensive funding. The executive will work hard on branding an internal projects with acronyms, mythological names, and even custom logos. Aspects such as goals, objectives, features, and (most importantly) risks are either glossed over, not documented, or delegated to employees that may not have the full scope of the initiative well understood.
And when it finally comes forward? It gets eviscerated for poor planning, inaccurate estimates, and the project name is sometimes even mocked.
Worse yet, the project gets funded and falls into a swirling morass of mis-aligned goals, missing user-stories, incomplete features, slow progress, and budget overruns. I’d rather get laughed out of the room and told no, personally.
So what’s an ambitious executive to do?
Create a multi-year strategy that builds toward your ultimate goal system that takes the concept of “eating the elephant” into mind. As you probably know, the idiomatic phrase comes from the question “How do you eat an elephant?” with the answer being “One bite at a time.” Instead of trying to take it all on at once, break your project down into small chunks, organize them using the following as guides:
order of operations – does y have to go before x to work? then y should be done first
low hanging fruit – are there “quick wins” that can be completed to provide value immediately?
slow growth vs. all-in – can you target a smaller population to show value, build processes/documentation, and potentially drive demand for non-included groups?
strategic alignment – are there aspects that directly align to a corporate strategy?
Of course, all roads lead to Rome (many ways to accomplish the same thing) and there are other strategies to employ to get to the final goal. I have found the above works for me but it may not work for you. Also, this method may take longer, it may actually be more expensive, but it will get done which is what the goal is supposed to be, right? Then you can let everyone know that “Medusa 2.0” can be launched with great fanfare.
I submitted a short blurb to an effort to gather advice from CISO’s. I believe many CISO’s (especially new ones) will focus primarily on advanced security controls and miss the admittedly boring “blocking and tackling” like patch and configuration management…
While we (as CISO’s) certainly need to deploy protective technology to help defend our brands, we must also ensure we stay laser-focused on helping our friends in IT with the monumental task of properly configuring and expediently patching endpoints, servers, and applications. No matter how good your EDR or XDR systems may be you will be helpless to stop attackers if systems are not properly configured and maintained.
The submission asked for additional information so I decided to expand (very slightly) on my earlier point – but the fact that governance alone has not and most likely will never work.
The information security product ecosystem has certainly produced some excellent detective and preventative controls to thwart would-be attackers. However, time and time again systems and applications are compromised due to shoddy administrative practices and slow update cycles. We (as CISO’s) need to that our IT sisters and brothers are empowered to invest in solutions to solve these issues – sheer governance has not been enough so we have to think outside the box on how to enable IT to be successful for the company and achieve better security outcomes.