Q&A: Security Best Practices Include Automated Remediation
Automated vulnerability remediation exists, but most companies still take a manual approach
Today organizations can remediate vulnerabilities automatically, but should they?
In fact, most organizations are taking a hybrid approach, automatically scanning networks for known vulnerabilities, then routing the information through security managers or risk-assessment committees to decide which vulnerabilities security administrators tackle first.
To discuss best practices for security vulnerability remediation, Security Strategies spoke with Dave Ostrowski, product marketing manager for Internet Security Systems Inc. (ISS) in Atlanta, and Scott Johnson, the company’s product manager. ISS makes appliances to block known attacks. Dubbed “virtual patching,” this approach buys companies remediation time.
Do companies today tend to manually or automatically remediate vulnerabilities?
Ostrowski: Most organizations sort of deal with it as a manual process. There are certainly automated remediation companies offering automated solutions … but they all, to some degree, require a manual handshake process to oversee that automatic remediation. … And just because of the intricacies of the industry, such as patches from Microsoft, what we’ve seen is [security managers] like to apply things very carefully.
Johnson: Not every customer wants to apply automatic updates, because frankly they’re scared. If you just automatically apply something and it goes wrong, you’ve just applied that to your whole network. But what customers are doing is … setting up the assessment process in an automated fashion.
Manual processes take time. Are there any time savers?
Ostrowski: One of the things we’re finding companies do—they’re so overwhelmed by the challenge—is they’re trying to push out the actual remediation process as far as possible, recognizing that the asset owner doesn’t necessarily reside in the security, systems, or network administration teams. … What they’re trying to do is get the correct remediation information out to the asset owners in their companies.
For example, we have a large financial customer in New York whom we’ve dealt with for a number of years. … The security team will push out the patches to asset owners into the organization. I believe that over 150 individuals are used in that process, [and they] are responsible for actually implementing the patch or taking the steps involved. Then the security team verifies the patch is deployed, and they do this on a regular basis.
How do companies first vet which patches to apply first?
Johnson: That’s typically handled by the security team, where they’re actually responsible for the prioritization process. …
Or, for example, one large bank we deal with actually has a small committee that meets every month or quarter, and what they do is they have a list of vulnerabilities that procedurally they need to deal with. So they … identify those threats or vulnerabilities they deem critical for their business. … And they’re measured accordingly, based on how well they deal with those issues over time.
What about employing virtual patches?
Ostrowski: Well, we have a Preventia server that actually thwarts attacks … and it lets you roll out your patches on a more pragmatic, monthly basis. So it buys you a window of opportunity where you have protection from the most pressing vulnerabilities, then you can afford to roll out the actual patches on a more structured basis. We think more organizations will embrace that approach.
Why will organizations go the virtual patch management route?
It comes down to a matter of dollars. If you’re pushing out every patch, every Super Tuesday from Microsoft, you’re going to need an army of people. But if you do the more-practical approach, putting appropriate defenses in place … then keeping that software up to date, that’s a controlled environment. … And they’ll be able to do … patches on a more scheduled basis.
A good example of that is the Microsoft RPC vulnerability. There was the Blaster worm from more than a year ago, but the [atttack] has happened with subsequent worms. In that case, the vulnerability was announced well in advance of the worm appearing, and our customers applied the XPU (express update service) that protected against the attack … Then when the worm appeared, they were protected.
So virtual patching buys organizations time?
The majority of people who own assets are going to be IT, and they might have one hour per month to do service on a critical service, a Web server or something like that. So they say, 'We’re going to take down the server on the last day of every month.' Or worst case, there’s one hour per year allocated. So again, that’s the challenge, and it’s another area where the shielding technology helps.
Best Practices: Patch Management
Solving the Patch Management Headache
Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.