Tag Archives: cybersecurity

WannaCry & The Reality Of Patching

Mark Nunnikhoven, VP Cloud Research, Trend Micro

The WannaCry ransomware variant of 12-May-2017 has been engineered to take advantage of the most common security challenges facing large organizations today. Starting with a basic phish, this variant uses a recent vulnerability (CVE-2017-0144/MS17-010) to spread unchecked through weaker internal networks, wreaking havoc in large organizations.

The gut reaction from those on the sidelines was–understandably–”Why haven’t they patched their systems?” Like most issues in the digital world, it’s just not that simple. While it’s easy to blame the victims, this ransomware campaign really highlights the fundamental challenges facing defenders.

It’s not the latest zero-day—a patch for MS17-010 was available 59 days before the attack—or persistent attacker. One of the biggest challenges facing the security community today is effectively communicating cybersecurity within the larger context of the business.

Patch…Now

A common refrain in the security community is that patching is your first line of defence. Despite this, it’s not uncommon for it to take 100 days or more for organizations to deploy a patch. Why?

It’s complicated. But the reason can be boiled down roughly to the fact that IT is critical to the business. Interruptions are frustrating and costly.

From the user’s perspective, there is a growing frustration with the dreaded “Configuring updates. 25% complete. Do not turn off your computer” screen. The constant barrage of updates is tiring and gets in the way of work. Making matters worse is the unpredictable nature of application behaviour post-patch.

About 10 years ago, “best practices” formed around extensive testing of patches before deploying them. At this time, the primary motivator was patch quality. It wasn’t uncommon for a patch to crash a system. Today, patches occasionally cause these types of issues but they’re the exception not the rule.

The biggest challenge now is custom and third party applications that don’t follow recommended coding practices. These applications might rely on undocumented features, unique behaviours, or shortcuts that aren’t officially supported. Patches can change the landscape rendering critical business applications unusable until they too can be patched.

This cycle is why most businesses stick to traditional practices of testing patches, which significantly delays their deployment. Investing in automated testing to reduce deployment time is expensive and a difficult cost to justify given the long list of areas that need attention within the IT infrastructure.

This unrelenting river of patches makes it difficult for organizations to truly evaluate the risks and challenges of deploying critical security patches.

Legacy Weight

The argument around patching assumes—of course—that a patch is actually available to resolve the issue. This is the zero-day. While the threat of zero-days is real, long patch cycles mean the 30-day, 180-day, and the forever-day are far more likely to be used in an attack. The Verizon Data Breach Investigations Report consistently highlights how many organizations are breached using exploits of patchable vulnerabilities.

The WannaCry campaign used a vulnerability that was publicly known for 59 days. Unfortunately, we’ll continue to see this vulnerability exploited for weeks—if not months—to come.

Making matters worse, MS17-010 was only patched on supported platforms. A position that Microsoft has since reversed and issued a patch for all affected platforms (kudos to them for making that call). While it’s logical only to provide patches for supported platforms, the reality is the “supported” number is far different than the “deployed” number.

We know that Windows XP, Windows Server 2003, and Windows 8 continue to live on – by some reports accounting for 11.6% of Windows desktops and 17.9% of Windows servers. That’s a lot of vulnerable systems that need to be protected.

There are third party security solutions (some from Trend Micro) that can help address the issue, these legacy systems are a weight on forward progress. As a system ages, it’s harder to maintain and poses a greater risk to the organization.

Malware, like the 12-May-2017 WannaCry variant, takes advantage of this fact  to maximize the success and their attack…and their potential profits.

Security teams need to help the rest of the IT teams explain the need to invest in updating legacy infrastructure. It’s a hard argument to make successfully. After all, the business processes have adapted to these systems and from a workflow process, they are reliable.

The challenge is quantifying the risk they pose (maintenance and security-wise) or at least putting this risk in the proper perspective in order to make an informed business decision.

Critical…For Real

All too frequently, vulnerabilities are flagged as critical. 637 and counting so far in 2017, which is a faster pace than the 1,057 reported in 2016 (and these numbers are only for remotely exploitable vulnerabilities!). Your organization is not going to be impacted by all of these, but it’s fair to say that you’ll face a decision about a critical vulnerability once a month.

To make the decision to disrupt the business, you’re going to have to evaluate that impact. This is where organizations tend to falter. It’s extremely difficult to boil the decision down to numbers.

In theory, you should take the cost of downtime (when deploying the patch) and compare it to the cost of a breach. Ponemon and IBM have the cost of a data breach in 2016 at an average of $4 million USD (4% of worldwide turnover for EU companies). This means that you should always patch unless the downtime cost is more than$4 million.

Except that it doesn’t factor in the probability of that breach happening or the cost of using security control to mitigate the issue. This is where it gets really complicated and highly individualized.

The debate on how to properly evaluate this decision rages on in the IT community, but specific to WannaCry, the equation was actually pretty straight forward.

Microsoft issued MS17-010 in March, 2017 and flagged it as critical. A month later, there was a very high profile and very public data dump that contained an easy to understand and execute exploit for the vulnerabilities patched by MS17-010. At this point, the security team can guarantee that their organization will see attacks taking advantage of this vulnerability.

That puts the probability of attack at 100 percent. So unless it’s going to cost $4 million to patch your systems, the patch should be rolled out immediately.

Mitigation

Un-patchable systems still need to be protected. With WannaCry, all affected systems are patchable now—again, thanks to a generous move by Microsoft. With other malware threats, that’s typically not the case.

This is where mitigations come into play. These mitigations also buy time for patches to be deployed.

WannaCry is a solid example of a new variant that caused significant damage before traditional anti-malware scanning could be implemented. This is where machine learning models and behavioural analysis running on the endpoint is critical.

These techniques provide continuous and immediate protection for new threats. In the case of WannaCry, systems with this type of endpoint protection were not impacted. After deeper analysis by the security community, traditional controls were able to detect and prevent the latest variant of WannaCry from taking root.

When in place, strong network controls (like intrusion prevention) were able to block WannaCry from spreading indiscriminately throughout corporate networks. This is another argument for microsegmentation within the network.

Finally, phishing emails continue to be the most effective method of malware distribution. 79 percent of all ransomware attacks in 2016 started via phishing. Aggressively scanning emails for threats and implementing strong web gateways are a must.

Protecting Against The Next Threat

WannaCry is a fast moving threat that’s had a significant real-world impact. In the process, it’s exposed fundamental challenges of real-world cybersecurity.

Patching is a critical issue and it needs the entire IT organization working with the rest of the business to be effective. Year after year, the majority of attacks take advantage of patchable vulnerabilities. This means that most cyberattacks are currently preventable.

Rapid patching combined with reasonable security controls for mitigating new and existing threats are the one-two punch your organization needs to reduce its risk of operating in the digital world.

While the problem and solutions are technical in nature, getting the work done starts with communications. There’s no better time to start than now.

Head and Shoulders Above the Rest in Endpoint Security as a Gartner Magic Quadrant Leader

by Bharat Mistry

We’re only in the second month of the year and already the threats are coming thick and fast. Just in the past week we’ve heard of a major breach at two popular gaming forums and a ransomware attack which crippled the police CCTV camera network in the US capital. This tells us that the endpoint, frequently the first target in such attacks, must be better protected as we head through 2017. But it can be hard to cut through the marketing hype in such a crowded marketplace.

That’s why Trend Micro is delighted to have been placed highest and furthest in the Leaders quadrant in Gartner’s 2017 Magic Quadrant for Endpoint Protection Platforms (EPP). Continue reading

It’s Time to Up Cyber Maturity Levels in 2017 – Starting with the Endpoint

by Bharat Mistry

As we close out another eventful year one thing is patently obvious: cyber threats have never represented a bigger risk to firms. Data and security breaches recently revealed at the likes of PayAsUGym, Ryanair, Lynda.com, KFC and more have all provide a timely festive reminder to CISOs of the value of multi-layered threat defence. More concerning still are new stats suggesting UK firms continue to operate with lower levels of security maturity than their US counterparts.

A good way to start the new year would surely be to consider how your organization can be smarter about security in 2017. And that means taking a look first at the endpoint.

Another year of breaches
Even before the catastrophic breaches at Yahoo, which may have affected over 1.5 billion accounts, were revealed, this was already shaping up to be another epic year for the black hats. Perhaps most worrying from the stream of breach incidents we’ve all read about in the news over the past 12 months is the fact that organisations are still making the same old mistakes.

Newly released data from UK-based insurer CFC Underwriting makes for particularly uncomfortable reading. It reveals that firm handled more than 400 claims on cyber breach policies this year – with the main categories being privacy breaches (31%), financial loss (22%) and ransomware (16%). Now, we don’t have mandatory breach reporting laws in the UK – not until the European GDPR comes into force in 2018, at least. So this is an interesting reminder that, while we might not always hear about them, security incidents are happening – and affecting UK firms every day.

More concerning still is that UK firms apparently represent 8% of the insurer’s policy count, but 17% of its claims count. Why does the UK have a disproportionately high volume of claims? CFC reckons because of the low cybersecurity maturity of these organisations.

Start with the endpoint
A comprehensive approach to cybersecurity of course requires multiple layers of protection including web and email gateways, networks and servers – not forgetting the vital “people” and “policy” elements. But many of the attacks which have led to damaging breaches over the past year started at the endpoint – the initial incursion point into the corporate network. We therefore need to start our efforts by better protecting this layer of infrastructure – but it’s not easy given the explosion in endpoints facilitated by cloud, mobile and IoT technologies.

Trend Micro’s answer is XGen: a cross-generational approach reliant on multiple layers of protection. None of these are a silver bullet on their own. But together they can form a formidable defence against the vast majority of known and unknown threats.

It should feature signature and non-signature based tools, including behavioural based filters, app control, exploit prevention and machine learning. The latter has been used for years by Trend Micro. But in this context we’ve made it even more effective at stopping threats by designing capabilities which extract and analyse a suspect file’s characteristics before and during its execution. This helps to reduce false positives and improve accuracy.

Endpoint compromise can play a vital role early on in the cyber kill chain. As we head into 2017, don’t underestimate the importance of gaining visibility and control at this layer. With huge regulatory pressure coming from Europe in 2018, no CISO can afford to ignore it.

 

 

Take Control at CLOUDSEC London this September

by Bharat Mistry

At a fundamental level information security is all about taking back control. It’s about reintroducing order into a chaotic and disordered world. But given the era-defining political upheaval the UK is witnessing at the moment, your average CISO could be forgiven for thinking that their job has just become even harder. Well, good security is also about resilience, and having the tenacity and will to stand firm – sometimes against the odds. But you can’t do this alone. Continue reading