At the 2016 DEF CON 24 show, the DARPA Cyber Grand Challenge saw seven automated security systems teams competing for the $2 million grand prize in a capture the flag-type challenge. The goal was to develop systems that can detect vulnerabilities, patch themselves and ward off intrusions in an autonomous fashion. This is fascinating technology that, given the complexities associated with today's network environments, could help improve enterprise security in many ways. But is it going to be worth it? What are the unintended side effects and risks associated with automated patching? While this technology does not yet exist on a widespread level, this is something that enterprises need to be thinking about as their information security programs and associated technologies advance.

In my work performing independent security assessments, I have seen many organizations that could use some type of automated patching technology. The software flaws would be acknowledged, the patches would be deployed and the systems would remain resilient to future attacks -- all with minimal human effort. This all sounds good on paper and would certainly please many auditors and executives.

The problem is, the system patching process is not that cut and dried. It's actually a fairly complicated process that involves many systems, people and processes working in concert to ensure that updates are properly deployed, security is improved and the environment remains stable. The latter item -- stability -- is no doubt the most important aspect to the majority of the security professionals involved. As we have all learned and experienced, one bad patch is all it takes to take down an otherwise stable system. A bad patch ends up creating a situation that many would argue is worse for the business than the security weakness the patch was attempting to resolve.

Overworked security staff are no doubt looking for ways to improve their network security posture, such as with an automated patching system, but there are certain things that must be considered, such as:
- How do you, or the system, determine what gets patched first?
- How do you ensure that mission-critical systems do not get patched if you can't afford the risks, yet remain secure?
- How do you involve third-party vendors, who tend to not support software patching, thus placing all the risk on your business?
- What fallback plans do you have for when something breaks due to a software update?
Advancements in the software quality of modern operating systems and applications mean that patches can be deployed in a semiautomated fashion -- at least at the workstation level. After all, that's where much of the focus needs to be, especially with third-party software such as Java and Adobe products. But what about the servers, applications, databases and network infrastructure systems that can remain vulnerable to attack? How are software and firmware updates applied to these systems?
Is the price of an automated patching system worth it? Perhaps the benefits of automated patching do outweigh the drawbacks. It's important to note that the DARPA Cyber Grand Challenge used a specialized testbed of computers running custom software that had never been analyzed before. Participating teams in the DARPA challenge, which was the first automated patching competition of its kind, took nearly 10 hours to hunt for and patch vulnerabilities that would normally have taken weeks or even longer. But it's unclear how these automated patching systems will function with commercial software products and complex legacy applications.
Every situation is different. The reality is that, given the limited resources of the enterprise IT security team and the risk of human error, security needs to be automated where it can be. Now is the time to start considering how the patching process could or should be automated in the future. If you can automate this information security function, you could likely translate many of those processes and lessons into other areas, which could be extremely beneficial for future security initiatives.