This blog post is an excerpt from our report created in partnership with Oracle, Improving Federal Security With Automated Patching.
If one thing is constant in the IT world, it’s change. Technology and procedures are often changing for the better in government, which improves processes and services that citizens can then use to improve their lives.
“Agencies are advancing their thinking in terms of what they need to protect,” Federal CIO Suzette Kent said at an industry event earlier this year, adding that agencies nevertheless need to continue looking at what they measure and automate some of those activities. “But we have to aggressively keep the mindset that we are never done,” she said. “It’s just a step in the journey.”
But this change also means that fresh attack vectors and cybersecurity threats are constantly developing. We’ve seen that firsthand with discoveries of new hardware vulnerabilities (like Spectre and Meltdown) or execution vulnerabilities (like Foreshadow and L1 Terminal Fault).
Unfortunately, federal IT professionals often have limited resources, which makes proactively combating changing security vulnerabilities challenging, and leaves agencies’ data and applications exposed. Additionally, many agencies lack a basic ability to determine what software runs on their systems. This means that federal agencies are often operating in the dark when it comes to their attack vectors and potential remediation.
Deploying security patches is a critical remedy for many of these issues. Unfortunately, it can be an extremely manual and time-consuming process. Because of this, many agencies and departments fail to patch in a timely manner.
The patch that would have fixed a security issue often already exists – it was simply never applied because of the complexity of deploying it.
Proper patching can be complicated. According to the National Institute of Standards and Technology (NIST), “Timing, prioritization, and testing are intertwined issues for enterprise patch management. Ideally, an organization would deploy every new patch immediately to minimize the time that systems are vulnerable to the associated software flaws.”
But the reality is that prioritization and limited resources determine when and which patches are applied. More importantly, taking systems down to apply OS patches is very disruptive to the agency’s operations, and administrators see the downtime itself as a risk. Delaying patches, however, leaves the infrastructure exposed to known flaws for longer and increases its overall vulnerability.
Manual patching and security processes are unlikely ever to keep pace with today’s rapidly evolving cyberattacks. “We must immediately address the insecurities embedded in commercial software … Ensuring that patches are implemented in a timely and secure manner is an entirely different matter,” Virginia Sen. Mark Warner said in a statement after the WannaCry attacks.
The best way for federal agencies to overcome these issues and meet security and compliance demands is by moving to an operationalized and automated process for patching that does not disrupt their operations.