Think You Have It Covered With WSUS? Think Again…
Paul Henry - September 8th, 2010
As noted in our July blog post “Adjust Your Defense to the Changing Threat Vector,” third party applications now pose the greatest risk to network security. Simply turning on WSUS and patching the underlying OS and Microsoft applications leaves you woefully exposed. The bad guys know they can improve the success of an attack by going after vulnerabilities in applications you are failing to patch. Today, they are directing their attacks against third party applications, NOT the traditional Microsoft applications.
The new threat vector is taking advantage of what many consider to be an enterprise blind spot and, as a result we are perhaps more at risk today than we were just a year ago. Unfortunately many security professionals seem to have completely missed this change. This point was driven home in the recent InformationWeek Survey that noted the majority of people are only somewhat concerned as opposed to very concerned about a zero-day exploit (Figure 1); 54% of respondents said their level of vulnerability is the same as it was a year ago (Figure 2) and 64% of respondents said they do not believe they will experience a security breach within the next year (Figure 3).
The change in the threat vector puts most organizations at greater risk and requires we take a much more comprehensive approach to securing our networks. Over time, the application of so many different point products – each plugging one of the latest leaks in network security – have caused security management to become overly complex. In turn, this has allowed problems such as third party applications to slip through the cracks.
The current head-in-the-sand approach to our current threat landscape apparent in the InformationWeek survey is nothing short of a recipe for disaster.
4 immediate steps to help mitigate risk
1. Rethink your currently accepted security practices such as the old Black List or Negative Security Model because they are obsolete and change is long overdue. The only approach that makes sense in an environment where signature based defenses have become overwhelmed is to adopt a model that only allows applications explicitly permitted by policy and that are trusted to operate within the enterprise.
2. Broaden your flaw remediation efforts to include all applications operating within the environment. As noted previously, turning on WSUS and calling it a day is no longer sufficient. The leading applications attacked for more than the past year were not Microsoft applications updatable with WSUS, rather they were third party applications like Adobe Reader, Flash, and QuickTime.
3. Thoughtful consolidation of security products on your endpoint is a necessity. Security product sprawl is prevalent in most organizations with the numerous security agents running on your endpoints, each with separate and distinct security tasks. The wasted overhead has caused some organizations to simply turn off some security mechanisms due to the poor performance they inflict.
4. Look at the bigger picture and architect your defenses so they include both good security and operational considerations. By design, we need to have the ability to proactively alert on the security impact of operational actions (such as new vulnerabilities introduced by newly deployed software) and the operational impact of security actions (such as the impact security configuration changes may create.)
One solution worthy of consideration in mitigating the new risks imposed by the rapidly changing threat vector for both end point / enterprise security is L.E.M.S.S. from Lumension. It meets these challenges head on by reducing complexity, enhancing security & compliance, and expanding visibility across operations and security functions. Additional information on Lumension L.E.M.S.S. can be found here.