Simplifying and Securing Enterprise Infrastructure

Michel Saad, Ejada

Soeren Bech, Accelerite

Fazahath Baig, Accelerite Webinar series overview

ENTERPRISE PATCHING: ENTERPRISE PATCHING: ENTERPRISE PATCHING: CHALLENGES BEST PRACTICES ROAD AHEAD

Patch management is the process for identifying, acquiring, installing, and verifying patches for products and systems. Patches correct problems in software, including security vulnerabilities. Patch management is commonly required by security frameworks or standards, such as CIS Critical Security Controls for Effective Cyber Defense, ISO 27001 Annex A, PCI DSS, or NIST Cyber Security Framework..

1. Have we assigned clear roles & responsibilities? 2. Do we know our IT assets? 3. What are the capabilities of our patch management technology? 4. What are the inputs to our security monitoring process? 5. Do we measure effectiveness and efficiency?

Windows 10

October 2003 – Patch Tuesday Windows 8.1

Windows 8

Windows XP Windows 7 (most widely adopted client OS) Released wsusscn2.cab Current size - file size - ~750MB ~219MB

\ The global average cost of a data breach is $3.9 million across Small and Medium businesses. - Equifax breach – $4 Billion. - Ransomware attack – $133,000. - WannaCry attack National Health Service – $100 million. \ Cost of information loss is estimated at $5.9 million. \ With 72% rise in last 5 years. Source

Most recent Attacks: Garmin paid millions in ransom to hackers – August 2020 https://www.forbes.com/sites/quickerbettertech/2020/08/0 9/garmin- surrenders-pays-millions-in-ransomand-other-small-business-tech- news/

Canon suffers a Ransomware attack – August 2020 https://www.forbes.com/sites/daveywinder/2020/08/05/has-canon- suffered-a-ransomware-attack-10tb-of-data-alleged-stolen-report/

\ CVE, short for Common Vulnerabilities and Exposures, list of publicly disclosed computer security flaws. CVE ID number, CVE name: For Eg: CVE-YYYY-NNNNNN

\ “WannaCry” also known as ‘Windows SMB Remote Code Execution Vulnerability’- CVE-2017-0144.

\ Once such CVE is announced or identified, until the patch is applied, an Enterprise is at increasing risk.

Microsoft’s Adobe’s SAP Security Update Guide portal – More than Security updates here – About 20 Security Security updates here – About 10 CVE 80 CVE fixed in July updates fixed in July (3 Critical and 6 Medium) VMWare Oracle’s DB Chrome 84 Security updates here – 10 Critical and Updates here – 18 CVE’s just for Oracle Security updates here – 1 Critical, 6 High 5 Important DB, with 5 High impact patches released CVE fixed

Breaches in most cases happen after a patch is available

After Covid 19, 75% of companies report that between 76 and 100% of the workforce works from home That was 3% before Covid 19. According to 2020 remote work security report by CyberSecurity Insiders

Survey suggests specific threat vectors that companies are worried remote employees are exposed to while working from home 72% Malware

44% 67% Unpatched Phishing Systems

Avoidable exploits 57% Unauthorized User/Access

\ Windows 10 cumulative patch and features updates size considerations.

\ File size of the ever increasing wsusscn2.cab file for offline scanning – Currently at ~750MB.

\ Different applications to patch for compliance. For eg. Chrome, Adobe, Oracle.

\ Different tools to be managed for patching and updates.

\ Sources and subscription types to navigate for patch content acquisition.

\ Training personnel for each of the tool, application, software and patch type.

\ Testing and rollout window.

\ Visibility of different hardware device types and access issues. For eg. ThinClients, POS, Laptops, Mobile

\ Scalability across the organization of patch servers.

\ Network access to endpoint devices. (+ Covid remote working)

\ Geographically dispersed infrastructure. (+ Covid remote working)

\ Report collection for compliance reports and management reporting.

How do we give users flexibility How do we manage high growth How do we manage accurate while still securing corporate of devices without distribution reporting with increasingly remote information remotely? and management costs? workforce?

How can I provide great service How do we manage and patch How do we manage different to my users with my current different device types and government regulations and headcount? operating systems? industry standards?