On Friday, a group of unknown threat actors carried out one of the largest cyberattacks of its kind, which infected hundreds of thousands of computers in 150 countries. The ransomware, known as WannaCry, exploits a Microsoft Windows OS vulnerability that was patched in Microsoft’s Security Bulletin two months ago. The universal advice was straightforward: Update your Windows systems to include the latest patches to prevent attacks.

The idea of employing basic endpoint hygiene to keep your data safer seems simple, so why has WannaCry been so damaging? The answer may lie in the hidden complexities found in effective patch management.

The Patch Management Conundrum

The nuances of effective patch management run much deeper than simply having a system administrator push out patches or relying on inconsistent vendor-supplied mechanisms. Because of organizational silos, it takes most IT departments weeks or even months to deploy patches throughout their highly distributed environments. In fact, it can take organizations several months to even come close to achieving complete patch compliance.

The patch management conundrum raises questions that many organizations may find difficult, if not impossible, to answer. For example:

  • How should an organization deploy critical out-of-band patches, such as MS 17-010, that arrive urgently and off the routine patch schedule?
  • How can system administrators keep track of patches in an environment with thousands or hundreds of thousands of highly distributed endpoints running a variety of operating systems (OSs) and applications?
  • How long will the patching process take from start to finish, and how will system admins confirm that every endpoint in their infrastructure remains properly patched?
  • How can patches be deployed without interfering with the end-user experience and productivity?

The inability to address these fundamental questions is a key reason why attacks such as WannaCry are successful, even when there is a patch available. Most endpoint tools are challenged to address these kinds of attacks in three very important ways:

  1. Insufficient visibility. Incomplete visibility provides poor context to discover and report on the current state of all endpoints (including unmanaged ones), especially in highly distributed environments.
  2. Sporadic endpoint hygiene. Manual processes and cumbersome scan-and-poll-based mechanisms reduce the ability to effectively prioritize and respond to the most critical vulnerabilities.
  3. Silos of teams and tools. Security teams and IT operations are typically siloed, leading to fragmented defenses that are slow respond.

A Better Path Forward: Five Steps Toward Effective Patch Management

Fortunately, these hurdles are surmountable. IBM BigFix removes these obstacles with a comprehensive solution that is purposefully built for highly distributed, heterogeneous environments. With this solution, organizations can finally see, change, enforce and report on patch compliance status in real time, on a global scale and through a single console.

1. Research

IBM tracks patch releases from OS, anti-malware and common third-party application vendors, and makes them available to users, eliminating the need for time-consuming patch research processes. Users can simply open up the BigFix console to view the latest updates and select patches for deployment.

Within 24 hours of the disclosure of the WannaCry vulnerability, BigFix had a fixlet for MS17-010, as well as previously unsupported Microsoft OSs, which were made available to all BigFix customers.

2. Assess

With BigFix, a single intelligent software agent is installed on all managed endpoints to continuously monitor and report on the endpoint state, including patch levels, with a management server. The agent also compares endpoint compliance against defined policies, such as mandatory patch levels and standard configurations. This information is especially critical during emergency patch scenarios such as MS17-010 because security analysts must rapidly quantify the overall magnitude and risk from the related exploits.

3. Remediate

Since BigFix customer servers automatically download the latest patch updates, endpoints can immediately begin to assess whether a particular patch is needed without the need for operator intervention. The endpoint agent receives the new policy and immediately evaluates the endpoint to determine whether the patch is applicable. If so, it downloads and applies the patch, reporting back success or failure within minutes.

4. Confirm

Once a patch is deployed, the BigFix agent automatically and continuously reassesses the endpoint status to confirm successful installation, immediately updating the management server in real time. This step is critical to support compliance requirements, which require definitive proof of continuous patch installation. Closing the loop on patch deployment enables organizations to ensure patch compliance in a way that is smarter, faster and much more reliable.

5. Enforce

The BigFix intelligent agent continuously enforces patch policy compliance, helping to ensure that endpoints remain updated. If a patch is uninstalled for any reason, the policy can specify that the agent should automatically reapply it to the endpoint as needed. Through the same centralized console, endpoint compliance status is reported in real time, allowing IT administrators to easily monitor the state of all managed endpoints in the organization. Administrators enjoy full control of their endpoints, enabling them to handle significantly more work than other products that require a lot of manual intervention and introduce significant time lags into the reporting process.

These five steps have enabled BigFix to deliver real and effective patch management against this massive ransomware attack and the diversity of endpoint vulnerabilities that exist today. It provides an automated, simplified patching process that is administered from a single console and delivers real-time visibility and enforcement to all endpoints, on and off the corporate network. The result is a first-pass patch success rate of more than 98 percent, the reduction of patch cycle times from weeks or months to minutes or hours, and significant cuts in operational costs.

Industry Leaders Pushing Endpoint Hygiene

While the WannaCry wreckage is splashed across news headlines, some security thought leaders are taking this opportunity to remind their clients about the importance of endpoint hygiene.

When it comes to mitigating threats such as WannaCry, CBI Cyber Security Solutions emphasized the importance of “doing things right, timely execution and using the right tools.” On the day of the WannaCry attacks, one of the firm’s customers wrote in an email:

I just wanted to let you know the help we had with BigFix for the ransomware that caused havoc today.

Our Information Security alerted us to the issue, and within minutes we had a list of servers still needing the patch and were able to quickly determine that no files were present on any server. It definitely reduced any panic we might have had.

Meanwhile, Champion Solutions Group advocated basic hygiene for all IT professionals. Dan Powers, the company’s senior software engineer, wrote, “My clients were well on their way to a good night sleep, not having to worry about the latest ransomware, called ‘WannaCry,’ by leveraging BigFix and applying good computer hygiene.”

BigFix ‘Just Works’

For two decades, IBM BigFix has provided clients of all sizes with best-in-class multiplatform solutions for endpoint detection and response (EDR), enterprisewide asset discovery, patch management, software distribution, usage analysis, configuration management, security and regulatory compliance, and more.

Thousands of clients and over 100 million endpoints later, our clients still say the same thing about BigFix: “It just works.”

To learn more, read the Forrester Research report, “The Total Economic Impact of IBM BigFix Patch and BigFix Compliance.”

More from Endpoint

The Needs of a Modernized SOC for Hybrid Cloud

5 min read - Cybersecurity has made a lot of progress over the last ten years. Improved standards (e.g., MITRE), threat intelligence, processes and technology have significantly helped improve visibility, automate information gathering (SOAR) and many manual tasks. Additionally, new analytics (UEBA/SIEM) and endpoint (EDR) technologies can detect and often stop entire classes of threats. Now we are seeing the emergence of technologies such as attack surface management (ASM), which are starting to help organisations get more proactive and focus their efforts for maximum…

5 min read

X-Force Identifies Vulnerability in IoT Platform

4 min read - The last decade has seen an explosion of IoT devices across a multitude of industries. With that rise has come the need for centralized systems to perform data collection and device management, commonly called IoT Platforms. One such platform, ThingsBoard, was the recent subject of research by IBM Security X-Force. While there has been a lot of discussion around the security of IoT devices themselves, there is far less conversation around the security of the platforms these devices connect with.…

4 min read

X-Force Prevents Zero Day from Going Anywhere

8 min read - This blog was made possible through contributions from Fred Chidsey and Joseph Lozowski. The 2023 X-Force Threat Intelligence Index shows that vulnerability discovery has rapidly increased year-over-year and according to X-Force’s cumulative vulnerability and exploit database, only 3% of vulnerabilities are associated with a zero day. X-Force often observes zero-day exploitation on Internet-facing systems as a vector for initial access however, X-Force has also observed zero-day attacks leveraged by attackers to accomplish their goals and objectives after initial access was…

8 min read

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

12 min read - ‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities.Figure 1 — Exploitation timelineHowever, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack surfaces can…

12 min read