On Friday, a group of unknown threat actors carried out one of the largest cyberattacks of its kind, infecting hundreds of thousands of computers in 150 countries. The ransomware, known as WannaCry, spreads by exploiting a vulnerability in the Windows SMBv1 server that Microsoft had patched two months earlier in security bulletin MS17-010. The universal advice was straightforward: Update your Windows systems with the latest patches to prevent attacks.

The idea of employing basic endpoint hygiene to keep your data safer seems simple, so why has WannaCry been so damaging? The answer may lie in the hidden complexities found in effective patch management.

The Patch Management Conundrum

The nuances of effective patch management run much deeper than simply having a system administrator push out patches or relying on inconsistent vendor-supplied mechanisms. Because of organizational silos, it takes most IT departments weeks or even months to deploy patches throughout their highly distributed environments. In fact, it can take organizations several months to even come close to achieving complete patch compliance.

The patch management conundrum raises questions that many organizations may find difficult, if not impossible, to answer. For example:

  • How should an organization deploy urgent critical patches, such as MS17-010, that must go out ahead of the routine patch schedule?
  • How can system administrators keep track of patches in an environment with thousands or hundreds of thousands of highly distributed endpoints running a variety of operating systems (OSs) and applications?
  • How long will the patching process take from start to finish, and how will system admins confirm that every endpoint in their infrastructure remains properly patched?
  • How can patches be deployed without interfering with the end-user experience and productivity?

The inability to answer these fundamental questions is a key reason why attacks such as WannaCry succeed even when a patch is available. Most endpoint tools fall short against these kinds of attacks in three important ways:

  1. Insufficient visibility. Incomplete visibility provides poor context for discovering and reporting the current state of all endpoints (including unmanaged ones), especially in highly distributed environments.
  2. Sporadic endpoint hygiene. Manual processes and cumbersome scan-and-poll mechanisms reduce the ability to prioritize and respond to the most critical vulnerabilities.
  3. Silos of teams and tools. Security teams and IT operations are typically siloed, leading to fragmented defenses that are slow to respond.

A Better Path Forward: Five Steps Toward Effective Patch Management

Fortunately, these hurdles are surmountable. IBM BigFix removes these obstacles with a comprehensive solution that is purpose-built for highly distributed, heterogeneous environments. With this solution, organizations can see, change, enforce and report on patch compliance status in real time, on a global scale and through a single console.

1. Research

IBM tracks patch releases from OS, anti-malware and common third-party application vendors, and makes them available to users, eliminating the need for time-consuming patch research processes. Users can simply open up the BigFix console to view the latest updates and select patches for deployment.

Within 24 hours of the WannaCry outbreak, BigFix had a Fixlet for MS17-010, including coverage for the previously unsupported Microsoft OSs that Microsoft issued emergency patches for, and it was made available to all BigFix customers.

2. Assess

With BigFix, a single intelligent software agent is installed on every managed endpoint. It continuously monitors endpoint state, including patch levels, and reports it to a management server. The agent also compares endpoint compliance against defined policies, such as mandatory patch levels and standard configurations. This information is especially critical during emergency patch scenarios such as MS17-010, because security analysts must rapidly quantify the overall magnitude and risk of the related exploits.

3. Remediate

Because BigFix servers automatically download new patch content, endpoints can begin assessing whether a particular patch applies without operator intervention. The endpoint agent receives the new policy and immediately evaluates the endpoint to determine whether the patch is relevant. If so, it downloads and applies the patch and reports success or failure within minutes.

4. Confirm

Once a patch is deployed, the BigFix agent automatically and continuously reassesses the endpoint to confirm successful installation, updating the management server in real time. This step is critical for compliance requirements, which call for definitive proof that patches are installed and stay installed. Closing the loop on patch deployment lets organizations ensure patch compliance in a way that is smarter, faster and far more reliable.

5. Enforce

The BigFix intelligent agent continuously enforces patch policy compliance, helping to ensure that endpoints remain updated. If a patch is uninstalled for any reason, the policy can specify that the agent automatically reapply it. Through the same centralized console, endpoint compliance status is reported in real time, allowing IT administrators to monitor the state of all managed endpoints in the organization. Administrators retain full control of their endpoints and can handle significantly more work than with products that require extensive manual intervention and introduce long lags into reporting.
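To make the assess, remediate and confirm steps concrete for MS17-010 specifically, here is an added example of the check an administrator would run on a single Windows host. It is not BigFix or IBM code; it is a stand-alone PowerShell script that does by hand what the agent-side logic above does at scale. The KB numbers are those Microsoft published under MS17-010; the .msu path is a placeholder you supply for the host's OS, and the script must run in an elevated session. One caveat a practitioner needs: a missing KB is not proof of exposure, because later cumulative updates supersede these KBs without carrying their numbers, so the script also reports the srv.sys version for comparison against the fixed versions listed in Microsoft's bulletin.

```powershell
# Added example (not IBM/BigFix code): assess, remediate and confirm MS17-010
# on one Windows host. Run elevated. KB list is from Microsoft's MS17-010
# bulletin; $MsuPath is a placeholder you must supply for the host's OS.

# Security-only and monthly-rollup KBs released under MS17-010. Later
# cumulative updates supersede them, so "no KB found" alone is inconclusive.
$Ms17010Kbs = @(
    'KB4012598',                              # XP / Server 2003 / Vista / 2008 (emergency release)
    'KB4012212', 'KB4012215',                 # Windows 7 / Server 2008 R2
    'KB4012214', 'KB4012217',                 # Server 2012
    'KB4012213', 'KB4012216',                 # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'     # Windows 10 1507 / 1511 / 1607
)

function Get-Ms17010Status {
    # Assess: which MS17-010 KBs are installed, what srv.sys reports, and
    # whether SMBv1 (the attack surface WannaCry uses) is still enabled.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID }

    $srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
    $srvVersion = 'n/a'
    $srvDate    = $null
    if ($srv) {
        $srvVersion = $srv.VersionInfo.ProductVersion   # compare with the bulletin's fixed version
        $srvDate    = $srv.LastWriteTime
    }

    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later expose the SMB server settings directly
        $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Windows 7 / Server 2008 R2: SMB1 is on unless this value is explicitly 0
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $v = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
        $smb1Enabled = ($null -eq $v -or $v.SMB1 -ne 0)
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Ms17010Kbs    = ($installed.HotFixID -join ',')
        SrvSysVersion = $srvVersion
        SrvSysDate    = $srvDate
        Smb1Enabled   = $smb1Enabled
        KbPresent     = [bool]$installed
    }
}

function Invoke-Ms17010Remediation {
    param(
        [string]$MsuPath,        # placeholder: the MS17-010 .msu for this host's OS
        [switch]$DisableSmb1     # interim mitigation where the patch cannot be applied yet
    )
    $before = Get-Ms17010Status

    if (-not $before.KbPresent -and $MsuPath -and (Test-Path $MsuPath)) {
        # Remediate: wusa.exe installs an .msu silently; exit code 3010 means a reboot is pending
        $p = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
            -ArgumentList "`"$MsuPath`" /quiet /norestart" -Wait -PassThru
        Write-Host "wusa.exe exit code: $($p.ExitCode)"
    }

    if ($DisableSmb1 -and $before.Smb1Enabled) {
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            # Takes effect after the LanmanServer service restarts (or a reboot)
            Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                -Name SMB1 -Value 0 -Type DWord
        }
    }

    # Confirm: re-run the assessment so the returned object reflects the post-change state
    Get-Ms17010Status
}

Get-Ms17010Status | Format-List
```

Because both functions return objects rather than text, the same assessment can be fanned out with `Invoke-Command -ComputerName (Get-Content hosts.txt) -ScriptBlock ${function:Get-Ms17010Status}` (hosts.txt being your own inventory) and exported to CSV, which is the hand-rolled equivalent of the list of unpatched servers the customer below describes pulling from the console. Re-running it from a scheduled task approximates the enforce step. Disabling SMBv1 is a sound interim mitigation, but confirm first that no legacy clients or devices still depend on it.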

These five steps have enabled BigFix to deliver real and effective patch management against this massive ransomware attack and the diversity of endpoint vulnerabilities that exist today. It provides an automated, simplified patching process that is administered from a single console and delivers real-time visibility and enforcement to all endpoints, on and off the corporate network. The result is a first-pass patch success rate of more than 98 percent, the reduction of patch cycle times from weeks or months to minutes or hours, and significant cuts in operational costs.

Industry Leaders Pushing Endpoint Hygiene

While the WannaCry wreckage is splashed across news headlines, some security thought leaders are taking this opportunity to remind their clients about the importance of endpoint hygiene.

When it comes to mitigating threats such as WannaCry, CBI Cyber Security Solutions emphasized the importance of “doing things right, timely execution and using the right tools.” On the day of the WannaCry attacks, one of the firm’s customers wrote in an email:

I just wanted to let you know the help we had with BigFix for the ransomware that caused havoc today.

Our Information Security alerted us to the issue, and within minutes we had a list of servers still needing the patch and were able to quickly determine that no files were present on any server. It definitely reduced any panic we might have had.

Meanwhile, Champion Solutions Group advocated basic hygiene for all IT professionals. Dan Powers, the company’s senior software engineer, wrote, “My clients were well on their way to a good night’s sleep, not having to worry about the latest ransomware, called ‘WannaCry,’ by leveraging BigFix and applying good computer hygiene.”

BigFix ‘Just Works’

For two decades, IBM BigFix has provided clients of all sizes with best-in-class multiplatform solutions for endpoint detection and response (EDR), enterprise-wide asset discovery, patch management, software distribution, usage analysis, configuration management, security and regulatory compliance, and more.

Thousands of clients and over 100 million endpoints later, our clients still say the same thing about BigFix: “It just works.”

To learn more, read the Forrester Research report, “The Total Economic Impact of IBM BigFix Patch and BigFix Compliance.”
