The recent successful ransomware attacks – WannaCry in May and Petya this week – point to the large disconnect between IT operations, responsible for endpoint management (including patching), and Security groups, responsible for preventing malicious attacks against the organization.
For years, security researchers at Gartner and elsewhere have been pointing out that well over 90% of malicious attacks use common vulnerabilities and can be prevented by keeping system patches up to date. Yet, the patching process is obviously lacking and failing.
The WannaCry and Petya attacks are perfect examples of this phenomena. The critical Microsoft MS17-010 patch, that prevents use of the ETERNALBLUE exploit that WannaCry and Petya used, was released March 14th 2017, which is some two months before the May 12th Wannacry outbreak.
I have to think (hope?) that Security departments at most victim organizations were aware of all this — if not when the Microsoft patch was released, then a month later when the Shadow Brokers gang noisily released the exploit.
Nonetheless, it’s obvious that staff responsible for patching endpoints either were;
- not aware of the threat,
- did not take the threat seriously or
- had no way to properly prioritize this patch amidst their heavy workload.
The root cause of falling victim to these devastating ransomware attacks lies within organizational processes and is not due to some endpoint security software failure (although certainly that can be a secondary cause).
- IT operations and Security are typically separate buying centers under separate organizational management
- IT operations is not motivated to implement strong security controls
- Security departments don’t have the technical power to implement patching.
- They also don’t usually have detailed information on which endpoints are in most need of the patching.
How to address and solve this dangerous disconnect?
- At a minimum, security teams need good IT hygiene information so they can tell immediately which endpoints are vulnerable and which need to be patched.
- They can then convey the specific information to the IT operations team, to help them prioritize and potentially reduce the scope of their patching efforts.
- Optimally, IT operations should come up with patching processes that equally satisfy organizational needs for both system stability and improved security.
Like most serious security issues, this isn’t a technology issue – it’s a process and people issue.