In prepared testimony for this week’s congressional panel on the Equifax breach that led to the theft of personal information of more than 145 million people, former CEO Richard Smith said the breach was the result of an unpatched Apache Struts software vulnerability within the company’s online disputes portal. According to Smith, Equifax did in fact receive notification of the vulnerability months earlier, first from US-CERT and then from its own scans, but neither alert prompted a fix by the IT security team.
Ouch. The fallout from this has already imposed sweeping executive change, from the CISO to the CEO, and more action is certainly on its way.
But let’s be honest. As security practitioners, we’ve all delayed an update or two. New vulnerabilities seem to crawl out of the woodwork daily and it’s difficult, if not downright impossible, to keep up with the volume of needed patches and updates, especially when you consider tight budgets and insufficient head count. But, as we read every week in the news, failure to patch and update is a risky bet. Lack of bandwidth may be a justifiable reason, but it can’t be our excuse.
Traditional, manual approaches to endpoint security compound the problem and lead to the neglect of basic maintenance such as patching. We recently teamed up with the Ponemon Institute for our annual look at The Cost of Insecure Endpoints and found typical security and IT teams spend an average of 1,156 hours per week to manually assess, manage and secure endpoints. Furthermore, 75% of respondents said they aren’t keeping up with patching.
While there isn’t a single silver bullet for organizational security, there are important steps to prioritize. Because you can’t patch what you don’t know you have, respondents to the study ranked automation as a critical component of maintaining both visibility and control over endpoints. Not only will more of the needed updates get made this way, improving security posture, it could also save organizations a lot of money. According to this study, $3.4 million would be saved per year, in part because teams waste an average of 425 man-hours each week chasing false negatives and false positives.
Equifax is but one example in a sea of missed security patches. Every victim of WannaCry ransomware, and many others, is a more recent case in point. Unfortunately, this problem isn’t going away anytime soon.