Don’t Compromise Security For Business Continuity This Patch Tuesday

By Chris Hodson
CISO, Tanium | Sep 08, 2020 11:41 am PST

By the time UK CISOs encounter this month’s Patch Tuesday many organisations will have been working from home for almost 6 months. The shift of the UK workforce to indefinite remote working has created the combined challenges of VPN bottlenecks, a surge in unprotected endpoints, and remote working stresses that threaten to expose corporate assets to elevated cyber risk. 

In this unique climate, endpoint visibility and control are crucial for security leaders fighting to manage risk whilst supporting business continuity.

Patching problems

Even before lockdown, Patch Tuesday was becoming increasingly fraught for many organisations. Digital transformation is expanding the corporate attack surface and escalating IT complexity, while attackers are getting smarter at exploiting bugs. 

COVID-19 has pushed these challenges to the limit, as mass home working creates and compounds critical visibility gaps. In fact, our research revealed that 85 percent of business leaders thought they were prepared to manage the shift to widespread working from home. Despite the majority feeling confident they could face new security challenges, 98 percent revealed that they did face security challenges in the transition to a distributed workforce. All this has increased the pressure on IT teams to prioritise specific vulnerabilities and endpoints, without impacting productivity or interrupting business-critical services.

Conflicting priorities

The CISO’s first priority should be to improve basic IT hygiene via prompt patching of all critical assets, which itself is predicated on gaining visibility and control across the IT estate. Yet the COVID-19 working environment has meant these efforts are being complicated not only by visibility gaps, but also conflicting IT priorities.

In most cases, this boils down to the critical strain VPN infrastructure is under. The priority for all business users is to seamlessly access the apps they need to do their jobs. But VPN concentrators are saturated and network bandwidth is at peak capacity now, thanks to the spike in home working. With usage going from just 15-20% of the workforce using VPNs sporadically to 95% of them online all day long, remote access infrastructure is under immense pressure.

Unfortunately, much of the extra strain is down to the security function, whose controls in many organisations are delivered through appliances in the datacentre that are only accessible via VPN. Under pressure from CIOs to take the load off VPNs, CISOs must, therefore, make difficult decisions about how to continue managing risk whilst supporting productivity at a time of crisis. Split tunnelling is one option, allowing home users to do as much work via the open internet as possible. But it carries extra risk: that employee traffic is no longer inspected by the IDS/IPS, proxy services and malware sandboxing in your datacentre.

At the same time, security professionals themselves are in the same boat as most of their colleagues, subject to the stresses of working from home as kids run around. It is a very different working dynamic from the collaborative, face-to-face office team structures they are used to, and it will take some adjustment.

Visibility and control

Some CISOs may hope to stick to the same policies, standards and risk tolerance as they had prior to COVID-19. But this aspiration will eventually come up against the new reality of running IT during a pandemic. Facing such extreme circumstances, the security function is in danger of being marginalised. With the UK now very much amidst a recession, the bottom line is that there's no IT security if there's no business.

So, what is the way forward? No-one planned for this eventuality. Even the most rigorous business continuity modelling could not have predicted that patches would need deploying on this scale to home working endpoints, or that VPN links would already be saturated. And mapping architecture and data flows is hard to do retroactively when there are major IT fires that need fighting elsewhere.

What CISOs can do, however, is to think about tools that will shine a light on the IT endpoint estate. These should provide a comprehensive list of all computer and data assets, and critical information on which machines are vulnerable at a specific moment in time and where they are located. This will not only enable CISOs to prioritise remediation, but also understand which apps and data stores need secure VPN connections. Some endpoint management platforms will even deliver patches without needing to travel down VPN tunnels, avoiding the potential nightmare scenario many organisations may find themselves in this Tuesday.
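The prioritisation described above, as an added illustration that is not code from the original article or from any Tanium product: a constructed inventory snapshot is scored by missing-patch severity, by whether the endpoint is at home (outside the datacentre controls), and by stale check-in data (a visibility gap), and endpoints whose patch delivery would have to traverse the VPN are flagged separately. The field names, weights and patch identifiers are all assumptions chosen for the example.

```python
"""Prioritise Patch Tuesday remediation from a point-in-time endpoint inventory."""
from dataclasses import dataclass, field

@dataclass
class Endpoint:
    hostname: str
    location: str                 # "home" or "office" (assumed values)
    missing_patches: dict = field(default_factory=dict)  # patch id -> severity
    patch_path: str = "direct"    # "direct": agent reaches the update source over
                                  # the internet; "vpn": delivery must cross the VPN
    last_seen_hours: int = 0      # hours since the endpoint last reported in

# Assumed weights: critical patches dominate, home endpoints count double,
# and an endpoint that has not reported for a day is a visibility gap.
SEVERITY_WEIGHT = {"critical": 10, "important": 4, "moderate": 1}
HOME_MULTIPLIER = 2
STALE_AFTER_HOURS = 24
STALE_PENALTY = 5

def risk_score(ep: Endpoint) -> int:
    score = sum(SEVERITY_WEIGHT.get(sev, 0) for sev in ep.missing_patches.values())
    if ep.location == "home":
        score *= HOME_MULTIPLIER
    if ep.last_seen_hours > STALE_AFTER_HOURS:
        score += STALE_PENALTY
    return score

def prioritise(endpoints):
    """Return hostnames in remediation order: highest risk first, name as tie-break."""
    return [e.hostname for e in sorted(endpoints, key=lambda e: (-risk_score(e), e.hostname))]

def vpn_dependent(endpoints):
    """Endpoints that still need patches and can only receive them via the VPN."""
    return [e.hostname for e in endpoints if e.patch_path == "vpn" and e.missing_patches]

def visibility_gaps(endpoints):
    """Endpoints whose data is too stale to trust for this Patch Tuesday."""
    return [e.hostname for e in endpoints if e.last_seen_hours > STALE_AFTER_HOURS]

# Constructed sample inventory (patch ids are placeholders, not real KB numbers).
INVENTORY = [
    Endpoint("LAPTOP-01", "home", {"KB-EXAMPLE-1": "critical", "KB-EXAMPLE-2": "important"}, "vpn", 2),
    Endpoint("LAPTOP-02", "home", {"KB-EXAMPLE-2": "important"}, "direct", 40),
    Endpoint("DESK-03", "office", {"KB-EXAMPLE-1": "critical"}, "direct", 1),
    Endpoint("DESK-04", "office", {}, "direct", 1),
]

if __name__ == "__main__":
    print("order:", prioritise(INVENTORY))
    print("needs VPN for patching:", vpn_dependent(INVENTORY))
    print("stale inventory data:", visibility_gaps(INVENTORY))
```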

In time, COVID-19 may even be seen as a tipping point for Zero Trust models which do away with VPNs altogether. As organisations migrate more critical services to the cloud, the concept of “never trust, always verify” has become an increasingly popular way for the enterprise to support flexible working while minimising cyber risk.

Don’t let security standards slip

The risk when this is all over is that the genie will be hard to put back in the bottle. Under pressure from their CIOs, security leaders will have to continue fighting their corner to ensure that practices like split tunnelling don't become the norm. This will be even more difficult to do if the organisation has been lucky enough to remain breach-free for the duration of the lockdown. With workers beginning to filter back into the office, senior executives may mistakenly believe a return to more secure policies is not needed. In fact, in some circumstances they may even divert funds longer-term to areas of IT which were affected more viscerally during the crisis.

However, with a focus on IT hygiene, visibility and control, CISOs can find a way through these difficult times, and build a secure foundation for the future.