The Ponemon Institute’s Third Annual Study on the State of Endpoint Security Risk has some concerning findings.
Zero Days & AV blind spots
- 80% of end-point attacks involved a zero-day. (A zeroday, or 0day, is a vulnerability that is unknown to the software manufacturer)
- Zero-day attacks are expected to increase 42% in the next year
- Anti-virus missed 60% of the attacks.
These stats paint a bleak picture of organizations facing more novel attacks with AV solutions that are noisy and missing most of the attacks.
If you are still using traditional AV it isn’t enough. It hasn’t been for a long-time. Look to more comprehensive solutions and consider adding Endpoint Detection & Response (EDR) to your security stack.
Solutions I admire/recommend
- Microsoft Defender + ATP – Note that this same study found that 80% of respondents were moving to this solution. “Most organizations either use or plan to use Microsoft Windows Defender antivirus solution. Eighty percent (80) of respondents say they currently have (34 percent) or plan to have in the near future (46 percent) the Microsoft Windows Defender antivirus solution. The top two reasons are to reduce the number of separate endpoint security tools and the solution is on par with other antivirus tools”
- Sophos Intercept X
- Crowdstrike Falcon Endpoint Protection
- Carbon Black Endpoint Standard
Patching, Patching, Patching…
“The average time to apply, test and fully deploy patches is 97 days.”.
Yikes, that is about 87 days too long for most organizations. Yes, you should test patches before deployment to avoid production issues. That’s certainly best practice, but here in the real world most organizations haven’t funded adequate test beds or invested the time to establish effective testing routines.
The risk/reward trade-off for waiting to deploy critical or high security patches is being continually shifting to the risk side of the equation. Said another way, Not deploying a security patch is a bigger gamble every day. When patching is delayed you are not fighting against ZeroDay exploits but rather 30day, 60day, etc… Gamble in Vegas, not on patching.
Practical Patching Suggestions
- Be aware of patches – Subscribe to US-CERT Bulletins, Alerts, & Activity. It’s a clearing house for 95% of the important/critical patches.
- Have a good fall-back plan – In the absence of robust testing make sure to coordinate backup routines to ensure you have the most recent snapshot to roll-back to. Test your procedures/tools for uninstalling a patch or rolling back to a snapshot.
- Communicate to workforce – Let them know what is being patched. If they notice an issue and are aware of a recent patch they are more likely to report it. This also applies to your Helpdesk. They need the context to associate a potential problem with a recently deployed patch.
- Microsoft Patches – Try to wait at least 1 day before deploying the patch. Check /r/sysadmin‘s patch tuesday megathreads to get an idea of any issues. I’m also a fan of Randy Smith’s Patch Analysis.
- Visibility is Everything – It is crucial to have a tool that is reporting on patch status across your organization. You can’t patch what you can’t see. These tools can range from WSUS and RMMs up to Vulnerability Managment platforms that routinely scan and report vulnerabilities. Have something in place. Don’t assume.
This report was published in Jan 2020, pre-COVID19 so take that into account. It was sponsored by Morphisec, so thanks to them for sponsoring research. You can read the full report and browse other research and reports on my Reference Repo