Marshall Jones, Director of Managed Services Development
At the end of each quarter, Kaspersky Lab releases its “IT Threat Evolution” report, an analysis of vulnerabilities and the malware that exploits them. The report is used industry-wide for insight into how vulnerabilities are being exploited to allow malware into your network. There was something unique about this quarter’s report, though: not a single Microsoft vulnerability made it into the entire 17-page report. The last line reads almost as an explanation for Microsoft’s absence from the report: “This is because the automatic updates mechanism has now been well developed.”
This report underlines the fact that Microsoft is no longer the bad guy in the vulnerability game. Third-party applications like Java, Adobe Flash, Adobe Reader, and QuickTime have quickly surpassed Microsoft, consistently being the predominant players in the Top 10 list. These four applications make up 70% of last quarter’s top vulnerabilities, with Java holding the top 2 spots. In fact, 56% of the exploits seen in the 3rd quarter of this year attacked Java vulnerabilities alone. These are staggering statistics, especially when you consider that many of these applications have become critical to day-to-day business in the financial industry. We, as financial IT industry experts, have to use these numbers as a tool: a guide to which products should be prioritized for updates, and a reminder that it is absolutely critical to deploy those updates in a timely fashion to remain secure.
Unfortunately, this is easier said than done. Keeping patches up to date on just these four third-party products, each of which releases updates independently, can be a daunting task. Typically, they don’t have a standard release cycle and have no method of pushing out patches to large numbers of machines, let alone reporting on the results of that rollout. Manually keeping these disparate applications up to date and secure, in a timely fashion, on anything more than a handful of machines is not realistic. An automated patching solution is required to keep these applications in check.
Since vulnerabilities, and the patching of those vulnerabilities, play such a vital role in the financial IT industry, it’s best to keep a close eye on trends in this space. A few years ago, my team noticed the trend away from Microsoft vulnerabilities and began working on a solution to keep these third-party applications up to date. We recognized that we needed a solution that could quickly update multiple third-party applications on tens of thousands of machines, and we needed to be able to provide reports on the results. This wouldn’t be easy, though; there’s a dizzying array of financial industry hurdles we would have to overcome, ranging from complex firewall, proxy, and IPS systems to low bandwidth, local permission limitations, and machine-specific application exclusions. You soon realize what a challenge it is to build a reliable automated patching solution. We took the task head-on, though, and after extensive research and development, our Critical Application Patching Service (CAPS) was born.
CAPS has been phenomenally successful for our financial institution (FI) clients since its introduction over a year ago. After just one month, we saw malware incidents drop by as much as 90% with many of our clients. The amount of time saved from the reduction in malware is difficult to quantify, but on average CAPS saves eight hours a month per client by automating just the patching side of the problem. On top of that, there’s nothing to prepare for the examiners; just hand over the CAPS report, which gives the third-party patch compliance status of every machine on the network. Patching these applications is now an afterthought for our CAPS customers; it’s all being handled behind the scenes.
We were able to solve this problem by architecting our own reliable solution, but too many FI network administrators are still content with only installing Microsoft patches and a Java update every so often. The reality is, if you haven’t started figuring out how you’re going to truly manage these third-party patches in an automated fashion, not just install patches here and there, you’re not only wasting your time dealing with malware, you’re also leaving your network incredibly vulnerable. The tide has fully turned; it’s time to recognize that Microsoft is now the least of your worries.