We’ve all heard it before: “Just patch all the things and you’ll be perfectly fine.” There’s a lot of truth to that statement, but it’s also extremely shortsighted. If you’re working in a large enterprise, or in an organization that depends on unique equipment for business functions, it’s almost impossible to follow the “patch all the things” mantra, mostly because patches aren’t available or the systems have become unsupported. At CCSI we work with some of the world’s largest organizations, and in doing so we’ve noticed that patching isn’t always an option for some systems on the network, even though we recommend it as a priority. Here are a few areas we recommend focusing on when patching isn’t an option.
The first suggestion we always make is to segment these systems from the rest of the population. They need to be placed in an isolated network segment to contain the blast radius if they are ever compromised. Systems on your network that can’t be patched create an attack surface that can be used to pivot toward other assets on the network. For this reason they require layer 3 or layer 7 filtering, which eliminates direct access to these risks on your network. Depending on your architecture this can include network changes to VLANs, firewall rules, NAC, etc. The goal of this recommendation is to lay the groundwork for tightened network security with “need to know” access.
After network segmentation, or in tandem with it, we recommend focusing on the host in question to lock down the endpoint or application. Are these systems able to run endpoint software that allows application whitelisting or a host-based firewall? We’re taking this recommendation down a layer to the endpoint itself, to determine whether there are policies or configurations that can tighten how the endpoint is accessed and which applications are allowed to run on it.
Lastly, implementing log and traffic analysis for these systems is needed to determine whether there are attack attempts against them. Correlating endpoint logs with network logs to identify attack traffic is important. Any system capable of ingesting these log types, whether NTA or SIEM, can raise the priority of alerts based on the vulnerability of the endpoint. This matters because these systems are extremely vulnerable to attack and can become a pivot point into other areas of your organization.
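As an added example (not CCSI’s code or any client’s configuration), the following Python script ties the segmentation and the log-analysis recommendations together: a risk register of hosts that can’t be patched, a default-deny “need to know” allowlist for the isolated segment they sit in, and a triage pass over firewall log lines that alerts on any flow into that segment not covered by the allowlist, with the alert priority taken from the destination’s register entry. The hostnames, addresses, allowlist entries and the key=value log format are all constructed for illustration and do not correspond to any vendor’s format.

```python
"""Prioritizing alerts for systems that cannot be patched.

Combines a risk register of unpatchable hosts, a default-deny allowlist for
their isolated segment, and a triage pass over firewall log lines. Any flow
into the segment that is not on the allowlist becomes an alert whose priority
comes from the destination's register entry.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed risk register (hypothetical hosts): systems that cannot be
# patched, keyed by address, with the risk rating recorded for each.
RISK_REGISTER = {
    "10.50.0.10": {"name": "hmi-legacy-01", "risk": "critical"},
    "10.50.0.11": {"name": "labctl-xp-02", "risk": "high"},
}

# Isolated segment holding the unpatchable systems (constructed).
ISOLATED_SEGMENT = ipaddress.ip_network("10.50.0.0/24")

# "Need to know" allowlist: (source network, destination host, protocol, port).
# Anything into the segment that is not listed here is a violation.
ALLOWLIST = [
    (ipaddress.ip_network("10.10.5.0/24"), "10.50.0.10", "tcp", 502),   # SCADA server to HMI
    (ipaddress.ip_network("10.10.9.8/32"), "10.50.0.11", "tcp", 3389),  # jump host only, RDP
]

# Alert priority derived from the register's risk rating. Hosts inside the
# segment that are missing from the register still get P3 so the gap is seen.
PRIORITY = {"critical": "P1", "high": "P2", "medium": "P3"}
DEFAULT_PRIORITY = "P3"

# Constructed key=value firewall log format (not a specific vendor's format).
LOG_RE = re.compile(
    r"action=(?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


@dataclass
class Flow:
    action: str                    # what the firewall did: allow or deny
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_line(line: str) -> Optional[Flow]:
    """Parse one firewall log line; return None for lines we do not understand."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Flow(m["action"].lower(), ipaddress.ip_address(m["src"]),
                ipaddress.ip_address(m["dst"]), m["proto"].lower(), int(m["dport"]))


def is_allowed(flow: Flow) -> bool:
    """Default deny: a flow into the segment must match an allowlist entry exactly."""
    return any(
        flow.src in net and str(flow.dst) == dst and flow.proto == proto and flow.dport == port
        for net, dst, proto, port in ALLOWLIST
    )


def triage(lines: List[str]) -> List[dict]:
    """Return alerts for flows into the isolated segment that break the allowlist.

    A flow the firewall allowed but which is not on the allowlist is flagged as a
    policy gap: the deployed rules are looser than the intended segmentation.
    Alerts are sorted so the highest-risk destinations are handled first.
    """
    alerts = []
    for line in lines:
        flow = parse_line(line)
        if flow is None or flow.dst not in ISOLATED_SEGMENT:
            continue                      # traffic outside the segment is out of scope here
        if is_allowed(flow):
            continue                      # expected "need to know" traffic
        entry = RISK_REGISTER.get(str(flow.dst))
        alerts.append({
            "priority": PRIORITY.get(entry["risk"], DEFAULT_PRIORITY) if entry else DEFAULT_PRIORITY,
            "asset": entry["name"] if entry else None,
            "dst": str(flow.dst),
            "src": str(flow.src),
            "dport": flow.dport,
            "policy_gap": flow.action == "allow",
            "reason": ("firewall permitted a flow not on the allowlist"
                       if flow.action == "allow" else "blocked connection attempt"),
        })
    alerts.sort(key=lambda a: a["priority"])
    return alerts


# Constructed sample log lines covering the cases the triage pass distinguishes.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z fw01 action=allow src=10.10.5.20 dst=10.50.0.10 proto=tcp dport=502",   # expected flow
    "2024-03-01T10:00:05Z fw01 action=deny src=10.20.7.33 dst=10.50.0.40 proto=tcp dport=22",     # host not in register
    "2024-03-01T10:00:09Z fw01 action=allow src=10.20.7.33 dst=10.50.0.11 proto=tcp dport=3389",  # rule gap: RDP not from jump host
    "2024-03-01T10:00:12Z fw01 action=deny src=10.20.7.33 dst=10.50.0.10 proto=tcp dport=445",    # blocked probe at critical host
    "2024-03-01T10:00:15Z fw01 action=allow src=10.20.7.33 dst=10.60.1.5 proto=tcp dport=80",     # outside the segment, ignored
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOGS):
        print(alert)
```

Run on the sample lines, the pass yields three alerts: a P1 for the blocked probe at the critical HMI, a P2 policy gap for the RDP session the firewall let through from outside the jump host, and a P3 for the segment host that nobody has put in the register yet. In a real deployment the allowlist and register would come from the firewall policy and the risk register rather than being hard-coded, and the alerts would be handed to the SIEM or NTA platform rather than printed.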
Laying out these suggestions has helped clients who don’t have the ability to patch their systems continue doing business by applying compensating controls. In many cases this is a band-aid until additional funding or updates arrive, but for others it becomes a method of moving forward with systems that can’t be patched. Adding these systems to your risk register and applying additional security around them is the best way to increase visibility and transparency about these risks to management and decision makers.
Author Bio: Matthew Pascucci is a Security Architect, Privacy Advocate and Security Blogger. He holds multiple information security certificates and has had the opportunity to write and speak about cyber security for the past decade. He’s the founder of www.frontlinesentinel.com and can be contacted via his blog, on Twitter @matthewpascucci, or via email email@example.com