The National Cyber Security Centre (NCSC) stated in a blog, "patching remains the single most important thing you can do to secure your technology and is why applying patches is often described as 'doing the basics.'"

They go on to explain that it’s not easy to do in practice. This is due to factors such as the time it takes, the cost, maintenance of accurate asset inventories, the risk of a patch breaking something, failed rollouts, or the inability to patch all equipment. When patching is hard, the NCSC recommends six defence-in-depth tactics to help prevent, detect and respond to attacks:

  1. Reduce the ways attackers can exploit your systems through architecture and configuration
  2. Manage your assets well (know what you have and what it's doing, and have ways of finding out when something changes)
  3. Manage your operational risks
  4. Back up your business-critical data
  5. Have a security monitoring capability, to help with problem detection and cleanup
  6. Create and practise incident response/business continuity plans

Let’s review some of these recommendations.

1. Reduce the ways attackers can exploit your systems through configuration

Secure configuration is about reducing your exposure to attack: locking down applications, protocols, servers, etc. with hardened configurations, and making sure you have good password complexity and firewall rules.

Typically, operating systems and apps are configured for ease-of-deployment and ease-of-use rather than security. To prevent the exploitation of vulnerable settings and services, you need rigorous configuration management.

Start by reviewing the default configurations of operating systems and applications as delivered by manufacturers and resellers. Once reviewed, establish and manage a minimum set of standards for security configurations. Then continue to review settings and configurations as the landscape changes. For example, after WannaCry struck, it was recommended that IT disable the SMB v1 service. Another example is the exploitation of the Remote Desktop Protocol (RDP) by the threat group SamSam. The advice in this instance is to turn off RDP if it’s not needed or strengthen password policies to prevent entry if it is used.
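A read-only check of the two settings named above, as an added example (not from the original article, the NCSC or Ivanti): it reports whether the SMB v1 server protocol is enabled and whether RDP accepts connections on a Windows host. The Network Level Authentication check and the helper name `Get-RegistryValue` are assumptions of this example, not advice from the article.

```powershell
# Added example: read-only audit of SMB v1 and RDP state on the local host.
# Run in an elevated PowerShell session; nothing is changed.

function Get-RegistryValue {
    # Hypothetical helper: returns $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$findings = @()

# SMB v1 server side: the baseline expects this to be disabled.
$smb = Get-SmbServerConfiguration
$findings += [pscustomobject]@{
    Check    = 'SMB v1 server protocol disabled'
    Observed = "EnableSMB1Protocol=$($smb.EnableSMB1Protocol)"
    Pass     = -not $smb.EnableSMB1Protocol
}

# RDP: fDenyTSConnections = 1 means connections are refused (RDP off).
# A value set by Group Policy takes precedence over the local setting.
$tsLocal  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$deny = Get-RegistryValue $tsPolicy 'fDenyTSConnections'
if ($null -eq $deny) { $deny = Get-RegistryValue $tsLocal 'fDenyTSConnections' }
$rdpOn = ($deny -eq 0)
$findings += [pscustomobject]@{
    Check    = 'RDP off unless needed'
    Observed = "fDenyTSConnections=$deny"
    Pass     = -not $rdpOn
}

# Only relevant when RDP is on: is Network Level Authentication required?
# (Extra check assumed by this example; the article speaks of password policy.)
if ($rdpOn) {
    $nla = Get-RegistryValue "$tsLocal\WinStations\RDP-Tcp" 'UserAuthentication'
    $findings += [pscustomobject]@{
        Check    = 'RDP requires NLA'
        Observed = "UserAuthentication=$nla"
        Pass     = ($nla -eq 1)
    }
}

$findings | Format-Table -AutoSize
```

Where RDP is legitimately needed, the second row will show as failed; treat it as a prompt to review the password and lockout policy for accounts allowed to log on remotely.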

Use configuration management in conjunction with your patch management activity as part of your security strategy. And, to make it easy for one team to manage patching and configuration management, integrate your patch management tools with your endpoint solutions.

2. Manage your assets well

You can only patch software if you know it exists and what state it’s in. Without visibility into your assets, you can’t protect or defend your environment. It’s critical to have better insight for a better security posture.

You need a solid discovery tool to find your assets and a comprehensive IT asset management solution to track, manage, and optimize all hardware and software running on your network. Only then will you know what’s on your network and what operating systems and applications to prioritize and patch. You’ll also have better insight into devices running older operating systems or hardware that can’t receive firmware updates to make decisions to replace them.

Of course, patching won’t protect against zero-day exploits. And, if you are running legacy systems that can’t be patched or removed, you need to secure the apps. Through privilege management and application whitelisting software, you can prevent unmanaged devices from gaining access to your network and unauthorized software from installing and executing.

3. Manage your operational risks

Risk can be mitigated or avoided but rarely quashed completely. Security-conscious IT organizations recognize risk and manage it accordingly.

Known vulnerabilities are still the root cause of a lot of security breaches. All it takes is one person to click on one link or rogue email attachment, or one unsecured configuration. But you can't protect against every potential exploit. So, how do you focus on the right things to maximize effectiveness?

One of the ways to prioritize risk is through adherence to a well-established security framework like Cyber Essentials or the Center for Internet Security's Critical Security Controls, which offer prioritized strategies for applying basic security controls that will mitigate and manage risk. For risk management, use these controls to gain visibility into your critical systems, processes, and data, then determine the consequences if you no longer had access to or control over these systems to help prioritize your defence and protection strategy.

4. Back up your business-critical data

Backing up data is just common sense. How many times have you held your head in your hands, when you’ve been writing a report or working on a long and involved spreadsheet, and your system has crashed, and the document is unrecoverable? Now imagine if you can no longer access all your business-critical data because it’s held to ransom.

We talked about asset and risk management to identify, prioritize, and protect critical systems; the same strategy applies to your data. You cannot and do not need to back up every piece of data your organization produces. You need to identify the business-critical data that your organization cannot function without, as well as any data covered by regulations such as GDPR and the systems on which it resides. Effectively manage and patch the systems that house this data, and back up the data on separate systems and in a separate location to avoid horizontal movement by malware should it gain a foothold in your systems.

5. Have a security monitoring capability, to help with problem detection and clean up

In today’s cybersecurity landscape, continuous monitoring and real-time assessments of user and application behaviour are crucial to a cybersecurity plan.

Security monitoring starts with knowing what’s on your network. We talked about discovering and managing devices and applications earlier. When devices aren’t running the latest application or operating system updates, they could be vulnerable to attacks. So, it’s important to monitor and understand the risks to your organization continually. You also need insight into who is running applications, who gets to run applications, and when and where they can run. Continuous scanning gives that information.

It’s also advisable that teams involved in monitoring are kept abreast of any changes in the IT environment and changes in policies such as risk management or business goals.

6. Create and practise incident response/business continuity plans

Security incidents take many forms, such as a denial of service, ransomware, misuse of privileges, or lost or stolen assets. Resolving these incidents often leads to a configuration change, a patch for a software vulnerability, or a change in policy for privileges or application/device control capabilities.

Security incident plans should define what is considered a security incident and categorise incidents so that the response is appropriate to the level of risk.

When you identify a security incident, do you have the means to respond to and remediate it directly? If a security incident occurs, you should be able to isolate an infected system, re-provision a system that was ransomed or couldn’t be cleaned, and apply configuration changes to resolve security vulnerabilities as part of your Security Incident Management plan.

A comprehensive plan includes roles and responsibilities across the organization. It defines the data to record to deal with an incident and to evaluate the response. Staff should be trained on how to deal with an incident, and the plan needs to be tested regularly and improvements made.

Your Defence-in-Depth

Here at Ivanti, our defence-in-depth solutions focus on security basics that raise the highest barriers against real-world attacks. And security starts with patch management. But your patch management will only be as effective as your discovery and asset management.

Your end goal should be to have visibility into your entire enterprise so that you can discover and manage all your hardware and software, and swiftly pinpoint and remediate security concerns.

Let us help you increase your organization’s security posture. Get insights from Ivanti experts, our customers, and industry analysts like Gartner and Forrester. Browse our IT asset management, security site, and configuration management content.