Security incidents involving zero-day vulnerabilities – those dreaded flaws for which no fix is yet available – are making headline news. Yet the truth is that zero-day exploits account for only a small fraction of the attacks against production systems. More often than not, major breaches are the result of systems not being up to date with security patches. When hackers discover a vulnerability, they’re able to set up systems that automatically attempt to exploit it. Until recently, there was no analogous automated defense; with self-driving security, we can correct that imbalance.
This is a problem that needs solving, urgently. It’s astonishing that our industry hasn’t addressed this critical flaw with our systems. As consumers, we are accustomed to automated updates to our mobile devices’ OS and to our browsers, but as admins and operations professionals, we still rely largely on an error-prone and often delayed manual process to update our servers. This leaves us open to attack and as more and more devices go online, the security implications for the Internet at large become truly alarming.
The Mirai botnet, for example, exploited known vulnerabilities in thousands of home routers and connected devices to launch a series of massive distributed denial-of-service (DDoS) attacks against high-profile websites. It’s estimated that there are hundreds of thousands of such vulnerable devices out there still – and in many cases, their owners 1) wouldn’t know when their devices’ software had an available update, and 2) wouldn’t know how to apply a security patch if one were available.
Any delay between when a patch is published and when it is put into production represents a window of opportunity for attackers. Reducing this delay is an essential step toward securing the internet, but even enterprises with dedicated, professional IT security teams often are not equipped to respond immediately to the latest vulnerability. One solution, unorthodox but proving effective, is to take the matter out of IT’s hands and slam the window of opportunity shut by applying patches and software updates automatically.
The major web browsers have shown how safe, effective, and efficient automated updates can be. Confronted by a seemingly never-ending stream of web exploits – ranging from cross-site scripting to header injection, session hijacking, and beyond – Google, Mozilla, and others realized that the only way to keep browser users safe is to make the browser patch itself and lift the burden off of the user.
Traditional IT admins may balk at this concept, at least initially. We’ve all heard stories of a faulty patch leading to downtime for mission-critical systems. Long-standing practices dictate that no patch can be installed before it’s thoroughly tested and vetted by the security team. But when implemented in a rational, well-thought-out way, automated updates are really the best way forward in today’s IT landscape, for a number of reasons:
Automatic updates close a hacker’s window of opportunity. It can’t be stressed enough that when it comes to security, time is critical. The moment a vulnerability is identified or a patch is published, the whole world is effectively made aware that un-patched systems exist, waiting to be exploited. Opportunistic hackers will leap on that opportunity. With automatic updates your infrastructure is patched as soon as the fix is available, closing the window in which a hacker can take advantage of the vulnerability.
Automatic updates enable scale. Updating a handful of servers manually may be feasible. But today’s IT organizations are increasingly turning to high-volume, scaled-out infrastructure that’s partly modeled after the “hyper-scale” web companies. Even with a patch automation system, rolling out patches to hundreds or thousands of systems from a centralized source can be cumbersome. With automated updates, this process no longer requires manual intervention to successfully complete.
Automatic updates are admin-friendly. IT automation isn’t about putting people out of work. It’s about becoming more efficient, which frees up IT staff to concentrate on projects that create value for the organization rather than focusing on the rote drudgery of systems maintenance. Whether or not updates are initiated automatically, automating the update process itself eliminates the technical debt typically associated with the manual process and delivers these efficiencies.
Automatic updates aren’t risky. Bad patches are always a possibility, but automatic updating doesn’t mean flying blind. In the self-driving security model, as with modern web browsers, multiple release channels give admins time to test patches in beta before deploying them on a large scale. In the worst-case scenario, rollback mechanisms are available to undo a defective patch until a replacement arrives.
Automatic updates are critical and are here now. Self-driving security is feasible today because IT infrastructure itself has evolved. Containerization, for example, separates application dependencies from the underlying OS, making it easier to update the OS without disturbing the applications or to update one application without disturbing the others. IT and security teams should embrace these and other modern data center technologies to help reduce the security risks inherent in legacy IT systems and processes.
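The release-channel and rollback model described above, as an added illustration that is not code from the original article or from any particular product: a patch is pushed channel by channel, a health check gates each promotion, and a channel that fails the check triggers rollback of every host updated so far. Channel names, the fleet and the health check are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

CHANNELS = ["alpha", "beta", "stable"]  # assumed promotion order, not from the article
@dataclass
class Host:
    name: str
    channel: str
    version: str
    previous: Optional[str] = None  # kept so a defective patch can be undone
def apply_update(host: Host, new_version: str) -> None:
    host.previous = host.version
    host.version = new_version
def rollback(host: Host) -> None:
    if host.previous is not None:
        host.version, host.previous = host.previous, None
def staged_rollout(fleet: List[Host], new_version: str,
                   healthy: Callable[[Host], bool],
                   max_failure_rate: float = 0.0) -> List[Tuple[str, str, int]]:
    """Push new_version through CHANNELS in order. If a channel's post-update failure
    rate exceeds max_failure_rate, stop and roll back every host updated so far."""
    log, updated = [], []
    for channel in CHANNELS:
        hosts = [h for h in fleet if h.channel == channel]
        for h in hosts:
            apply_update(h, new_version)
            updated.append(h)
        failures = sum(1 for h in hosts if not healthy(h))
        if hosts and failures / len(hosts) > max_failure_rate:
            for h in updated:  # defective patch never reaches the next channel
                rollback(h)
            log.append((channel, "rolled_back", failures))
            return log
        log.append((channel, "promoted", failures))
    return log

def demo() -> List[Host]:
    # Constructed fleet and health check: version 2.0.1 is assumed to break
    # host beta-2, while 2.0.2 is assumed to be a clean replacement patch.
    fleet = [Host("alpha-1", "alpha", "2.0.0"), Host("beta-1", "beta", "2.0.0"),
             Host("beta-2", "beta", "2.0.0"), Host("stable-1", "stable", "2.0.0"),
             Host("stable-2", "stable", "2.0.0")]
    def healthy(h: Host) -> bool:
        return not (h.version == "2.0.1" and h.name == "beta-2")
    staged_rollout(fleet, "2.0.1", healthy)  # stops at beta; alpha and beta rolled back
    staged_rollout(fleet, "2.0.2", healthy)  # clean patch reaches stable
    return fleet
```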
Ultimately, securing the Internet is a responsibility we all share. Operating un-patched, vulnerable systems doesn’t just threaten your organization’s own security. Your vulnerable systems could also be used to launch an attack against mine, and vice versa. All across the Internet, we are all constantly being challenged by attacks of ever-increasing sophistication. The only way to beat this game of whack-a-mole is to swing a faster mallet – and that’s how automatic updating reduces exposure to vulnerabilities.
It’s time to get past the idea that automatic updates are risky, or that they can’t be applied effectively. With the pace of attacks accelerating, this outmoded way of thinking is fast becoming a non-starter. It’s the toughest problems that cry loudest for innovation. Security is a bear of a problem for all of us, and it’s time for more companies to take up the challenge, and make sure they have the best security practices in place to do their part in securing the Internet overall.