The title comes from a proverb: a stitch in time saves a hundred. Sew up a hole as soon as you discover it, before it gets bigger and much harder to close.
You’re probably already doing everything you can to keep your end-users’ system software up-to-date and secure. But can you say the same about the servers in your data center? Hackers are constantly probing systems for weaknesses they can exploit to infiltrate your environment, gain access to sensitive data or spread their attack to other systems. The answer to the question should therefore be “yes”, all the time.
Patch management in data centers, complex but essential
Patch management in data centers is complex and differs from patch management for end-user devices. In general, maintenance windows are much shorter. And with so many different configurations to handle, many data centers struggle to keep server software up-to-date with the latest patches and updates for operating systems and third-party applications, including Microsoft Windows systems and VMware vSphere hypervisors.
However, the appearance of BlueKeep in May 2019, targeting a vulnerability common in data centers, served as a stark reminder that patching data centers should be a priority. BlueKeep is a remote code execution vulnerability that lets attackers use Microsoft’s Remote Desktop Services (RDP) to attack unpatched computers running older versions of Windows, such as Windows XP, Windows 7, Windows Server 2003 and Windows Server 2008.
Even worse, BlueKeep is wormable. Once it has been used against one vulnerable system on the network, the attack can spread to others and give hackers almost unlimited access. Microsoft took the exceptional step at the time of releasing patches even for versions of Windows that were no longer supported.
Did it make a difference? Not really: a great many servers still have not received these patches. Meanwhile, security and operations teams around the world are “sewing” late into the night with each new malicious operation. According to reports, as of last October there were 700,000 internet-facing systems (not to mention those behind a firewall) running Remote Desktop (RDP) while still vulnerable to BlueKeep.
And while companies take the time to apply patches to physical servers, virtual servers are sometimes forgotten. This omission leaves the company both vulnerable and unaware of the risks involved. It’s understandable, to a certain extent. Waiting for virtual machines (VMs) to start, receive the patch, and then shut down is time-consuming and expensive. However, whether a system is on the network or offline, staying patch-compliant and distributing software updates are necessary to outpace hackers.
Also think about templates. Many data centers use VMware, but how many apply patches to their vSphere templates more than once or twice a year? It would be so much more efficient to patch the templates at the same time as your other systems. That way, when a new server starts up, it already meets your baseline.
Responsiveness is key to securing your business
Many companies rely on manual processes and juggle multiple tools to apply Windows and Linux patches. This makes management all the more complex. Patches take longer to deploy, potential points of failure multiply and, more generally, the data center is exposed to more risk.
However, the time it takes to discover, define and distribute software update packages, as well as to apply patches, is critical to fighting attacks. Typically, 50% of vulnerabilities are exploited within two to four weeks of their release. For CVE-2019-0708 (the BlueKeep vulnerability), it took only 14 days from the release of an update for its exploitation to be noticed. Make no mistake: fighting attackers is a race against time. Applying patches to all your servers, hypervisors and templates as soon as possible, accurately and under the control of a patch management solution, gives you a head start.
If the thought of introducing another agent, and with it another potential point of failure, worries you, or if it is impossible to assign new tasks to already overwhelmed teams, consider an agentless approach. Working without an agent lets you discover, detect and flag the operations required, so you don’t have to treat all your systems the same way. Apply patches to your offline virtual machines (VMs) at the same time as online VMs and physical servers, fully automatically, without increasing your footprint.
Complexity at the data center level shows up in different ways, from the configuration of your servers to operational constraints such as the need to restart them in a specific order. To save time and money while ensuring that your entire data center environment is protected, the goal is to automate every element of the server patching process. With automation, you can codify checklists by scripting complex workflow steps, which simplifies the patch management process. Find missing patches and deploy them across your entire environment: client desktops, physical and virtual servers, hypervisors, and templates.
By ensuring that all your servers, regardless of their status or operating system, as well as your hypervisors and data center templates, receive patches quickly and accurately, you can “fix the glitch” and protect your business and reputation from hackers who seek to compromise your systems.
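As an illustration of scripting one such workflow step, the restart-order constraint, here is an added example (not taken from any patch management product). It groups hosts into restart waves so that each host restarts only after its prerequisites; the host names and dependency map are constructed for the example.

```python
# Constructed inventory: host -> hosts that must be restarted BEFORE it.
# Templates and powered-off VMs have no runtime dependency but still
# belong in the plan so they are not forgotten.
RESTART_AFTER = {
    "db01": [],
    "app01": ["db01"],
    "app02": ["db01"],
    "web01": ["app01", "app02"],
    "tmpl-win2019": [],     # hypothetical vSphere template
    "vm-offline-07": [],    # hypothetical powered-off VM
}


def restart_waves(restart_after):
    """Return a list of waves (lists of hosts). Every host in a wave has
    all of its prerequisites in an earlier wave, so hosts within one wave
    can be patched and restarted in parallel."""
    pending = {host: set(deps) for host, deps in restart_after.items()}

    # A dependency on a host we do not manage would silently never be met.
    unknown = {d for deps in pending.values() for d in deps} - pending.keys()
    if unknown:
        raise ValueError(f"dependency not in inventory: {sorted(unknown)}")

    waves = []
    while pending:
        ready = sorted(h for h, deps in pending.items() if not deps)
        if not ready:
            # Nothing can start: the remaining constraints form a cycle.
            raise ValueError(f"circular restart constraint: {sorted(pending)}")
        waves.append(ready)
        for host in ready:
            del pending[host]
        for deps in pending.values():
            deps.difference_update(ready)
    return waves


if __name__ == "__main__":
    for number, wave in enumerate(restart_waves(RESTART_AFTER), start=1):
        print(f"wave {number}: {', '.join(wave)}")
```

A circular or dangling constraint raises an error instead of producing a plan, which is the case a hand-maintained checklist tends to miss.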