Nation-State Attacks Force a New Paradigm: Patching as Incident Response

IT no longer has the luxury of thoroughly testing critical vulnerability patches before rolling them out.

Patching security vulnerabilities has always been the most important security activity an IT team does. For the 25+ years I've spent in security, keeping systems up to date with security patches has been recommendation No. 1 in any set of IT best practices. And during most of this time, we have had the luxury of patching at our own pace.
We've agreed that 30 days to apply patches is the standard of good practice and that the IT team should expedite applying critical severity security patches. But now, after a three-month period when zero-day exploits were identified for SolarWinds, Accellion, Exchange, Chrome, iOS, Android, BIG-IP, and more, and with 11 zero-days identified in just one week, we must accept the reality that the old best practices are just not good enough anymore.
Every time a new zero-day exploit is identified in the wild and we begin the next wave of incident responses (IRs), we send out urgent messaging to help address these critical emerging threats. And the primary thing I've said over and over again is that any security patch for a zero-day, or for a critical severity vulnerability, must be treated as a Level 1 security incident.
Because the bad actors know that most organizations do not patch faster than 30 days, and a huge number do not patch well at all, it's open season for the nation-states and their criminal advanced persistent threat (APT) groups to literally lay waste to wide swaths of industry and government. Our current approach to address these threats is failing in epic fashion right before our eyes.
Why It's Better to Risk ..