Data Center Servers – When a Patch in Time Saves Nine
A patch in time saves nine; the title of this blog is borrowed from an English proverb – a stitch in time saves nine. Stitch a hole or tear as soon as you discover it to prevent the hole from becoming more significant and needing even more work to fix it. As software patch management goes, that’s pretty good advice.
And I know you already do all you can to keep end-user system software up to date and secure. But can you say the same about all the servers in your data center? When threat actors are continually probing systems to identify what they can compromise to infiltrate your environment and access sensitive data or spread wide to other systems to form an attack, it’s a question you need to be able to answer yes to at any given moment.
Patch Management in Data Centers
Patch management in data centers is more complex than patching end-user machines. Maintenance windows are generally much shorter, and the variety of configurations means many teams are straining to keep server software current with the latest patches and updates for operating systems and third-party platforms such as Microsoft Windows® and the VMware vSphere® Hypervisor.
However, BlueKeep, a vulnerability common across data center estates and disclosed in May 2019, was a stark reminder of the need to keep data center server patching top of mind. BlueKeep was a remote code execution vulnerability that enabled attackers to use Microsoft’s Remote Desktop Services to attack unpatched computers running older versions of Windows: Windows XP, Windows 7, Windows Server 2003, and Windows Server 2008. To make matters worse, BlueKeep is wormable; once it exploits one vulnerable system on the network, it can propagate to others, giving attackers almost unlimited access. At the time, Microsoft even took the unusual action of releasing patches for versions of Windows that are no longer supported.
Has it changed anything? If I had a dollar for every unpatched server still out there, I’d be sitting on a beach in Hawaii. Meanwhile, security and ops teams around the world will be stitching late into the night when the next harmful exploit appears. Reportedly, in October, there were 700,000 public-facing systems (excluding those behind firewalls) running RDP that were still vulnerable to BlueKeep.
Even if organizations take the time to patch physical servers, we know that virtual servers are sometimes overlooked. This oversight leaves the business exposed and ignorant of the risk. It’s understandable to a point: waiting for virtual machines (VMs) to boot up, patch, and then power down costs time and budget. But whether a system is on the network or disconnected, patch compliance and delivery of software updates are necessary steps to stay ahead of attackers. Consider also templates. Many data centers run VMware, but how many patch their vSphere templates more than once or twice a year? How much more efficient would it be to patch templates in line with production systems? When a new server spins up from a patched template, it already meets your production baseline.
Keep Your Organization Secure
With many organizations relying on manual processes and juggling different tools for patching Windows and Linux, the management complexity grows. That leads to added time to patch, more points of potential failure, and generally greater risk in the data center. Yet the time it takes to discover vulnerabilities, define and deliver software-update packages, and apply patches is critical in defeating attacks. Historically, 50% of vulnerabilities are exploited within a window of two to four weeks from release. It took fourteen days from the time that CVE-2019-0708, the BlueKeep vulnerability, was made known together with the availability of an update to a confirmation that a full exploit had been achieved. Make no mistake; it’s a race to beat the threat actors. Patching all your servers, hypervisors, and templates in a timely, accurate, and controlled manner from one patch management system will give you a head start.
If the thought of introducing another agent and adding another potential point of failure leaves you cold, or if adding more monitoring tasks to overwhelmed staff is impossible, think agentless. Agentless technology can discover, detect, and present what needs doing, solving the problem of treating all your systems equally. Patch your offline virtual machines (VMs) in conjunction with online VMs and physical servers, all in an automated way, and without adding to your footprint.
Earlier, we talked about the complexity within your data centers. It manifests in many ways, from the configuration of your servers to constraints on execution, such as the need to reboot in a specific order. To save time and money while ensuring the entire data center environment is protected, aim to automate every part of the server patching process. Through automation, build out checklists by scripting the complex workflow steps that support the patch management process. Scan for missing patches and deploy them across the entire environment: client workstations, physical servers, virtual servers, hypervisors, and templates.
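As an added illustration of the automation described above (this is example code, not part of the original post or of any vendor's product), the script below takes a constructed inventory covering every asset kind the post names, including offline VMs and a template, plans patch-and-reboot waves that respect the "reboot in a specific order" constraint, and reports which non-compliant hosts must be patched while powered off. Hostnames and patch ids such as `P-1` are hypothetical placeholders.

```python
from collections import defaultdict

# Constructed inventory; hostnames and patch ids (P-1 ...) are hypothetical
# placeholders, not real KB or CVE identifiers.
INVENTORY = [
    {"name": "db01", "kind": "physical", "online": True, "missing": ["P-1", "P-2"], "reboot_after": []},
    {"name": "app01", "kind": "vm", "online": True, "missing": ["P-1"], "reboot_after": ["db01"]},
    {"name": "app02", "kind": "vm", "online": False, "missing": ["P-1", "P-3"], "reboot_after": ["db01"]},
    {"name": "web01", "kind": "vm", "online": True, "missing": [], "reboot_after": ["app01", "app02"]},
    {"name": "tpl-w2k8", "kind": "template", "online": False, "missing": ["P-1"], "reboot_after": []},
]

def plan_waves(inventory):
    """Return patch/reboot waves: each wave is a sorted list of hostnames
    that can be patched in parallel; a host in wave n waits for every host
    in its 'reboot_after' list to finish in an earlier wave (Kahn's
    algorithm). Hosts that are already compliant need no reboot and are
    left out, so a dependency on them is satisfied immediately."""
    todo = {h["name"]: h for h in inventory if h["missing"]}
    pending = {n: {d for d in h["reboot_after"] if d in todo} for n, h in todo.items()}
    waves = []
    while pending:
        ready = sorted(n for n, deps in pending.items() if not deps)
        if not ready:  # every remaining host waits on another: the ordering is circular
            raise ValueError(f"reboot-order cycle among: {sorted(pending)}")
        waves.append(ready)
        for n in ready:
            del pending[n]
        for deps in pending.values():
            deps.difference_update(ready)
    return waves

def compliance_report(inventory):
    """Per-asset-kind counts of hosts missing patches, plus the offline VMs
    and templates that must be patched without being powered on."""
    by_kind = defaultdict(lambda: {"total": 0, "noncompliant": 0})
    offline = []
    for h in inventory:
        by_kind[h["kind"]]["total"] += 1
        if h["missing"]:
            by_kind[h["kind"]]["noncompliant"] += 1
            if not h["online"]:
                offline.append(h["name"])
    return dict(by_kind), sorted(offline)

if __name__ == "__main__":
    for i, wave in enumerate(plan_waves(INVENTORY)):
        print(f"wave {i}: {', '.join(wave)}")
    print(compliance_report(INVENTORY))
```

With the constructed inventory the template is patched in the first wave alongside the database host, so servers cloned from it afterwards already carry the patch, and the offline VM `app02` is listed as needing patching without being powered on.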
Ensuring that you patch all your servers, whatever their status or operating system, together with the hypervisors and templates in the data center, in a timely and precisely controlled manner is your defensive “stitch”: it keeps your organization protected, and its reputation intact, against attackers seeking to compromise systems.
Did you know “a stitch in time saves nine” is an anagram for “this is meant as incentive,” so what are we waiting for?