So You Think You Can Patch

BSidesSF 2018 · 27:39 · 199 views · Published 2018-04
About this talk
Speakers: John Banghart, Allan Friedman, Kent Landfield, Wendy Nather

So You Think You Can Patch: The Game Show that Questions Your Security Assumptions

Few people know that the game show was actually a Victorian invention, although they were a bit more erudite in the airship era. In this week's episode of "So You Think You Can Patch," we explore what happens when patching isn't so simple. Contestants and the audience will face situations when security updates may not be the straightforward solution, for end users or modern enterprises. How will they handle notice, failure, and bricking? Should this sort of thing be mandated by law, contract, or risk of lawsuit? What policies, technologies and market solutions can help? Our contestants will be humiliated for wrong answers and failing to appreciate the nuance of security, and everyone will win as they gain a better understanding of how solutions need to reflect and build on the realities on the ground.
Transcript [en]

Alright, alright, alright, alright. Who is ready to play our game? Yes! Welcome, welcome to So You Think You Can Patch, the game show that tests your security assumptions. We have got a great game for you today. Of course, I'm your host, the bureaucrat with the most, Allan Friedman from the US Department of Commerce. And thank you, yes, we've got a great game for you today, thank you. And our panel is as illustrious as they are boring. So first, starting off, we've got John Banghart from Venable, who is a senior director for risk management and also still firmly believes that Half-Life 3 is going to be coming out any time soon. Absolutely. How does that inform your views on patching? I hope springs eternal. Excellent.

Next we have Kent Landfield, who is the director, or the chief standards, tech and technology policy strategist, and he's also a llama herder in his spare time. And so, Kent, how does that inform your views on patching? Excellent. I should point out that Kent has been on the board for CVE for 19 years and therefore we should all ask him why he hasn't solved it yet. But not least, we have Duo Security's famous director of the Duo Security advisory... smells like Duo Security, judgement-free zone, okay. She once hacked Rob Graham, and I've also seen her try to tackle Rob Graham, so that should give us something. How have either of those experiences informed your views on patching? You know, any time you need to solve a security problem, just tackle Rob Graham. He's a good person to go to in this discussion.

So we're gonna start off today with a couple of easy questions, and don't be worried, there's gonna be some time for the audience to get involved later. But first, we looked at a bunch of industry surveys and found out that most of them were not very good, so we got rid of those, and then we found the honest surveys, and they found that most harms to an enterprise... thing on the mothers... most harms for an enterprise are caused by what? Kent? Nation-state advanced really, really persistent threats. Oh, not afraid, but I'm afraid... Wendy? Leet hackers. Of course. No, no, you lose a point there. John? Exploiting known vulnerabilities for which a solution exists. Ding ding ding, we get three points for John on that one, thank you.

So we're warming up here. Everyone sees where we're going. So you know vulnerabilities are a problem. We have the National Vulnerability Database. Just in the last three months, how many new entries were added to the National Vulnerability Database? John? Seven. No, more than that. All of them? Got close. An awful lot. Yeah: four thousand six hundred and eighty-seven. Yes, that is, that's, that's right. And while we're, while we're here, I want to make sure it's well known that CVE is not a very good metric for judging the amount of vulnerabilities in this landscape. Why? It has, and I'm on the board, it is one that has a history of not being able to do quite well with it from the standpoint of resources and processes, but we're fixing that and we're turning it into a federated approach moving forward.

Alright, so good organizations, mature organizations, understand that patching is important. What does patch management look like for a mature organization today? Kent? Real-time awareness of new and critical vulnerabilities that exist in your network. How do you find that information out? Good luck. Alright, anyone else? Wendy? In a mature organization, continuous monitoring of network access through hot flashes and, in between, buying the... you know, having, having that affair, not being able to see the patches very clearly, taking up Geritol. A slightly different measure of mature. Oh sorry, it's... excellent. Alright, anyone else? What mature organizations can do? They absolutely need to have established organizational processes to make sure there's rigor and discipline. Excellent. Anybody else on the panel? What fun is that? This is why maturity is overrated, unless you're talking about, you know, adult beverages or content. Another answer? There you go, yeah, I'm gonna try again. So, policy enforcement at the application level, which is something that a lot of organizations are trying out in conjunction with the zero trust model, to say, look, you can do what you want with your device on your own time, but if you want to log into our application, you've got to be this tall: you've got to have your software up to date, you've got to have a lock screen, all that kind of good stuff. So it turns around the model where you're expected to manage those endpoints, and instead you rely on the user to manage the endpoint as a condition of access, so they've got to do the patching. Alright, great answer.

Now, that means that it's audience participation time. Does anyone else have something they'd like to add for what a mature organization could do to promote responsible, effective patch management? Shout it out. It's true, no one doesn't ever argue that worse communication will solve... everybody just needs to shut up and then we'll get this done.

Alright, so now it's time to play Top That. Can you top that? So I would love to hear from you guys: what is a patch fail story? Success, maturity, how to do things, that's boring, let's talk about the fails. Who's got a good fail story? John? By far the worst: my wife's laptop getting bricked by an auto update. I lost an entire Saturday over that, an entire Saturday. And he was going to do something really boring on that Saturday. Alright, can anyone top that? Kent, what do you got? CEO for a company that was not really liked, and no one wanted to talk to him, they were afraid of him. So, yes, whose laptop got, got hacked, and it hadn't been patched in over two years. Yeah. Was the CEO happy with the staff when that happened? Very. Alright, can you top that? I can top that. I know of a real organization that for two whole years didn't patch at all, because they were so afraid of what would happen, they had no idea what would happen or how to fix it, that they just didn't patch anything. And this is a problem, by the way, that I see in organizations where you don't have full-stack sysadmins or full-stack developers. If you don't understand the system from top to bottom, you're scared to death of changing anything because you don't know what's gonna happen to it. Alright. And just, just between the four of us and all of these people, you want to name that organization? No. Excellent. So they're better now, though.

It is now time to go to our survey-style game. So we asked InfoSec Twitter... how do we react? Mistake number one. Back to what, what we should do: what's a reason why a system could not be patched in an organization? And InfoSec Twitter told us that it's because these people don't care about security and that they're bad people. So then... argue... yeah, we screwed up on that one. So then we went and we actually talked to some practitioners and some security experts and we said, what are some reasons why a system might not be patched? Legitimate reasons why we might expect a system with a vulnerability on it to not be patched. Now these aren't in any particular order, they're not ranked, but does anyone have an idea what our survey said? Yes? It's the vendor's problem, it's their fault: going out of business, end of life, just no longer want to support a product that's out there because the market may have changed, or they were purchased by somebody else who was a competitor. Survey says: yes, it's the vendor's fault, but not in a bad way, in a friendly way, like, no, we don't hate vendors. Alright, Wendy? Because they don't have the staff or a vulnerability management system; in other words, they don't have resources. Do we see "no resources"? We do: no resources. Anyone else have an idea here? So in a lot of organizations they're required to test patches extensively before deploying them. That takes time and resources, to Wendy's point, which... that is time and resources away from completing other projects for other business units, and so there could be a tremendous amount of pressure on folks that own those systems to not patch, because they don't want to take resources away from other things. Show me "need to test". Ding ding, excellent.

Alright, Kent, what do you got up there? Network requirements, such as IPS or internal firewalls, that are blocking the ability to reach those devices to actually patch them. Let's show me "blocked auto-update". That's right: if the device is configured to only have a relationship between the vendor and your device, super convenient for everyone, until you put it behind a firewall. Womp womp. Alright, what else do we have up here, guys? Four more on the board. Yes? So the system could be supporting mission-critical or business-critical information or services, and there's little to no allowance for any sort of downtime. Show me "do not unplug". Excellent. Kent? The CVSS score hasn't reached a certain threshold. It's up there. I know you're all surprised when... the cancel, cancel... this is a very good panel, they really have their finger on the pulse of things. Wendy, what do you have? Alright, I've got, for example, if you work out with your provider that you only... you do that... oh, you want five nines of uptime, and all of a sudden you discover after the contract goes into effect that it doesn't allow them any time for patching, so my provider has been pwned because... show me "stupid SLA". That's something that I wanted to think about if you're in that position. Alright, I've got one more on the grid. John, what do you got? How about equipment is in the field, could be in remote locations, so it could be very difficult to get to or patch. The target is in the field, or even worse, the target is in someone's chest and it's very hard to get access to it.

And we are going to the audience now, and I just want to say, does anyone have some other things that could go on this list that our experts didn't say? I've got a question over here. Asset management. Say one more, say several more words. Excellent. I've got audio in the fourth row. It doesn't receive patches? That doesn't receive patches. I had a friend who told me just the other day, "I just found our NT4 farm." I swear I wasn't trying to troll Josh, I'm just going for the back row. Er, yes, yeah, yes: my system gives you false positives. Yeah, excellent. Josh, that's true, sometimes you've been given bad advice by the regulator. And Josh, just so I know, does the FDA allow you to patch a medical device that's on a network? So Josh is saying, for those who couldn't hear, that the FDA will actually force a recall if you can't patch the device. I've got another in the back. Thank you. Also in the back: the patch will break things. Sorry, one more time: the patch breaks other things. It's true. So I haven't tested it, I just patched it and it broke things.

Was there one over here? Yes, so the, the patch introduces new vulnerabilities. And: I don't need to patch because, you know what, it was configured in such a way that I was not actually at real risk. I've got time for one more. Yes? Change freeze. Yes, especially during retail season. That never happens. Alright, so speaking of things that never happen, we have some rumblings in Washington of actually trying to get some things done. You like that segue? Things that never happen. So there is a bunch of discussion around saying, well, security's a big deal, and one of the solutions is to require patching. Now, here are some reasons that we've got up here, but what I'd like the panel to see is, do we have any insights about what are some concerns with mandating that patches need to happen, or need to happen at a certain window, or something like that? What do we have, John? So most regulation or proposed laws tend to throw patching in as one of the requirements and fail to take into account, particularly given everything that we've seen here, how complex it can be. And you can't just say you have to patch your systems; there's an entire universe underneath that that has economic consequences and policy consequences. So regulators, other policymakers, they need to be educated around what that really means, and not just throw it in because some expert told them they should. Excellent. Anything else in the pack?

So building on, on that: any sort of system that has high dependencies, which is just about everything we have nowadays, the more dependencies it has, especially globally, the longer it takes to plan and execute patching. You talk about industrial control systems, where that sort of software has to be tested against dozens of different countries where different regulations are in effect, different standards, different technologies, and it can take as long as two years to plan out something like that. Oh, okay, you've got an answer? Your IT department is more afraid of your legal department than it is of the attackers. Quite often you can find out, find the vulnerability management staff patching things just because the lawyers say patch it within a certain point, that's our company policy, do it. And as such it may not be the right thing, but it's getting done whether you like it or not. You're solving for the business's biggest, most believable risk, which is the lawyer or the auditor. That's why a lot of people just show up in their legal, lawyer's office with a thousand-yard stare: you haven't seen what I've seen there. Alright, John? I'll just add to that that those types of regulations can put either less mature organizations, or organizations that don't have the money or resources, at a particular disadvantage, because they're held to the same standard as everybody else but they don't necessarily have the means to be able to do the patching. Excellent.

So we're at the halfway mark. The scores are pretty close. Wendy, you're at 723. Yeah, hey. John, a little behind at 217, and Kent, you've got e to the i pi. I don't know how you did that. Well done. So we want to get into now... so we've talked about some of the problems, but are there any solutions? So what are some options when just saying "just patch" isn't an option? Kent? Pray. Oh, that's not what we're looking for. Wendy? Hire good PR people. No, that's, that's still not a very good security solution. John? Blame Bob and/or Alice. That's true, they, they've just been working a little harder. Wendy, what have you got? Segment your network, for crying out loud. Yes, don't have a flat architecture. What else do we have? Rip and replace if it can't be patched. Sometimes you've just got to take it out and get something new. When it... out, swap it out. Oh, it's the only way. Kent? Put some other devices in front of the potentially vulnerable device or server farm or the like, put firewalls or IPS in place to capture and block. Excellent, it's like that's something that we've thought about before. Wendy? Now hear me out, hear me out, just, just a little idea: taking non-business-critical but very well understood business functions and greenfielding them over to managed service providers who actually can patch. When's the last time you patched email? Not very often, unless you're still running your own server. Not that there's anything wrong with that. There's totally something wrong with that, but we don't judge. A little, but we judge from an informed place. Does anyone have further ideas about what's something we can do when, you know, just saying, hey, patch it, isn't really an immediate direct option? Get it off Shodan. Nice. Maybe don't connect things to the public Internet. I like it, yes. Yes, you cannot prevent, you must detect. Yeah, actually. Anything else from the audience here? Alright, well, I really thought they'd have more ideas on that one.

Anyway, as we wander into an IoT world, how does that change how we think about patching? Is that the buzz for just winning the... saying the word IoT when it didn't really need to be? No less blockchain. Well, the reality is we're sort of changing the nature of how we're looking at vulnerabilities. Now vulnerabilities are actually something that can damage human life, so when you're talking about public safety, you're talking about human safety, it is cranking it up another level, another notch, so you really have to think about how we deal with these kinds of situations. Now it matters. Alright, that's a good answer for IoT. Anyone else have another interpretation? Wendy? Well, patching is so completely different depending on the system. There's such a wide variety: patching shoes is different from patching light bulbs, from patching things in chests, that, that there's no standardization, there's no really good way to tell everybody to start doing this. Yes. So I live and work in DC and I can tell you that one silver lining from all this complexity and concern is that, for policymakers, it's making the challenge real to them. Self-driving cars are real. They understand cars, they understand thermostats, they understand these things in their lives. It's not just some equipment that their IT person is telling them about. So the IoT, and the introduction of IoT and the discussion of that risk and complexity, is making otherwise unaware policymakers aware of the real concern that we have here. One more, one more: if you make it easy to patch, especially for consumers to patch, you also make it easy to attack. A patching infrastructure is an RCE that only one person should be allowed to use. Theoretically, yes, yes. So we need to keep that in mind.

Now we've talked a lot about what organizations can do, but we in the BSides family talk about what the community can do. How can we all work together? So what are some of the projects that we as a community can help work on, to think through how we can help some of these organizations, without just writing a check to small companies, to say how can we make it easier for them to handle this risk? Sorry, Kent would really like to spin this question. It's okay. Do you have an answer to one of the questions I asked? Yes, I do. Better asset management: being able to really have an aspect of being able to discover what's on your network, so you know you can patch it. If you don't know it's there, you can't do anything with it; it will just sit there and be an entry into your organization. Excellent. I think we need better pre-emptive playbooks. I think we need to have a better sense of what to do when patching is not viable, for whatever reason it may be, some of the ones we discussed, and I think when it isn't, we need to be better as a community at helping policymakers and corporate leaders understand what the risk really is, why it can't be patched, and what the potential mitigations are. Alright, that's a good one. I think what the fundamental problem with patching is, is that a lot of things, especially IoT things, were built specifically to last. Nobody who built them originally envisioned that they would need to be patched and updated early and often, all the time. You've got, you know, continuous integration on one side, with Netflix and patching at the speed of light, and you have equipment that was built to last for 10, 20, 30, 50 years. And so changing and reaching out to vendors and teaching them how to build patchable software is certainly something that we can and should do, so they can start designing this in from the beginning. Excellent, that's a great answer.

And I'm just going to add, as is the game show host's prerogative, that transparency can really be an amazing tool here: the software bill of materials idea, where a vendor who actually ships their software says, here's the list of all my third-party dependencies, so that when a vulnerability is discovered, an organization that's on top of things can actually sort of identify how they might be at risk and work affirmatively for that approach. We think that there's a lot of... I just... moving forward, and a number of you have been doing this in the community for a while, and it's something that, at the technical level and at the policy level, we're gonna be moving a lot... we'll be moving forward with strongly at the US Department of Commerce. So now we are almost at the end. The scores are all tied up, four each, so it comes down to Final Jeopardy. Yeah, it's the... it comes down to two Final Jeopardy, because we don't really understand how game shows work. So the panelists are going to pretend to write something down while you guys all hum the Jeopardy theme song. Ready? Wendy, would you lead us on? Alright, we don't actually have to do that for the poll, but I was told there was no sound in this room. So, so what do we have? What have you written down here? Alright, so why don't... what I pretended to write down is: don't you hate it when somebody talks about something that they don't understand? Wait, that's what I do for a living. Okay, I'm just asking the rest: don't you hate that? Well, so do I. So if you go around asking why companies can't just patch, you are just displaying the fact that you do not understand how complex a problem this actually is, and you might want to rethink saying anything at all. Thank you. Kent? Well, regardless of what you heard, patching is complex and it is hard, but it's something that we have to do whether we like it or not. We have to reduce the attack surface that is out there. We can't just leave it unpatched. Yes, it's not easy; yes, it's, it's problematic in certain Beltway areas, but we need to deal with it on an organizational basis. Oh, that's no fun. John, what have you written up? Yeah, so to me it's, it's about making policymakers aware, right? I mean, if you look at Congress here, sometimes we get lucky: we find senators, we find Congresspeople who get it, and all of a sudden they start to make what seem like kind of rational decisions about cybersecurity, including patching policy. So I think it's on all of us in this community and other information security communities to do what we can to continue that education, both within our organizations but also finding ways to help educate our policymakers, not just here in the US but elsewhere. I think we're gonna need to do that, or else we're gonna end up with regulation and laws that will probably make things a lot worse before they get better, and I don't think any of us want that. Fantastic.

And I know there are a number of organizations here working on that, such as EFF and I Am The Cavalry. Yeah. So we have two minutes, so I'm going to say either a question or a very carefully timed 45-second statement, not a question, that you want to offer as a closing part here. Doug? We need to protect research. Alright, we have time for one last comment. Yes? Well, not just me, I think we all can, if we get involved in efforts like the FIRST SIG around CVSS. I think that would be a really good thing, to try to make this a useful standard as opposed to a standard. Alright, on that note, I'm going to ask you to help me thank our panel of John, Kent and Wendy. I've been Allan, the host with the most, and don't forget to spay or neuter your system. Thank you.