On average, it takes an organization 15 times longer to close a vulnerability than it does for attackers to weaponize and exploit one. Seven days to weaponize and 102 days to patch. Let that sink in.
Once a vulnerability is disclosed, it’s you against them in a race to either secure or exploit, and it turns out that our adversaries run a sprinter’s race to weaponization, while most of us are still running an operational endurance race when it comes to endpoint hardening and applying critical patches.
We’ve seen this play out in the real world time and time again, and these delays in patching have the ability to cause catastrophic issues. For example, Microsoft patched BlueKeep in the May 2019 Patch Tuesday security fixes, and as of December 2019 there were still over 700,000 machines at risk. Meanwhile a recent Sophos report [PDF] on WannaCry’s evolution suggests the patch against the main exploit used in those attacks has not been installed on countless machines – despite being released more than two years ago.
What is holding us back?
For one thing, the endpoint security revolution didn’t end with cloud-native endpoint detection and response (EDR) and the reduction in dwell time. In fact, it has just begun. Clearly, time is the enemy, and declaring war on unacceptable dwell time was the first wave. So, while dwell time remains a very important security metric, the next battle starts with radically compressing exposure time. Enter Mean Time to Hardening (MTTH).
Mean Time to Hardening
Given that the average time to weaponization is seven days, and that many exploits appear well inside that window (the infamous Apache Struts vulnerability behind the Equifax breach is one example), you effectively have 72 hours to harden your systems before you should expect to see new exploit techniques surface. When a zero-day is already being exploited, the best-in-class response window is within 24 hours of disclosure. While this 24-hour threshold is ambitious, it’s the pace you’d need to move at to realize a pre-incursion defensive effect.
Outside of this threshold, hardening becomes a reactive exercise with little to no pre-incursion value. To achieve a defensible outcome, organizations need to focus on the velocity of endpoint hardening. And that’s why the 24/72 MTTH threshold is the next benchmark organizations need to achieve, testing and rolling out mitigations in an accelerated, yet methodical manner.
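To make the 24/72 threshold measurable rather than aspirational, the following Python script (an added example, not code from the article or from Automox) computes time-to-harden per vulnerability from a patch-deployment log and rolls it up into a fleet MTTH. The vulnerability IDs, hostnames and timestamps are constructed. One design choice is ours, not the article’s: a vulnerability is treated as closed when a configurable fraction of the fleet is hardened, so a single straggling endpoint does not dominate the mean, and hosts that were already patched before disclosure count as zero hours.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Iterable, Optional

# The 24/72 thresholds: 24h when a zero-day is already exploited in the wild,
# 72h otherwise (exploits tend to surface inside the seven-day weaponization window).
SLA_HOURS = {"zero_day": 24.0, "standard": 72.0}


@dataclass(frozen=True)
class Disclosure:
    vuln_id: str
    disclosed_at: datetime
    zero_day: bool  # True if exploited before a fix existed -> 24h window


@dataclass(frozen=True)
class PatchEvent:
    """One endpoint reaching a hardened state for one vulnerability."""
    vuln_id: str
    host: str
    hardened_at: datetime


def sla_hours(d: Disclosure) -> float:
    return SLA_HOURS["zero_day"] if d.zero_day else SLA_HOURS["standard"]


def time_to_harden(d: Disclosure, events: Iterable[PatchEvent],
                   fleet_size: int, coverage: float = 0.8) -> Optional[float]:
    """Hours from disclosure until `coverage` of the fleet is hardened.

    Assumption (ours, not the article's): the vulnerability counts as closed
    once a fixed fraction of endpoints is hardened. Returns None until then.
    """
    first_fix = {}  # host -> earliest hardening time for this vulnerability
    for e in events:
        if e.vuln_id != d.vuln_id:
            continue
        if e.host not in first_fix or e.hardened_at < first_fix[e.host]:
            first_fix[e.host] = e.hardened_at
    needed = math.ceil(coverage * fleet_size)
    if len(first_fix) < needed:
        return None
    # Hosts hardened before disclosure (already patched) count as zero hours.
    hours = sorted(max(0.0, (t - d.disclosed_at).total_seconds() / 3600)
                   for t in first_fix.values())
    return hours[needed - 1]


def mtth_report(disclosures, events, fleet_size, coverage=0.8):
    """Per-vulnerability time-to-harden, SLA verdicts, and the fleet MTTH."""
    rows = []
    for d in disclosures:
        tth = time_to_harden(d, events, fleet_size, coverage)
        limit = sla_hours(d)
        rows.append({"vuln_id": d.vuln_id, "hours": tth, "sla_hours": limit,
                     "met_sla": tth is not None and tth <= limit})
    closed = [r["hours"] for r in rows if r["hours"] is not None]
    return {
        "rows": rows,
        "mtth_hours": mean(closed) if closed else None,
        "still_open": [r["vuln_id"] for r in rows if r["hours"] is None],
    }


# Constructed sample data: hypothetical vulnerability IDs, hosts and times.
T0 = datetime(2019, 5, 14, 17, 0)
FLEET = 5


def hrs(h: float) -> datetime:
    return T0 + timedelta(hours=h)


DISCLOSURES = [
    Disclosure("VULN-A", T0, zero_day=False),  # 72h window
    Disclosure("VULN-B", T0, zero_day=True),   # 24h window
    Disclosure("VULN-C", T0, zero_day=False),
]
EVENTS = [
    PatchEvent("VULN-A", "h1", hrs(-2)), PatchEvent("VULN-A", "h2", hrs(20)),
    PatchEvent("VULN-A", "h3", hrs(40)), PatchEvent("VULN-A", "h4", hrs(60)),
    PatchEvent("VULN-A", "h5", hrs(150)), PatchEvent("VULN-A", "h2", hrs(90)),
    PatchEvent("VULN-B", "h1", hrs(6)), PatchEvent("VULN-B", "h2", hrs(18)),
    PatchEvent("VULN-B", "h3", hrs(30)), PatchEvent("VULN-B", "h4", hrs(48)),
    PatchEvent("VULN-C", "h1", hrs(5)), PatchEvent("VULN-C", "h2", hrs(7)),
]

if __name__ == "__main__":
    report = mtth_report(DISCLOSURES, EVENTS, FLEET)
    for row in report["rows"]:
        print(row)
    print("MTTH hours:", report["mtth_hours"], "still open:", report["still_open"])
```

On the sample data VULN-A closes at 60 hours (inside the 72-hour window), the zero-day VULN-B closes at 48 hours (missing its 24-hour window), and VULN-C is still open, so the fleet MTTH is 54 hours; the "still open" list is what a tactical team would chase first.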
Using MTTH to Accelerate Incident Response
Incident-response thresholds are not necessarily a new concept. CrowdStrike set the high-water mark for incident responders with the 1/10/60 rule, based on observed adversary “breakout time”: given that the most advanced nation-state threat actors move laterally, or “break out,” from an initial beachhead within two hours on average, defenders get one minute to detect, 10 minutes to understand and one hour to contain from the initial incursion point.
This framework is a goal of response we are all working towards in this day and age of larger attack surfaces and increasingly sophisticated threat actors, and organizations that can achieve the 1/10/60 velocity are much more likely to maintain a sustainable advantage over their attackers and stay out of mainstream media headlines.
But what happens before that moment of incursion and the 1/10/60 that follows it? What does the pre-detection playing field look like, and where can we influence outcomes ahead of the incursion event horizon?
The 24/72 MTTH approach is built to support 1/10/60, and 1/10/60 in turn informs 24/72. 24/72 helps you make sure you’re hardening proactively at the speed your business needs and removing noise from your detection systems, so you can run them more effectively, have more confidence in the alerts, and have your team focus on the sophisticated attacks that are far more critical. Meanwhile, 1/10/60 informs the prioritization of your hardening strategy, because the data you uncover in your EDR investigations tells you which threats need your attention first.
With the two in place, an organization can prioritize critical action and remediation at scale, and patch vulnerabilities in a timely manner. When the weaponized actions are released, your EDR and, thus, your organization will be better prepared.
Successfully defending your organization largely boils down to a battle of speed with your adversaries, where minutes and even seconds make the difference between containing an incident or becoming the next international data breach headline.
By adopting the 24/72 rule of thumb for patch updates, you can increase your operational efficiencies while establishing a best practice in patch management that keeps your endpoints better protected from malicious actors. This is an outcome metric that can be measured by executive and tactical teams to achieve a sustainable defensive advantage. Let’s turn down the volume on the EDR alerts with an aggressive tune.
Richard Melick is senior technical product manager at Automox.