Can you patch faster than a hacker can breach you?

By September 26, 2018 October 25th, 2018 Blog, Patching

Two days vs two months

It’s been a little more than a year since the world learned of the security breach at US-based credit reporting agency Equifax. Hackers had free reign within dozens of the company’s databases for months before being caught. It was months longer before the 145 million consumers in multiple countries learned that their personal information had been compromised.

The US Congress asked the Government Accountability Office (GAO) to study how Equifax and government agencies performed before and after the attack was discovered. It is a fascinating study of what appeared at the time to be a comedy of errors, but in hindsight looks to be more of a lesson in inevitability.

Equifax Breach

Source: GAO, based on information provided by Equifax. | GAO-18-559

The most startling fact that has emerged from the GAO report describes the Herculean task that all AppSec teams face:

Equifax has stated that, on March 10, 2017, unidentified individuals scanned the company’s systems to determine if the systems were susceptible to a specific vulnerability that the United States Computer Emergency Readiness Team had publicly identified just 2 days earlier. 

Two days.  Equifax was already under attack within 48 hours of the announcement of a flaw in the Struts 2 framework. By comparison, the average time to patch a known vulnerability is measured in months (if not years).

For organizations that rely exclusively on physically patching their web applications, the conclusion from this report is obvious: you can’t fix your code fast enough to stay ahead of professional or nation-state hackers. Your fingers on keyboards are no match for their automated scanners.

What does close the patching gap is virtual patching. Not pattern matching-based virtual shields or the so-called virtual patching of WAFs, but real virtual patching that fixes flaws in the compilation pipeline as the application runs. That is the fastest and most effective way to address known vulnerabilities without any downtime or source code changes.

Reading the GAO report makes it clear that someone was destined to become the poster child for failed/failing cybersecurity practices that have been SOP for decades. It just happened to be Equifax.

Learn how Waratek’s virtual patching solution stopped attackers from using a healthcare company for crypto-currency mining.

James Lee

Author James Lee

James Lee, Waratek Executive Vice President and Chief Marketing Officer. James is the former CMO at data pioneer ChoicePoint and an expert in data privacy and security, having served nine years on the Board of the San Diego-based Identity Theft Resource Center including three years as Chair. Lee has served as a leader of two ANSI efforts to address issues of data privacy and identity management. Lee is also a former global leader at International Paper Company (NYSE: IP).

More posts by James Lee