This week Microsoft announced a ‘lower than normal’ 87 vulnerabilities across 12 of its products. Listing twelve of them as critical, the update contains important updates for Exchange Server, Office, .NET framework and more.
Of significant importance, is a critical update which impacts Windows 10 and Windows Server 2019. CVE-2020-16898 highlights a bug in the TCP/IP stack which could allow malicious code to take over an unpatched system. In addition, CVE-2020-16947 impacts Microsoft Outlook, potentially allowing an attacker to fool a user into opening a file which could be used in a malware or ransomware attack.
In today's world, where millions of us are working from home, accessing business applications and data remotely, the need to keep our OS and applications patched and up to date becomes ever more critical. Not protected by our corporate firewalls, no longer sat inside our offices, remote working means our employees and the devices they use are arguably more vulnerable and require regular patching and updates to ensure security is maximized.
The threat in 2020
In 2016, we all experienced the danger associated with unpatched systems when Wannacry attacked millions of endpoints. Today in 2020, ransomware still plagues our daily lives, the organizations we work for and the services we use. There are reports that the UK NHS has experienced over 40K emails, all of which are regarded as spam and/or contain a form of a phishing attack in recent months; there were 21K malicious emails in March alone!
Only this week, the G7 has raised the alarm that ransomware is on the increase and poses a real threat to economies all over the world. Garmin, Travel Ex and Canon are familiar names which have all experienced recent attacks. Even those organizations trying to develop Covid vaccines have been hit. These threats, which can utilize vulnerabilities in our systems, require organizations to allocate an ongoing amount of time to patching.
So just patch it !!!????!!!!???
Several solutions in the market today offer detailed analysis tools and automated ways to deploy patches. Many of them simplify the process and remove the complexity of understanding which systems need which patch.
It should be that these solutions solve our patching woes, but sadly, especially in the world of Windows 10, patching alone is not enough and continues to highlight an opportunity cost that I believe, should be well behind us.
Firstly, Windows 10 is now an operating system that requires constant ‘love and attention.’ Windows as a Service or the six-monthly cadences of Windows means that not just patches need to be applied. The OS updates alone are large, and overtime loose official support. Compared to previous versions of Windows this change means endpoints need to be visible and managed more frequently than ever before. For the 20 percent of devices still on Windows 7 this adds to the complexity of the migration.
Secondly, the cost of patching remains high! I'm not talking about the price of a patching solution - in fact they are typically not that expensive - I am referring to the operational cost. With every patch deployed, comes risk. A risk that something will break. An application won't launch, an operating system or service that won't boot. Then you have the challenge of how you deploy that patch. Did it deploy? Did it reach every employee home network? How big was the patch? When did it deploy and to how many? How long does the patch process take? Is the endpoint capable of installing the patch? How much downtime will the employee experience? If something does break, can you rollback? The list goes on and on.
IT budgets will continue to grow; not to support our existing systems but to help drive our businesses. Digital Transformation requires IT to do more than ever before. People, technology and time, are precious.
Patching is no doubt an important task, but what is the opportunity cost of patching ? An just imagine what one could achieve if we didn't need to spend the time testing, deploying and worrying about what should be a simple task.
Patching is about IT operations, not security.
It was about two weeks ago over a socially distanced beer and pizza with David Shepherd, Global VP of Sales Engineering at Ivanti, that he reminded me that patching was less about security and more about IT Operations. Since then, I have sat on a number of internal business reviews and had the pleasure of hosting several customer panels for our Digital Disrupt events. Endpoint Security continues to come into every conversation, but when you dig a little deeper, you find that the challenge many face is not one of security but of the operational work involved.
Enter the world of modern management...
For those insistent on buying high cost, fast depreciating, expensive to support and difficult to update endpoints, solutions from Microsoft, VMware, Ivanti and others can certainly help patch and update endpoints, even those that sit within the home office.
Microsoft's Intune and work on Endpoint Manager demonstrates how PC lifecycle management tools are being combined with modern device management. Thanks to the acquisition of Airwatch and other technologies, VMware's market-leading solution Workspace One continues to extend the ability to manage more than just Windows devices remotely. And with the recent news that Ivanti is due to acquire MobileIron, coupled with their existing well-known Landesk solutions, the Unified Endpoint market can certainly help overcome many of the challenges discussed.
But it's not all about new tech - Remember VDI and the promise of DaaS
VDI has been used to help organizations deploy applications and desktops through the use of virtualization technologies from Citrix and VMware for over 20 years. Historically used for remote workers over low bandwidth connections or frequently deployed to help with business acquisitions and mergers, desktop virtualization has been a steady but stable technology choice for some organizations and use cases.
However, with the recent rise in Working From Home, the need to rapidly deploy and support desktops and applications to a remote workforce has become business-critical. VDI and DaaS have proven themselves during the pandemic for many organizations.
But this virtualized and centralized desktop platform doesn't just help with remote work, it significantly reduces IT operational cost required to patch and update Windows desktops. Hosting Windows in the datacenter means you no longer need to worry about the delivery of the patch, the size, its impact on the applications, the user or the actual endpoint. Everything is done once, centrally and in a controlled manner. When ready, it is simply activated, ready for the next employee to connect.
Customers who use VDI and DaaS don't spend hours worrying about patching. They utilize technologies like machine creation services and single image management to test and deploy once and yet at scale. They don't worry about the next Windows update, nor are they bothered whether an employee is in the office or working from home. Many of our customers will also tell you they don't worry about the endpoint – VDI and DaaS is that powerful as a solution.
In a world of VDI and DaaS - The employee still needs a device? Surely that still needs to be managed?
The answer is, of course, yes, but don't call me Shirley; people need an edge device, but in the world of VDI/DaaS, that edge device doesn't need to place a burden on IT operations. That device could be a Linux OS - easily managed, more secure and more cost-effective – which is what we supply.
For now though, when you read of the next ransomware attack or see the next patch update, take time to consider whether the attack utilized a known vulnerability, whether that vulnerability could have been patched and how much easier and operationally efficient it could have been if the employee was instead utilizing a virtualized desktop which would free your IT operations staff to focus on much more important work for your company.
Simon Townsend, chief marketing officer, IGEL