Automated Patching Innovation: What Business Should Consider
DEF CON 24 in 2016 hosted the DARPA Cyber Grand Challenge, in which seven teams' automated security systems faced off in a capture-the-flag-style competition for a main prize of two million dollars.
The objective was to design programs that autonomously detected vulnerabilities and patched themselves to fight off system intrusions.
This technology is interesting in that it uses the intricacies of today's network environments to improve service security in several different ways. However, a key question is whether this technology is worthwhile, as there are various unintended negative impacts and dangers connected to autonomous patching. And, while this is still a niche area, industry leaders should start considering how advancements in information security programs and connected systems could go awry in the future.
It is true that many businesses could use some type of automated patching innovation. It would free up resources, as flaws in software would be identified and patches launched automatically, making future attacks on the system ineffective. The idea of automated patching technology is very appealing to both auditors and executives. In reality, however, patching is a complicated process that encompasses several systems, people and processes operating in tandem to ensure that updates are released effectively, improve security and keep the network environment stable.
Stability in the environment is the top priority of many security professionals, as many have had first-hand experience of one bad patch taking down what was otherwise a completely stable system. Bad patches are typically seen, for obvious reasons, as a worse outcome for the business than the security weakness the patch was trying to fix.
The software quality of contemporary operating systems and applications is better than ever before, and by working through a software tester it is entirely possible to release patches in a semi-automated style. As a bare minimum, semi-automation should occur at the workstation level for third-party software applications such as Java and Adobe products.
However, a key question is how autonomous software and firmware updates can be applied to servers, applications, databases and network infrastructure systems. Furthermore, the cost of patching via automated systems relative to the benefits has many experts questioning whether it is worthwhile. The advantages of automated patching may well surpass the drawbacks, but it is necessary to point out that the DARPA Cyber Grand Challenge used a specific testbed of computer systems with customized software applications that had previously not been evaluated.
As the DARPA Cyber Grand Challenge is the first ever automated patching competition in information security, it is impressive that the systems built by competing teams took only 10 hours to find and patch vulnerabilities that would normally take several weeks or months to resolve. When considering complex legacy applications and enterprise software products, however, it becomes unclear how effective autonomous patching systems will be. Each circumstance is unique, but given the limited resources of business IT security groups and the tendency of people to make mistakes, security needs to be automated when possible.
Now is the time to begin thinking about which patching processes could or should be completed autonomously in the future. It is likely that by attempting to automate certain security functions now, we will be able to carry many of those systems and lessons over into other areas, which would greatly aid the development of future security efforts.