This week I came across two quotes that reinforced why keeping up with firmware patches is both critically important and massively difficult. At a virtual think tank webinar hosted by ReliaQuest, the CISO from Nielsen (Chris Hatter) commented that “The fundamentals of being good at cyber hygiene is the most neglected aspect of cybersecurity. If you’re not good at the very basics and making sure you understand the basics on your network—like patching and remote monitoring—you’re not set up for success”. In other words, inability to maintain device firmware is foundational in any cybersecurity program. On the CISO Series Headlines Show, host Steve Prentice in referring to the almost daily cadence of firmware updates being pushed to patch critical vulnerabilities said “makes you nostalgic for Patch Tuesday doesn’t it?”.
Let’s face it, many unmanaged and IoT devices are difficult to update firmware on and are typically running out-to-date firmware, which is why out of all devices used in the enterprise they present one of the largest attack surfaces. Recent studies have shown that new devices out of the box often are more than a year out of date (one study found “new” surveillance cameras that were 8 years behind in firmware updates). Yet according to cvedetails.org, unmanaged and IoT device vulnerabilities are growing at an exponential rate. We all know IoT firmware updates are critically important – so why are they not being done?
That’s where the massively difficult part comes in. Traditional IT tools for patch management simply don’t work for unmanaged and IoT devices. The devices themselves can’t run agents, they are often distributed across multiple locations and networks, and the update mechanisms are different for every manufacturer (and sometimes model). In addition, it’s usually not IT people responsible for firmware updates, it’s the OT (operational technology) teams that have varying degrees of experience in managing devices. In many organizations there are growing audit/compliance requirements requiring information from and about every device. Hard and getting harder.
Which brings us to the comparison of Sisyphus and Proteus. Sisyphus would valiantly try to keep pace with the deluge of firmware updates using manual methods, only to find that despite the massive effort put into it that the overall attack surface is back where it started – vulnerable. The hope of getting to the top of the hill (all devices with vulnerabilities remediated) is never realized. Like Sisyphus, many OT teams who stick to the “old way” will perpetually struggle and never achieve their goals.
In Greek mythology the opposite of Sisyphus is Proteus, who changed shape to avoid having to divulge the future. The word protean come from Proteus, meaning that goals are accomplished through versatility, adaptability, and flexibility. How would Proteus handle firmware updates? My guess is by adaptation and innovation – using a solution that was agentless, automated, scalable, and global. Moreover, Proteus would be far better prepared for “what comes next” from threat actors constantly at work to create new forms of attack – the security team would be a more efficient and nimbler one than a team bogged down with manual methods.
OT and IT security professionals have a choice of whether they want to be Sisyphus or Proteus. Ready to be Proteus? Come join the discussion on firmware updates at our upcoming webinar – register here.
