Are slow patches from ERP vendors worth waiting for?
Mark Smith is the founder and CEO of Support Revolution.
Opinions expressed by EM360 contributors are their own.
In recent years, there have been small rebellions against the increasing pace of life. The slow food movement tells us that burger chains and pizza parlours may not be the best food out there, and it's worth a little wait to enjoy better-tasting cuisine.
ERP vendors, given the time it takes from the discovery of a vulnerability until it is fixed, seem to think in much the same way. The average time between the discovery of a vulnerability, the creation of a patch to fix it, and the roll-out of that patch to customers is thirty days, giving criminals ample opportunity to take advantage. It's often longer—for example, in 2016, SAP patched an authentication vulnerability that had first been reported in 2012. Beyond a handful of emergency patches, Oracle rolls up all of its patches into a quarterly Critical Patch Update.
The time it takes to apply patches is not only down to vendor delays. There is also the time it takes an organisation to apply them. Oracle itself has tried to encourage its customers to improve this, adding to its patch notes that: “...Attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.” This isn't simple: one survey showed that over half of businesses needed more than their internal resources to implement regular patches, at an average cost of nearly $20,000 per patch. The cost and disruption mean that an average of 100-120 days passes before a patch is applied.
Slow vendor patches, wherever the blame lies, only help those in the business of cybercrime, leaving critical systems open to attack. Enterprises need a better way to protect their IT estates.
What is a virtual patch?
Virtual patching, also known as vulnerability shielding, is a method of protecting software from attack, even if the right patches are not in place. One way to imagine virtual patching is if your home has vulnerabilities that a burglar could take advantage of, such as a key hidden underneath a doormat, or a window that is easily jimmied open. Those security weak spots won't matter so much if you live in a gated community with an armed guard on patrol, stopping burglars from getting anywhere near. That guard and those fences are virtual patches.
Vendor patches work by rewriting software code in order to remove the vulnerability, so any attempt to exploit it won't work. Virtual patching, however, does not touch the code and instead blocks the threats that target these vulnerabilities. Using an up-to-date database of threats and vulnerabilities, rules are created that can be applied to an organisation's server, whether on-premises or in the cloud. All traffic, whether internal or external, is analysed against these rules—if the traffic is designed to compromise the server, it is blocked. In our analogy of the vulnerable house in a gated community, an upstairs window may have been left open, but the rules say no one with a ladder is allowed inside.
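The rule-based shield described above, as an added example that is not part of the original article or any Support Revolution product: a small vulnerability-shielding engine that inspects every request (internal or external alike) against a rule set and blocks anything that matches, without modifying the protected application. The endpoint paths, parameter names, header name and sample requests are constructed placeholders, not real ERP vulnerabilities. The last step adds a rule to a live shield, which is the "constantly updated policies" point made later in the piece. A practitioner should note the limit this makes visible: a rule only stops the traffic shapes its author anticipated (here, a traversal pattern and a missing session header), so rules need the same review and testing as any other control.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    """One inbound request as the shield sees it (constructed model)."""
    method: str
    path: str
    params: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)
    origin: str = "external"   # internal or external; both are inspected


@dataclass
class Rule:
    """A virtual patch: a predicate recognising traffic aimed at one known
    weakness. The application's own code is never modified."""
    rule_id: str
    description: str
    matches: Callable[[Request], bool]


class VulnerabilityShield:
    def __init__(self) -> None:
        self.rules: List[Rule] = []
        self.log: List[str] = []

    def add_rule(self, rule: Rule) -> None:
        # Rules can be appended while the shield is live; no restart of the
        # protected ERP server and no maintenance window is needed.
        self.rules.append(rule)

    def inspect(self, req: Request) -> Tuple[str, Optional[str]]:
        """Return ("BLOCK", rule_id) for the first matching rule, else ("ALLOW", None)."""
        for rule in self.rules:
            if rule.matches(req):
                self.log.append(f"BLOCK {req.origin} {req.method} {req.path} rule={rule.rule_id}")
                return "BLOCK", rule.rule_id
        self.log.append(f"ALLOW {req.origin} {req.method} {req.path}")
        return "ALLOW", None


# --- Hypothetical rules (placeholders, not real ERP vulnerabilities) -------

def _admin_without_session(req: Request) -> bool:
    # Shields an imagined admin endpoint that the application itself fails to
    # authenticate: the shield refuses any call lacking a session header.
    return req.path.startswith("/erp/admin/") and "X-Session-Token" not in req.headers


# Plain and percent-encoded forms of "../"; the shield sees the raw parameter.
TRAVERSAL = re.compile(r"(\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f)", re.IGNORECASE)


def _report_path_traversal(req: Request) -> bool:
    # Shields an imagined file-name parameter on a report endpoint.
    return req.path == "/erp/report" and bool(TRAVERSAL.search(req.params.get("file", "")))


def build_shield() -> VulnerabilityShield:
    shield = VulnerabilityShield()
    shield.add_rule(Rule("VP-001", "admin endpoint requires a session", _admin_without_session))
    shield.add_rule(Rule("VP-002", "report file parameter must not traverse", _report_path_traversal))
    return shield


# Constructed sample traffic: one benign report, one traversal attempt, an
# internal admin call with and without a session, and a legacy export call.
SAMPLE_TRAFFIC = [
    Request("GET", "/erp/report", {"file": "q3-summary.pdf"}, {"X-Session-Token": "abc"}),
    Request("GET", "/erp/report", {"file": "../../etc/passwd"}, {"X-Session-Token": "abc"}),
    Request("POST", "/erp/admin/users", {}, {}, origin="internal"),
    Request("POST", "/erp/admin/users", {}, {"X-Session-Token": "abc"}, origin="internal"),
    Request("GET", "/erp/legacy/export", {"format": "csv"}, {"X-Session-Token": "abc"}),
]


def run_demo() -> List[Tuple[str, Optional[str]]]:
    shield = build_shield()
    decisions = [shield.inspect(r) for r in SAMPLE_TRAFFIC]
    # A weakness is found in the (hypothetical) legacy export module. A rule is
    # added immediately, ahead of any vendor patch; the same request is now blocked.
    shield.add_rule(Rule("VP-003", "legacy export module shielded pending a fix",
                         lambda r: r.path.startswith("/erp/legacy/")))
    decisions.append(shield.inspect(SAMPLE_TRAFFIC[-1]))
    return decisions


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The shield logs every decision, so the same rule set doubles as a detection source: a rule that fires repeatedly from one origin is evidence that the underlying vulnerability is being probed, which is useful when prioritising the eventual vendor patch.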
Virtual patching and legacy software
Oracle's advice with its critical updates is not only to apply patches without delay, but to remain on actively-supported versions—that is, they and other vendors do not release patches for older, unsupported software versions, and advise upgrading to the latest versions in order to stay secure.
But there are a number of reasons why a business may not want to upgrade its ERP software. A change of software comes with risk, cost, and disruption to a business—all things that any sensible business wants to avoid. For many businesses, the only advantage of upgrading is likely to be the patches issued by the vendor to stay secure. New features are not enough to tempt them.
ERP systems have been around for a long time, and are trusted and stable. However, this maturity means that they have not exactly been hotbeds of innovation for over a decade. Businesses may consider that the benefits of upgrading are simply not worth the cost.
Virtual patching gives organisations the opportunity to stay with stable software they know and trust, without the risk of cybercriminals taking advantage of unpatched vulnerabilities. Switching to a third-party support provider rather than official support from the vendor also means saving between 50% and 90% on support costs.
Why bother with vendor patches?
The regular installation of vendor patches is seen as industry best practice when it comes to keeping servers secure from attack. But with several months between the discovery of a vulnerability and the patch that fixes it, is it really worth keeping up to date with these patches?
Best practice, in this case, is hopelessly out of date. The speed at which hackers can scan for vulnerabilities and attack businesses means that a quarterly update schedule cannot hope to keep up. With virtual patching, new rules can be added and policies constantly updated, keeping businesses far more secure.
When businesses aren't following best practice because they're finding it impossible, and would still be at risk even if they did, then it's time to change best practice. Businesses can't wait around for vendors to put out quarterly patches—virtual patching, far from being a stopgap while the “real” patch is created, is actually a superior solution that will keep businesses far safer.
Virtual patching is vital for those businesses that decide not to upgrade their ERP systems and have no other way to protect what is no longer supported by the vendor, but it should also be considered vital for all businesses looking to stay protected and save costs.