When running workloads in cloud environments, do organizations routinely and blindly upgrade their systems? Immutable infrastructure, blue/green deployments, and treating servers like cattle instead of pets are all the buzz, but in reality, executing these practices successfully is trickier than expected.
Why Aren't Organizations Updating Their Cloud Infrastructure Regularly? A Reality Check
by Sam Bisbee, CTO, Threat Stack
The System Upgrade Problem
Truth: Systems aren't being upgraded frequently enough
We ran the numbers. Over a seven-day period, 13.86% of environments on our system ran incremental software upgrades. That number should be 100%.
A DEEPER LOOK AT THE NUMBERS
We dove into the numbers on our side to find out how, when and with what frequency people are actually updating their systems. Here's what we learned.
A DEEPER LOOK AT THE NUMBERS
If a server is terminated, it is most likely terminated after about one month, suggesting a regular infrastructure refresh rate. Monthly refreshes aren't terrible (certainly better than classic enterprise IT)... but they're not great either: 30 days is plenty of time for an attacker to steal and corrupt loads of data.
Chart: Average Age of Agents
THE GOOD NEWS
So what exactly are we looking at? These graphs show that if a server survives past its initial month, it is likely to survive for many months, possibly forever. These workloads are being treated as pets, not cattle. Think databases, load balancers and other critical-path systems.
Those long-lived workloads are prime targets for bad actors, especially since so few organizations are patching their systems.
THE BAD NEWS
Our data shows that, though a certain number of instances are being churned, there is a large population of critical or high-risk systems (pets) that are not being patched. They're being left vulnerable for extended periods of time. (Yikes.)
OKAY, OKAY, ENOUGH FUD. HERE'S WHAT TO DO.
The numbers tell the scary story, but we're here to take the guesswork out of keeping your systems safe. Here's what you need to know.
HOW OFTEN TO UPGRADE
At a minimum, you should apply security patches from your vendor(s) EVERY DAY. (Yes, even on weekends.)
How? Use Chef, Puppet or other automation tools to make it easy.
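One concrete way to get the daily, security-only run described above, as an added example that is not part of the original deck: a small POSIX shell installer that drops two apt configuration fragments for Debian/Ubuntu's unattended-upgrades. The directory name `CONF_DIR`, the function names and the policy choices (security pocket only, no automatic reboot) are this example's own assumptions; a Chef or Puppet resource managing the same two files does the same job.

```shell
#!/bin/sh
# Added example (not from the deck): install a daily, security-only
# unattended-upgrades policy on Debian/Ubuntu hosts.
# CONF_DIR defaults to the real apt config directory; point it at a
# scratch directory to dry-run or test (assumed name, not an apt setting).
set -eu

CONF_DIR="${CONF_DIR:-/etc/apt/apt.conf.d}"

# write_auto_upgrade_policy DIR
# 20auto-upgrades turns on the daily periodic run (every day, weekends
# included); 50unattended-upgrades restricts that run to the vendor's
# security pocket so the daily change set stays small and predictable.
write_auto_upgrade_policy() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
    cat > "$dir/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
// Feature updates are not security fixes; pull them on your own cadence.
//  "${distro_id}:${distro_codename}-updates";
};
// A pet that reboots itself at 3am is a different outage. Leave this off,
// but remember: a kernel patch that is installed and not booted is not
// protecting you yet. Check /var/run/reboot-required and schedule it.
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
EOF
}

# security_origin_only DIR
# Sanity check for the written policy: the -security origin is enabled and
# no uncommented -updates origin sneaked in. Returns 0 on success.
security_origin_only() {
    f="$1/50unattended-upgrades"
    grep -q -e '-security";' "$f" && \
        ! grep -q -e '^[[:space:]]*"[^"]*-updates";' "$f"
}

# Usage: sudo sh patch-policy.sh install
#        CONF_DIR=/tmp/apt-test sh patch-policy.sh install   (dry run)
if [ "${1:-}" = "install" ]; then
    write_auto_upgrade_policy "$CONF_DIR"
    security_origin_only "$CONF_DIR"
    echo "daily security-only unattended-upgrades policy written to $CONF_DIR"
fi
```

On RHEL-family hosts the counterpart is `dnf-automatic` with `upgrade_type = security` in `/etc/dnf/automatic.conf` and the `dnf-automatic.timer` unit enabled; `needs-restarting -r` from yum-utils answers the same "is the patch actually loaded?" question that `/var/run/reboot-required` answers on Debian/Ubuntu.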
HOW TO PRIORITIZE VULNERABILITIES
The window between public disclosure and the availability of a vendor security patch can be unpredictable, so you need to know which vulnerabilities are highest priority.
CVE identifiers (Common Vulnerabilities & Exposures) and the CVSS severity scores published for them are a good place to start.
cve.mitre.org
BUT DON'T RELY ON CVSS SCORES ALONE
They are a good initial indicator, but you need more context to appropriately prioritize. A CVSS base score describes the bug in isolation; it knows nothing about where your instance sits or who can reach it.
Here's an example: you probably want to patch the medium-severity iptables issue on your Internet-facing instances (hello, public) before you worry about a high-severity local privilege escalation on your graphite metrics box (fairly protected).
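The exposure-weighted ranking that the iptables-versus-graphite example implies, as an added example that is not part of the original deck. It reads a constructed CSV of findings (host, exposure class, CVSS attack vector, base score, issue label) and ranks them by base score multiplied by an exposure weight and an attack-vector weight. The weights, hostnames and issue labels are this example's own assumptions, not a published scoring standard; the point is that the medium Internet-facing issue lands on top and the high-severity local bug on the isolated box lands at the bottom.

```shell
#!/bin/sh
# Added example (not from the deck): rank findings by CVSS base score
# weighted by how reachable the host is and how the bug is reached.
# Input on stdin is CSV: host,exposure,vector,cvss,issue
# exposure: internet | internal | isolated   (where the host sits)
# vector:   network | adjacent | local       (CVSS attack vector)
# The weights below are illustrative assumptions, not a standard.
set -eu

prioritize() {
    awk -F, '
    BEGIN {
        # Exposure weight: can an attacker on the Internet even reach it?
        ew["internet"] = 1.0; ew["internal"] = 0.5; ew["isolated"] = 0.25
        # Vector weight: a local bug needs a foothold first.
        vw["network"]  = 1.0; vw["adjacent"] = 0.6; vw["local"] = 0.4
    }
    /^#/ || NF < 5 { next }            # skip header/comments and short rows
    {
        host = $1; expo = $2; vec = $3; cvss = $4; issue = $5
        if (!(expo in ew) || !(vec in vw)) {
            printf "skipping %s: unknown exposure/vector %s/%s\n",
                   host, expo, vec > "/dev/stderr"
            next
        }
        score = cvss * ew[expo] * vw[vec]
        printf "%.2f %s %s (cvss %s, %s, %s)\n",
               score, host, issue, cvss, expo, vec
    }' | sort -rn
}

# top_finding: prints "host issue" of the highest-priority row on stdin.
top_finding() {
    prioritize | head -n 1 | awk '{print $2, $3}'
}

# Constructed sample findings; hosts, scores and labels are made up to
# mirror the slide: a medium iptables bug on a public box versus a high
# local privilege escalation on a protected metrics box.
SAMPLE='# host,exposure,vector,cvss,issue
web-01,internet,network,5.3,iptables-bypass-medium
graphite-01,isolated,local,7.8,local-privesc-high
app-02,internal,network,8.1,deserialization-rce-high
web-01,internet,local,7.8,local-privesc-high'

# Usage: sh prioritize.sh demo        (or: cat findings.csv | sh -c '. ./prioritize.sh; prioritize')
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE" | prioritize
fi
```

With the sample data the order comes out web-01 iptables (5.30), app-02 RCE (4.05), web-01 local privesc (3.12), graphite-01 local privesc (0.78): the same 7.8 bug ranks four times higher on the public web host than on the isolated metrics host, which is exactly the context a bare CVSS score cannot give you.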
LISTEN TO YOUR MOTHER (OR ME)
Some tough love (about cloud security):
1. Stop procrastinating
2. Practice good hygiene
There are so many tools out there today to make it easy on you. No excuses.
READ MORE
Check out the full blog post I wrote about these numbers and what they mean: It All Started With a Wager About System Upgrades
(Spoiler alert: I lost that wager.)
Tell us what you think on Twitter:
@threatstack
@sbisbee
THANKS FOR READING
Editor's notes
Fast-growing companies are increasingly relying on modern infrastructure (public, private and hybrid cloud) to fuel business scale.
However, many businesses find themselves scaling with limited visibility as to what is happening from a security perspective inside their cloud infrastructure, and in particular inside their workloads/VMs, where applications are running and data resides.
The debate continues as to whether migration to the public cloud is more or less secure than the traditional enterprise data center approach, but one fact remains clear: adoption of public cloud is here today and is here to stay. You don't need to look any further than projected spend on public cloud to realize it is the present and future reality.
So the only real question is: scale blind or scale with confidence?
Threat Stack continues to push the evolution of cloud security.
We've listened to the market. What they've told us is that traditional security is too expensive, overly complex, requires way too much hands-on attention to configure, integrate, deploy and manage... and if you do get it to work, the data doesn't tell you the whole story or provide you with actionable insights. So we got to work to come up with a better, more modern solution that would address and solve these issues.
We determined that a modern approach to security would require an inversion of traditional security. This means starting at the workload, the center of the cloud security universe and the single source of truth, and working inside-out, building on additional layers of context to provide a complete picture of what's happening in your cloud. We then fully integrated all the services and data streams onto a single cloud-native platform that can be easily deployed across any environment and is a snap to manage and use. Furthermore, we've made the solution friendly with your favorite DevOps tools to streamline your existing workflows... The end result...