
It All Started With a Wager About System Upgrades

Date post: 10-Apr-2017
Upload: threat-stack
Page 1: It All Started With a Wager About System Upgrades

Why Aren’t Organizations Updating Their Cloud Infrastructure Regularly?: A Reality Check

by Sam Bisbee, CTO, Threat Stack

The System Upgrade Problem


Truth: Systems aren’t being upgraded frequently enough

We ran the numbers.

Over a seven-day period, 13.86% of environments on our system ran incremental software upgrades.

That number should be 100%.


A DEEPER LOOK AT THE NUMBERS

We dove into the numbers on our side to find out how, when and with what frequency people are actually updating their systems.

Here’s what we learned.


A DEEPER LOOK AT THE NUMBERS

If a server is terminated, it is likely after 1 month, suggesting a regular infrastructure refresh rate.

Monthly refreshes aren’t terrible (certainly better than classic enterprise IT)...

But it’s not great either (30 days is plenty of time for an attacker to steal and corrupt loads of data.)

Average Age of Agents


THE GOOD NEWS

So what exactly are we looking at?

These graphs show that if a server survives past its initial month, it’s likely to survive for many months, possibly forever. These workloads are being treated as pets, not cattle. Think databases, load balancers and other critical path systems.

Those long-lived workloads are prime targets for bad actors, especially since so few organizations are patching their systems.


THE BAD NEWS

Our data shows that, though a certain number of instances are being churned out, there is a large population of critical or high-risk systems (pets) that are not being patched.

They’re being left vulnerable for extended periods of time. (Yikes.)


OKAY, OKAY, ENOUGH FUD. HERE’S WHAT TO DO.

The numbers tell the scary story, but we’re here to take the guesswork out of keeping your systems safe.

Here’s what you need to know.


HOW OFTEN TO UPGRADE

At a minimum, you should apply security patches from your vendor(s)

EVERY DAY (Yes, even on weekends.)

How? Use Chef, Puppet or other automation tools to make it easy.


HOW TO PRIORITIZE VULNERABILITIES

Dwell time between public disclosure & security patch can be unpredictable.

So you need to know which vulnerabilities are highest priority.

CVE (Common Vulnerabilities & Exposures) Ratings are a good place to start.

cve.mitre.org


BUT DON’T RELY ON CVE RATINGS ALONE

They are a good initial indicator, but you need more context to appropriately prioritize.

Here’s an example: You probably want to patch the medium-severity iptables issue on your Internet-facing instances (hello public) before you worry about high-severity local privilege escalation on your graphite metrics box (fairly protected.)
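
The ordering described above, as an added example that is not part of the original slides: a small Python ranker that scales a severity score by where the host sits and what access the flaw requires. The weights, host names and scores are constructed assumptions, not Threat Stack data.

```python
from dataclasses import dataclass

# Assumed weights, not from the slides: tune them to your own environment.
EXPOSURE = {"internet": 1.0, "internal": 0.5, "isolated": 0.2}
VECTOR = {"network": 1.0, "adjacent": 0.7, "local": 0.3}


@dataclass(frozen=True)
class Finding:
    host: str
    issue: str
    base_score: float  # severity rating on a 0-10 scale
    vector: str        # access the flaw requires: network / adjacent / local
    exposure: str      # where the host sits: internet / internal / isolated


def priority(f: Finding) -> float:
    """Severity scaled by how reachable the flaw is on this particular host."""
    if not 0.0 <= f.base_score <= 10.0:
        raise ValueError(f"base_score out of range for {f.host}: {f.base_score}")
    # Missing or unrecognized context must never lower a priority,
    # so unknown values fall back to the worst case (weight 1.0).
    exposure = EXPOSURE.get(f.exposure, 1.0)
    vector = VECTOR.get(f.vector, 1.0)
    return round(f.base_score * exposure * vector, 2)


def rank(findings):
    """Patch order: highest contextual priority first, raw severity breaks ties."""
    return sorted(findings, key=lambda f: (priority(f), f.base_score), reverse=True)


# Constructed sample data modelled on the slide's example.
SAMPLE = [
    Finding("graphite-01", "local privilege escalation", 7.8, "local", "internal"),
    Finding("edge-fw-01", "iptables issue", 5.5, "network", "internet"),
    Finding("build-07", "local privilege escalation", 7.8, "local", "untagged"),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{priority(f):5.2f}  {f.host:12} {f.issue}")
```

The untagged host ranks above the graphite box even though both carry the same rating, because an instance with no exposure label is scored as if it were Internet-facing.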


LISTEN TO YOUR MOTHER (OR ME)

Some tough love (about cloud security):

1. Stop procrastinating

2. Practice good hygiene

There are so many tools out there today to make it easy on you. No excuses.


READ MORE

Check out the full blog post I wrote about these numbers and what they mean:

It All Started With a Wager About System Upgrades

(Spoiler alert: I lost that wager.)


Tell us what you think on Twitter:

@threatstack

@sbisbee

THANKS FOR READING
