It’s 2024 and if you didn’t know or realize it, your cybersecurity strategy cannot depend and rely purely on patching vulnerabilities.
Now clearly I’m not suggesting that you don’t need an active and efficient strategy for applying critical and even recommended patches. But if you think that you can rely on patching as a way to keep the criminals out of your network – you are mistaken, and need to enhance your cybersecurity strategy and overall posture.
Why? Consider this. Helpnet Security published an eye-opening report saying that 75% of new vulnerabilities are exploited within 19 days or less, but the average time to patch the vulnerabilities exceeds 100 days. Add to that the fact that the National Vulnerability Database (NVD) recorded a 17% year-over-year increase in vulnerabilities in 2023, and we have a real problem.
The answer is to simply apply patches a lot faster, right? Unfortunately this idea isn’t practical and won’t reliably yield success. Criminals literally maintain databases of organizations and their vendor stack so that when a new vulnerability becomes known, it can be exploited nearly instantaneously. Risk-based prioritization is an important part of identifying which patches need to be applied first, but ultimately a “security through patching” approach is a hope-based strategy – hope that the patch gets applied before it is exploited and the criminal breaks in.
Instead, patching and the overall cyber security strategy needs to be complemented with a resiliency approach, one that can identify the telltale signs of a breach, the so-called digital exhaust, so that the breach can be identified and the attack shut-down early in the kill chain and before damage ensues. In this way the permanent fix (the patch) is backstopped by the real-time alerting and visibility into exploitation of vulnerabilities (the resiliency). Assuming and recognizing that you cannot reliably patch every vulnerability before it gets exploited is the first step toward acknowledging that a resiliency-based approach, one which assumes that criminals will break in but nevertheless still identifies and stops their attacks, is the way of the future.
What’s perhaps even more surprising, however, is that resiliency-approaches can be deployed in a “business as usual” approach with little to no effort on behalf of IT. Protective DNS solutions are capable of watching every outbound DNS request, identifying good vs malicious communications, and blocking the malware attempting to “phone home” to its command-and-control; more to the point, they can be fully cloud-based, cloud-agnostic, deployed in literal minutes, and integrated into the rest of the security stack to improve overall efficacy, visibility, and security.
Compared with trying to dramatically improve the 100-day average for patching, the deployment of Protective DNS for cyber resiliency seems like an obvious approach. Maybe this is why the Canadian government issued a directive with goal number one being cyber resiliency. The same can be said for the US government, where the White House issued an Executive Order on cyber resiliency and CISA and the NSA recommended the implementation and usage of Protective DNS. And it’s not just in North America – various other governments are implementing their own resiliency solutions and recommending/requiring them across various industries. Across the globe cyber insurance carriers are now asking whether Protective DNS is deployed and implemented in their annual attestation questionnaires, and many predict that it will become a required component in the coming years.
The implementation of Protective DNS as an improved approach is even easier and faster than the implementation of a complete zero-trust model (and is, in fact, part of a zero-trust implementation and should be enabled in the very first phase of implementation).
Businesses often think they may be adequately covered with their EDR implementation, but that could not be farther from the truth. Similar to the continual announcement of new vulnerabilities that need to be patched, criminals invent and create a continual stream of tactics and approaches that effectively bypass endpoint detection. Like patching programs, EDR is of course still important, but it cannot be relied upon as an effective blockade. Everyone will at some point be successfully breached, but the deployment of Protective DNS can and will detect the very earliest signs – the digital exhaust of a breach manifesting itself as outbound communication to command-and-control infrastructure. Blocking these outbound communications effectively renders the attack inert, turning a successful breach into an unsuccessful attack and protecting the organization from data loss and financial damage.
Furthermore, many smaller organizations who utilize MSSP or MSP companies for their cyber security may assume that they are adequately covered because the MSSP/MSP is taking care of all patching and overall security concerns. However, not all MSSP/MSPs are created equal and each organization should be asking the question, “Is Protective DNS part of my security stack?” Not only that, but does the solution have a report from a reputable 3rd party testing house, such as AV-TEST with independently proven correctness and efficacy – having a Protective DNS solution that isn’t effective at actually detecting and stopping the anomalous communications is potentially worse than not having one at all; organizations should be asking the question and ensuring they are properly protected by modern and advanced security solutions.
Where are you on your path toward the implementation of cyber resiliency?