F5 Big-IP Virtual Edition: image patch and uploading How we patch critical Big...
F5 is an international company with more than a dozen major offices and thousands of employees. As a technology company we also have a large Internet-visible footprint: over 33,000 production IT assets. When a major new vulnerability is announced and is quickly followed by an exploit in the wild, managing the response across that estate is a real challenge.
Many compliance regimes require that vulnerable systems be patched within 30 days. In my opinion, compliance sets only the minimum bar. If we consistently practice good security hygiene, compliance follows as a side effect rather than being the goal.
Some organizations are still learning this. For F5's first annual Application Protection Report, we commissioned Ponemon to survey 3,135 IT security practitioners about their application security processes. One of the key processes examined was how often they scan their applications for vulnerabilities. As Figure 1 shows, the frequency varied widely across respondents.
F5 devotes a lot of time to identifying and validating vulnerabilities. We use a variety of vulnerability scanning tools to keep an up-to-date picture of our risk footprint. We also pay attention to user reports, to information from various threat intelligence sources, and to advisories from critical vendors such as Microsoft, which give us more detail on known vulnerabilities and their potential implications for our infrastructure. To confirm a vulnerability we use additional scanning tools, check asset configurations against industry standards and best practices, interview stakeholders, attempt to reproduce the behavior in a non-production environment, and check log files for corroborating evidence.
We use the Common Vulnerability Scoring System (CVSS) to score vulnerabilities, but for us a CVSS score is just the beginning. A root-level vulnerability with no known exploit in the wild we classify as high, and we close those within 30 days.
If we see an exploit in the wild, we consider the vulnerability critical, and those holes are closed within seven days. Even when other mitigating controls are available, we still try to patch as quickly as possible.
Patching is a collaborative effort. The information security team drives the process, IT Operations does the actual patching because they own the systems, and our Business Solutions Partners are heavily involved in the conversation because they determine the actual business risk and the timing of a patch.
Where there is a valid business case, we sometimes delay patching for medium- and low-risk items; for example, we avoid changes to financial systems during the year-end close. Any such delay requires the approval of both the business line VP and myself, so there is a defined structure around the exceptions as well as the process.
We track metrics such as risk level, patch count, and patch completion times and percentages. The context of those metrics is more telling than the metrics themselves: a hundred servers unpatched for a high vulnerability means something very different on the Internet-facing edge than on an isolated internal segment.
Patching is just one part of a full spectrum of vulnerability management tools. We use many tools to assist with inventory gathering, risk scoring, threat analysis, visualization, and asset tracking, and together they give us the big picture of the risk an unpatched vulnerability poses on a particular device.
Gathering this kind of data is the right place to start, because you need to know the full extent of the problem. With that in hand you can make ballpark estimates of the work required and have a much better idea of what to report to upper management.
Our broader program also includes careful selection of approved applications, to ensure they are hardened enough to resist known attacks and that they work with our suite of security tools, and we make sure our critical applications have appropriate network access control and availability protections. Even with all of these in place, we always strive to patch as much as we can, as quickly as we can.
Patching is not the most exciting part of cyber security; it is one of the most mundane. It is like brushing your teeth: a necessary component of good hygiene that keeps you out of trouble.
Mary is F5's Chief Information Security Officer. She is responsible for F5's corporate-wide information security management efforts, along with strategic planning, governance, and controls. This includes identifying, evaluating, and reporting on F5's overall security performance and posture in alignment with regulatory requirements and evolving industry best practices. Before F5, Mary was the CISO at Seattle Children's Hospital and has held several other security leadership positions. She holds a degree from Trinity University and is a member of the Executive Women's Forum.