ClickCease

Patching Security Vulnerabilities

David Bressler

David Bressler

Security padlock and circle in network space.

There’s always a layer of details that make all the difference between easy and simple. BackBox improves network security by streamlining network software upgrades for patching security vulnerabilities to be both easy and simple.

First let me explain the difference between easy and simple using an example everyone in the US can understand.

Just File a Claim

The US healthcare system has a layer in-between ‘care providers’ and patients — the ‘payor’. When a patient (with insurance) uses a care provider a claim gets submitted to the payor, and the payor pays.

There are some complexities but let’s assume all claims are filed by the patient for the sake of simplicity (the example holds for the more complex case, but the complexity doesn’t add to the point I’m trying to make).

So, patient goes to doctor, pays, then files a claim and gets reimbursed. Easy. I’d agree it’s gotten easier, could be more so, but it’s definitely not simple.

Because if I’m a family, all of a sudden I’m managing claims for multiple people (in my case, four). There are different types of claims, each which impacts what I should get paid, and what payment limits I have to track for the year.

I also need to track, what I’ve paid, what claims are complete, and their status. Were they completed correctly, incorrectly, etc? And, based on all of that, I might make decisions about my care (and the care for my family).

So, anything but simple. But, each claim is easy to file.

Just Make the Fix, Wait for the Patch, Then Patch the Vulnerability

You see where I’m going with this.

If you’re even one layer removed from these patches, it can be hard to remember how complex they are, even when they’re easy to do.

Patching vulnerabilities is important and has a time-sensitive nature to it that is probably why at Ignite this week Palo Alto executives said one of the top things teams can do to improve security is automate.

Let’s walk through it for a minute.

A vendor announces a vulnerability, along with ‘mitigating configurations’ to take to protect the network until a patch is provided.

The ‘mitigating configurations’ are easy to apply… but you have 40 firewalls, from multiple vendors, in multiple locations and timezones, not all on the same version of device OS, and in support of different business applications (meaning the networks have a wide variety of SLAs from ‘yeah, just reboot it when you can’ all the way to ‘if you touch my device your firstborn child belongs to me’).

It’s obvious but worth stating, each device needs to be touched twice. Once to mitigate, second to patch.

In theory there are maintenance windows, and you’ll do a vulnerability assessment. If you’re vulnerable, that maintenance window might go, well, out the window.

Patching Security Vulnerabilities: Need to Automate

You want, no, you NEED TO AUTOMATE the steps taken to mitigate and then again to update SO THAT you can do the other stuff, the scheduling, the vulnerability assessment, the testing, in partnership with the rest of the org.

You also NEED TO AUTOMATE for speed and efficiency because there’s a lot of activity that happens in the steps I’ve mentioned above.

Want to make a device change? Backup first.

Then, do some pre-checks. HA pair? Maybe do pre-checks on both devices so you know you’re good to go.

Then, start on one. Make the changes and it’s time for post-checks. Did it work? Is it ready to take the failover? How about another backup so you have the new configuration backed up and validated? Didn’t work? BackBox’ one-click pre-validated restore takes all the worry out of restoring from backup.

So you backup, and the secondary device is now configured as you want it, with a pre- and post-backup, and you’ve validated that it’s working the way you want to accept failover.

Failover. Make sure it worked. Once confirmed the whole process from above on the second machine. And so on through all devices in the cluster until you’re satisfied.

Each of these individual steps are as hard as they are, but not insurmountably so. People are skilled. They’re good at solving the problems of figuring out to do these right. But equally, computers are much better than humans at doing repeatable tasks efficiently.

Remember, each of those steps will have to be done twice — once for the ‘configuration remediation’ and again for the ‘patch update’ with the permanent fix.

Security Vulnerability Patching with BackBox Automation

At this week’s Palo Alto Ignite conference we talked with hundreds of people who experience these sorts of issues regularly. They each have their own way of implementing patches, special situations, and individual concerns.

With BackBox our team of support experts helps customers create the necessary automations, which can then be modified to suit customers needs. Out of the box, for example, upgrades are available to HA clusters direct to Palo Alto devices or through Palo Alto Panorama. The same, of course, goes for other vendors. 180 other vendors to be specific.

The outcome you achieve with BackBox is:

You’ll have your network protected more quickly than doing it all manually, with less disruption, and you’ll have a team who can do this with less effort so they can be better partners to the people that depend on the network services and protection these devices provide.

It’s quick to get started too. So what’s keeping you?

 

Related content

vulnerability lifecycle
April 23, 2024

The Vulnerability Lifecycle

Read Now
April 11, 2024

Programmatic NCM and CI/CD

Read Now
April 10, 2024

What is Network Configuration Management?

Read Now

See for yourself how consistent and reliable your device backups and upgrades can be

Request a Demo
Contact Us