Organizations are not updating their cloud infrastructure regularly, with only 13.86% of environments undergoing incremental software upgrades within a week. Many critical systems, treated as long-lived 'pets', are left unpatched, exposing them to security risks. To enhance security, it is recommended to apply vendor security patches daily and prioritize vulnerabilities based on context beyond just CVE ratings.

1. Why Aren’t Organizations Updating Their Cloud
Infrastructure Regularly?: A Reality Check
by Sam Bisbee, CTO, Threat Stack
The System Upgrade Problem

2. 2
Truth: Systems aren’t being upgraded frequently enough
We ran the numbers.
Over a seven-day period, 13.86% of
environments on our system ran
incremental software upgrades.
That number should be 100%.

3. 3
A DEEPER LOOK AT THE NUMBERS
We dove into the numbers on our side to
find out how, when and with what
frequency people are actually updating
their systems.
Here’s what we learned.
Image source

4. 4
A DEEPER LOOK AT THE NUMBERS
If a server is terminated, it is likely after 1 month,
suggesting a regular infrastructure refresh rate.
Monthly refreshes aren’t terrible (certainly better
than classic enterprise IT)...
But it’s not great either (30 days is plenty of time
for an attacker to steal and corrupt loads of data.)
Average Age of Agents

5. 5
THE GOOD NEWS
So what exactly are we looking at?
These graphs show that if a server survives past its initial month that it’s it’s likely to survive for
many months, possibly forever. These workloads are being treated as pets, not cattle. Think
databases, load balancers and other critical path systems.
Those long living workloads are prime targets for bad actors, especially since so few
organizations are patching their systems.

6. 6
THE BAD NEWS
Our data shows that, though a certain
amount of instances are being churned
out, there is a large population of
critical or high-risk systems (pets) that
are not being patched.
They’re being left vulnerable for extended
periods of time. (Yikes.)
Image source

7. 7
OKAY, OKAY, ENOUGH FUD. HERE’S WHAT TO DO.
The numbers tell the scary story, but
we’re here to take the guesswork out of
keeping your systems safe.
Here’s what you need to
know.
Image source

8. 8
HOW OFTEN TO UPGRADE
At a minimum, you should apply security
patches from your vendor(s)
EVERY DAY
(Yes, even on weekends.)
How? Use Chef, Puppet or other
automation tools to make it easy.

9. 9
HOW TO PRIORITIZE VULNERABILITIES
Dwell time between public disclosure &
security patch can be unpredictable.
So you need to know which
vulnerabilities are highest priority.
CVE (Common Vulnerabilities &
Exposures) Ratings are a good place to
start.
cve.mitre.org

10. 10
BUT DON’T RELY ON CVE RATINGS ALONE
They are a good initial indicator, but you
need more context to appropriately
prioritize.
Here’s an example:
You probably want to patch the medium severity
iptables issue on your Internet-facing instances
(hello public) before you worry about high
severity local privilege escalation on your
graphite metrics box (fairly protected.)
Image source

11. 11
LISTEN TO YOUR MOTHER (OR ME)
Some tough love (about cloud security):
1. Stop procrastinating
2. Practice good hygiene
There are so many tools out there today
to make it easy on you. No excuses.
Image source

12. 12
READ MORE
Check out the full blog post I wrote about
these numbers and what they mean:
It All Started With a Wager About System
Upgrades
(Spoiler alert: I lost that wager.)
Image source

13. Tell us what you think on Twitter:
@threatstack
@sbisbee
THANKS FOR READING
13