Navigating the labyrinth of patching unmanaged applications in a corporate environment can feel like an uphill battle, with new vulnerabilities lurking around every corner. As organizations scale and strict controls for corporate endpoints are still being established, it becomes increasingly difficult to restrict the software employees install. How can we efficiently manage this flood of vulnerabilities when it’s impractical to centrally patch every single application?
In this blog post, we'll explore how the Axonius security and IT team uses our Cybersecurity Asset Management platform, together with its Enforcement Center's "Send Email to Assets" action, to encourage users to patch unmanaged software. This approach transformed the company’s employees into powerful allies in strengthening corporate security posture.
In the early days of Axonius, we had the luxury of manual, “brute force” deployments to the laptops used by our employees. Rolling out a password manager, SSO, or MFA? Messaging and offering individual assistance to every employee ensured timely completion. However, as the company grew, so did the need to make widespread announcements for tasks requiring end-user attention. Even after implementing Mobile Device Management (MDM) to centralize corporate device management, we faced limitations in full automation without user interaction.
As a CAASM solution, the Axonius Cybersecurity Asset Management platform provides comprehensive visibility into our assets, from devices and users to software and vulnerabilities. Our approach in using this platform allowed us to address vulnerabilities even in applications that users install without corporate oversight.
Our centrally managed browser of choice is Google Chrome, whose built-in updater controls result in rapid adoption of updates. We also implemented automated patching with forced reboots for both Windows and macOS, which handles Edge and Safari patching respectively.
Axonius Dashboard Chart of Chrome installations with critical or high vulnerabilities over time, demonstrating rapid patching via the built-in Chrome updater and a relatively stable number of unpatched installations after each cycle (axes redacted).
Upon examining other browsers used by employees besides Safari, Edge, and Chrome, we identified a significant number of Firefox users, some of whom were slow to install updates. This included patches for critical vulnerabilities highlighted by CISA's Known Exploited Vulnerabilities Catalog. As the number of Firefox users grew, so did the number of consistently unpatched installations. Given the critical role that web browsers play in employees' activities and the company's security, we decided to start by reviewing our approach to patching Firefox, which didn’t have centralized patching at the time.
Axonius Dashboard Chart of Firefox installations with critical or high vulnerabilities over time, demonstrating growth in unpatched installations with users responsible for patching and no external reminders (axes redacted).
Initially, we relied on manually sending wider announcements and targeted notifications to affected users when critical vulnerabilities in unmanaged software would pop up, but as the company expanded, these methods became unsustainable.
The Axonius Enforcement Center module offers various actions to help bridge the gap between identifying and fixing vulnerabilities. While direct tie-ins to tools (like MDM) can handle patching, we turned to the "Send Email to Assets" action for cases where it could reduce risk faster in the interim, before IT had the bandwidth to build a new application into our formal patch management program. When this action is configured, the solution sends a message to the email address associated with each device identified by a Devices Query.
Screenshot of the Axonius Enforcement Center depicting the described Email Users with Open Firefox Vulnerabilities Enforcement Action configuration.
Given the high internal engagement at Axonius for security-specific action items, we experimented with sending targeted email notifications to users with devices harboring critical or high severity Firefox vulnerabilities. We opted to send these emails every five days, striking a balance between urgency and minimizing disruption.
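The selection and cadence logic described above, as an added sketch rather than Axonius code. The inventory rows, field names and `last_sent` store are constructed assumptions, and the function only decides who is due a reminder; it does not send mail.

```python
from datetime import date, timedelta

REMIND_EVERY = timedelta(days=5)   # cadence chosen in the post
SEVERITIES = {"critical", "high"}  # severities the post targets


def sw(name, *severities):
    """Build one constructed software record (hypothetical schema)."""
    return {"name": name, "vuln_severities": list(severities)}


# Constructed inventory rows; field names are hypothetical, not an Axonius schema.
DEVICES = [
    {"host": "lt-001", "owner": "ana@example.com", "software": [sw("Firefox", "critical", "medium")]},
    {"host": "lt-002", "owner": "ana@example.com", "software": [sw("Mozilla Firefox", "High")]},
    {"host": "lt-003", "owner": "ben@example.com", "software": [sw("Firefox", "medium")]},
    {"host": "lt-004", "owner": "cy@example.com", "software": [sw("Firefox", "high")]},
    {"host": "lt-005", "owner": None, "software": [sw("Firefox", "critical")]},
    {"host": "lt-006", "owner": "dee@example.com", "software": [sw("Google Chrome", "critical")]},
]
# Constructed record of when each owner was last reminded.
LAST_SENT = {"ana@example.com": date(2024, 1, 5), "cy@example.com": date(2024, 1, 8)}


def affected(device, product="firefox"):
    """True if the device has a critical/high finding on the given product."""
    return any(
        product in s["name"].lower()
        and SEVERITIES & {v.lower() for v in s["vuln_severities"]}
        for s in device["software"]
    )


def due_reminders(devices, last_sent, today):
    """Return ({owner: [hosts]} due a reminder today, [hosts with no owner email])."""
    by_owner, unowned = {}, []
    for d in filter(affected, devices):
        if d.get("owner"):
            by_owner.setdefault(d["owner"], []).append(d["host"])
        else:
            unowned.append(d["host"])  # no address to mail: needs manual follow-up
    due = {
        owner: sorted(hosts)
        for owner, hosts in by_owner.items()
        # one message per owner, and none inside the five-day window
        if owner not in last_sent or today - last_sent[owner] >= REMIND_EVERY
    }
    return due, sorted(unowned)
```

Grouping by owner keeps a user with several affected laptops from receiving one email per device, and the unowned list surfaces devices the email action cannot reach.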
The results were dramatic. Not only did the user-driven patch rate soar from approximately 40% to 75%, but the patching speed increased as well. Even better, these metric improvements have been consistently maintained for months since implementing this change!
Axonius Dashboard Chart of Firefox installations with critical or high vulnerabilities over two monthly cycles, demonstrating the impact of Axonius-driven user reminders to install patches during the second cycle (axes redacted).
While we continue to employ automated controls whenever practical (including building deployment/patching strategies with tools like MDM), this approach serves as an effective mechanism to distribute security responsibilities for approved, user-specific software for those who want to use it.
In the world of cybersecurity, it’s easy to assume that only complex and intricate solutions can lead to meaningful results. However, as our case study demonstrates, sometimes embracing simple strategies can yield surprisingly powerful and lasting impacts.
By leveraging the Axonius Cybersecurity Asset Management solution and its Enforcement Center's “Send Email to Assets” feature, we transformed users into security champions, taking ownership of their role in keeping their corporate assets in a secure state. This straightforward approach of periodic email reminders has not only led to a more secure environment but also helped solidify our culture of security awareness and distributed responsibility.