Navigating the labyrinth of patching unmanaged applications in a corporate environment can feel like an uphill battle, with new vulnerabilities lurking around every corner. As organizations scale and strict controls for corporate endpoints are still being established, it becomes increasingly difficult to restrict the software employees install. How can we efficiently manage this flood of vulnerabilities when it’s impractical to centrally patch every single application?
In this blog post, we'll explore how the Axonius security and IT team leverages our Cybersecurity Asset Management solution, coupled with its Enforcement Center's "Send Email to Assets" action, to encourage users to patch unmanaged software. This approach transformed the company’s employees into powerful allies in strengthening corporate security posture.
Background: scaling security efforts
In the early days of Axonius, we had the luxury of manual, “brute force” deployments to the laptops used by our employees. Rolling out a password manager, SSO, or MFA? Messaging and offering individual assistance to every employee ensured timely completion. However, as the company grew, so did the need to make widespread announcements for tasks requiring end-user attention. Even after implementing Mobile Device Management (MDM) to centralize corporate device management, we faced limitations in full automation without user interaction.
As a CAASM solution, the Axonius Cybersecurity Asset Management solution provides comprehensive visibility into our assets, from devices and users to software and vulnerabilities. Our approach in using this solution allowed us to address vulnerabilities even in applications that users install without corporate oversight.
Patching unmanaged browsers: the Firefox challenge
Our centrally managed browser of choice is Google Chrome, whose built-in updater controls result in rapid adoption of updates. We also implemented automated patching with forced reboots for both Windows and macOS, which handles Edge and Safari patching respectively.
Axonius Dashboard Chart of Chrome installations with critical or high vulnerabilities over time, demonstrating rapid patching via the built-in Chrome updater and a relatively stable number of unpatched installations after each cycle (axes redacted).
Upon examining other browsers used by employees besides Safari, Edge, and Chrome, we identified a significant number of Firefox users, some of whom were slow to install updates. This included patches for critical vulnerabilities highlighted by CISA's Known Exploited Vulnerabilities Catalog. As the number of Firefox users grew, so did the number of consistently unpatched installations. Given the critical role that web browsers play in employees' activities and the company's security, we decided to start by reviewing our approach to patching Firefox, which didn’t have centralized patching at the time.
Axonius Dashboard Chart of Firefox installations with critical or high vulnerabilities over time, demonstrating growth in unpatched installations with users responsible for patching and no external reminders (axes redacted).
Initially, we relied on manually sending wider announcements and targeted notifications to affected users whenever critical vulnerabilities in unmanaged software popped up, but as the company expanded, these methods became unsustainable.
The Axonius Enforcement Center: automated and targeted employee outreach
The Axonius Enforcement Center module offers various actions to help bridge the gap between identifying and fixing vulnerabilities. While direct tie-ins to tools (like MDM) can handle patching, we turned to the "Send Email to Assets" action for cases where it led to a faster reduction in risk in the interim, before IT had the bandwidth to build a new application into our formal patch management program. When this action is configured, the solution sends a message to the email address associated with each device identified by a Devices Query.
Screenshot of the Axonius Enforcement Center depicting the described Email Users with Open Firefox Vulnerabilities Enforcement Action configuration.
Given the high internal engagement at Axonius for security-specific action items, we experimented with sending targeted email notifications to users with devices harboring critical or high severity Firefox vulnerabilities. We opted to send these emails every five days, striking a balance between urgency and minimizing disruption.
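The selection and cadence logic described above, as an added sketch that is not Axonius code and does not use the Axonius API. The inventory schema, function names, sample records, and the choice to send one message per owner listing all of their affected devices are assumptions made for illustration.

```python
from datetime import date, timedelta

REMINDER_INTERVAL = timedelta(days=5)  # cadence described in the post
ACTIONABLE = {"critical", "high"}      # severities the post targets

def dev(host, email, product, severity):
    """Build one constructed inventory record (hypothetical schema)."""
    return {"hostname": host, "owner_email": email,
            "software": [{"name": product, "vulns": [{"severity": severity}]}]}

# Constructed sample inventory; not real data and not the Axonius data model.
DEVICES = [
    dev("lt-001", "ana@example.com", "Firefox", "critical"),
    dev("lt-002", "ana@example.com", "Firefox", "high"),      # same owner, second device
    dev("lt-003", "ben@example.com", "Firefox", "medium"),    # below threshold
    dev("lt-004", "cy@example.com", "Firefox", "high"),       # reminded 2 days ago
    dev("lt-005", None, "Firefox", "critical"),               # no owner on record
    dev("lt-006", "dee@example.com", "Chrome", "critical"),   # different product
    dev("lt-007", "eve@example.com", "Firefox", "critical"),  # reminded 5 days ago
]

def has_open_vulns(device, product):
    """True if the device has a critical/high vulnerability in `product`."""
    return any(sw["name"].lower() == product.lower()
               and any(v["severity"] in ACTIONABLE for v in sw["vulns"])
               for sw in device["software"])

def plan_reminders(devices, last_sent, today, product="Firefox"):
    """Return (due, throttled, unowned): due maps owner email -> hostnames to
    list in one message; throttled owners were mailed under 5 days ago;
    unowned hostnames need manual follow-up because there is nobody to email."""
    by_owner, unowned = {}, []
    for d in devices:
        if not has_open_vulns(d, product):
            continue
        if d["owner_email"]:
            by_owner.setdefault(d["owner_email"], []).append(d["hostname"])
        else:
            unowned.append(d["hostname"])
    due, throttled = {}, []
    for email, hosts in by_owner.items():
        sent = last_sent.get(email)
        if sent is not None and today - sent < REMINDER_INTERVAL:
            throttled.append(email)
        else:
            due[email] = sorted(hosts)
    return due, sorted(throttled), unowned
```

Devices with no associated email address are returned separately because an email-based reminder can never reach them; they are the ones that silently stay unpatched unless someone reviews that list.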
The results were dramatic. Not only did the user-driven patch rate soar from approximately 40% to 75%, but the patching speed increased as well. Even better, these metric improvements have been consistently maintained for months since implementing this change!
Axonius Dashboard Chart of Firefox installations with critical or high vulnerabilities over two monthly cycles, demonstrating the impact of Axonius-driven user reminders to install patches during the second cycle (axes redacted).
While we continue to employ automated controls whenever practical (including building deployment/patching strategies with tools like MDM), this approach serves as an effective mechanism to distribute security responsibilities for approved, user-specific software for those who want to use it.
Conclusion: empowering users for a secure future
In the world of cybersecurity, it’s easy to assume that only complex and intricate solutions can lead to meaningful results. However, as our case study demonstrates, sometimes embracing simple strategies can yield surprisingly powerful and lasting impacts.
By leveraging the Axonius Cybersecurity Asset Management solution and its Enforcement Center's “Send Email to Assets” feature, we transformed users into security champions who take ownership of their role in keeping their corporate assets in a secure state. This straightforward approach of periodic email reminders has not only led to a more secure environment but also helped solidify our culture of security awareness and distributed responsibility.