The protection dashboard allows you to analyze the protective status of your installed base, in respect to actually applied security patches. It contains five widgets:
- A scatter plot showing patch performance over time
- A line plot showing patch recency
- A combined line plot showing security patches installed over time, both as raw data and monthly totals
- A table displaying device details for devices selected in the patch performance graph
- A prioritized patch list with up to 10,000 entries.
Analyzing patch recency
OT security experts are aware that most OT installations are way out of patch, but few can say by how much. The patch recency widget in the protection dashboard allows you to answer exactly this question.
For better usability, we first click the plus sign to expand the widget to full screen size.
The patch recency widget features a reverse timeline that has the present day at the right end of the x axis and the oldest day that one or more systems saw their last patch at the left end. For clarity, there are marks and color codes for the last 365 days (white background), the last two years (yellow background), and everything beyond two years (light red background).
Note that y values are shown as percentages. When pointing to the blue line, which always starts at zero on the right and ends at 100 (percent) on the left, the widget shows you the exact percentage of devices that saw their last security patch within the given timeframe. In our example above, we learn that about half of the computers in our installed base saw their last security patch within the last 365 days. You may judge by yourself if this is sufficient or not.
The big picture also tells a story. In our example, we see a notable flattening of the curve beyond the last 365 days. Ideally, the curve would continue to rise steeply within the two year timeframe. Instead, it flattens out, and informs us that one or more devices have seen their last security patch over 14 years ago.
Patch performance and risk
We can obtain more detailed information by using the patch performance widget which holds much more data:
- time of the last security patch applied
- total number of security patches installed on a given device
- device criticality.
Also, the patch performance widget tells us the identity of systems for further exploration in OTbase Asset Center.
The timeline is similar to the patch recency widget. Again you see the last 365 days and the last two years highlighted by white and yellow background color, whereas everything older than two years is highlighted with a light red background color.
The y axis shows the total number of security vulnerabilities for a device, which obviously adds essential detail: If you have applied three security patches to a device last week and those are the only patches for that device, that device may be much more at risk than another device that was last patched six months ago but has a total of several hundred security patches.
In general, devices in the upper right quadrant of the graph show a better security posture than other devices. How many security patches are "enough" for a device, or a group of devices, cannot be answered using this widget; it requires deeper analysis.
The other thing that stands out in the patch performance graph is that some devices are exposed in red color (as opposed to blue) and by a larger marker size. This indicates critical devices, taking into account the criticality rating that a user applied to this device in OTbase Asset Center. It allows you to quickly spot critical devices that may not be protected sufficiently.
In the example above, we see a group of critical devices that was patched fairly recently, whereas one device (highlighted by a label which automatically pops up when pointing to the marker) wasn't patched since July 2013 -- not exactly what one would like to see for a critical device.
Getting more device detail
In order to find out more about the device, we select it using either the box select or the lasso select tool from the toolbar. For demonstration purposes, we select a couple more devices besides the critical device.
Selected devices now show up in the table below the patch performance widget. Besides device ID, hostname, location, description and criticality details, we also see the operating system version of devices. For our critical device, it's Windows XP -- not an ideal situation for a device that performs a function critical to security.
Just for verification and further analysis we could inspect this device in OTbase Asset Center by looking at the device profile. The easiest way to do this is to enter the device ID in the quick search field and hit Enter, which brings up the device profile.
After opening the "security" card in the device profile, we see all the details on security patches, and could further investigate how to appropriately secure this device.
OT installations are notoriously criticized for not having "enough" patches. In most cases, this is simply due to the fact that patching OT systems is much more labor intense and risky as IT systems. This leaves us with the interesting question: How many patches does a given organization actually manage to deploy within a certain period of time? This question can be answered easily using the patch capacity widget.
This graph shows the number of security patches installed over time, with the blue line showing individual patch sessions on specific dates, and the yellow line showing monthly totals. Hovering the mouse over the graph will pop up the numbers for a given point in time.
If both lines are cluttered, you may want to suppress one line by clicking on the legend in the lower right corner.
The graph tells you about average patch activity and consistency. In our example, 2016 seems to have been a good your for patching, with a patching frenzy in August (over 1200 patches). Such a pattern is not uncommon, especially for an organization who has decided to patch the bulk of their computers twice per year.
Unfortunately, things seem to detoriate in 2017 and following. The lasted peak occurs in July 2019 with just over 300 security patches. Just by face value, it would appear that the patching policy in this organization was changed to lower standards in 2017, or it simply was no longer followed rigidly.
Prioritized patch list
What exactly should you patch, given the fact that you will never have enough resources to patch everything? Well, OTbase can help you find meaningful answers for this super important question.
The prioritized patch list in the lower right section of the protection dashboard is a list of up to 10,000 prioritized patches that should be deployed. The ranking is based on the CVSS base score of a CVE and the criticality of devices. Experience has shown that using CVSS base score alone to priotize vulnerabilities is impractical, as there are just too many vulnerabilities in typical OT environments. Hence, patching all "critical" vulnerabilities, for example, often is not possible within a reasonable timeframe.
As an example, our sample database lists 35,249 critical vulnerabilities. At the same time we know that the affected organization had managed to patch less than 200 vulnerabilities per month for the last twelve months. With present patch capacity, it would take the organization around fifteen years to patch all critical vulnerabilities as of today, not counting any new critical vulnerabilities that are going to be discovered over the course of these years.
In a situation where it is clear that only a tiny fraction of critical vulnerabilities can be patched, it gets important to not waste precious patch capacity for non-critical systems. OTbase makes this process easy because it allows users to assess the criticality of a device (or groups of devices) in different categories, and on a scale. The details of how this should be done is explained elsewhere.
The important point is that the prioritized patch list factors device criticality in and therefore highlights vulnerabilities that reduce more risk than others with the same, or maybe even higher, CVSS score.
You can sort and filter the prioritized patch list. In order to apply filters, enter your filter term in the line below the column headers and note that filtering is case sensitive. In the example above, we filter the patch list to only show devices that are categorized as safety critical.
In order to reset any filters, delete the characters in the filter column(s) and hit Enter again.