How Long Before Governments Ban Use of Security Appliances?

Enterprises in the private sector look to the US federal government for cybersecurity best practices. The US CISA (Cybersecurity & Infrastructure Security Agency) issues directives that require federal agencies to patch specific products, and in some cases to stop using them altogether. The US NIST (National Institute of Standards and Technology) publishes detailed guidance on a wide range of security topics, such as its Cybersecurity Framework (CSF).

CISA and NIST, like their peer agencies in other countries, have dedicated teams of experts tasked with quantifying the risk posed by obsolete security products and newly disclosed vulnerabilities, and with judging how urgently they must be addressed. Nothing comparable exists in the private sector. Unless you are a well-funded organization with an established team of security experts, following the government's guidance is both logical and effective.

What you should do vs what you can do

Being aware of government agencies' guidance on cybersecurity is extremely important. Awareness, however, is only one part of the challenge. The second part, usually the much bigger one, is actually following the guidance. Instructions, also referred to as 'orders' or 'directives,' to update operating systems and patch hardware products arrive on a weekly basis, and most enterprises, public and private alike, struggle to keep up.

Operating systems like Windows and macOS have come a long way in making software updates automatic and simple to deploy. Many enterprises have their computers centrally managed and can roll out a critical software update in a matter of hours or days.

Hardware appliances, on the other hand, are not so simple to patch. They often serve as critical infrastructure, so IT must be careful about disrupting their operation and frequently defers maintenance to a weekend or holiday. Appliances such as routers, firewalls, secure web gateways (SWG) and intrusion prevention systems (IPS) have well-earned reputations for being extremely 'sensitive' to updates. Too often they do not behave the same after a patch or fix, leading to lengthy and frustrating troubleshooting, lost productivity and a heightened risk of attack. The difficulty of rapidly patching appliances is as well known to attackers as it is to governments. Those appliances, often (mis)trusted as the enterprise perimeter, sit exposed to the internet with known, unpatched vulnerabilities, which makes them an easy and preferred way for attackers to enter an enterprise.

The CISA KEV Catalog – Focus on what’s important

Prioritization has become a necessity, as most enterprises cannot spend their resources in continuous patching cycles. The US CISA's Known Exploited Vulnerabilities (KEV) catalog lists only vulnerabilities with evidence of active exploitation and, under Binding Operational Directive 22-01, requires US federal civilian agencies to remediate each entry by a set due date. That makes it a ready-made priority list for enterprises in the private sector as well: if a vulnerability in a product you run is in the KEV, it is being exploited in the wild and belongs at the top of the queue.

The KEV catalog also exposes an insight worth paying attention to. Cloud-native security vendors such as Imperva Incapsula, Okta, Cloudflare, Cato Networks and Zscaler do not have a single record in the catalog. A KEV entry is, by definition, something the customer must act on; with a cloud-delivered service the vendor patches and fixes vulnerabilities in the running service itself, so there is no customer-side remediation to list and enterprises remain protected without action on their part.

Hardware vendors, on the other hand, show a different picture. As of September 2023, Cisco has 65 records, VMware has 22 records, Fortinet has 11 records, and Palo Alto Networks has 4 records.
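As an added example (not code from the original post), the script below shows how an enterprise would actually put the KEV catalog to work for prioritization: load the feed, match its entries against an asset inventory by vendor and a product keyword, and rank the matches by how far past CISA's due date they already are. The JSON is a constructed two-record sample laid out like the published feed (the two CVE identifiers are real, well-known entries; the inventory, host names and the 'as of' date are assumptions made for the example). In practice you would fetch the live catalog from cisa.gov and read the inventory from your CMDB.

```python
"""Prioritize patching with the CISA KEV catalog.

Added example, not from the original post. The JSON below is a constructed
two-record sample in the layout of the published KEV feed (field names match
the catalog; the two CVE IDs are real entries, the rest of the records are
trimmed). The inventory, host names and 'as of' date are assumptions.
"""
import json
from datetime import date

# Constructed sample of the KEV feed (two records only, for offline use).
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2023.09.01",
    "dateReleased": "2023-09-01T00:00:00.0000Z",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2023-27997",
            "vendorProject": "Fortinet",
            "product": "FortiOS and FortiProxy SSL-VPN",
            "vulnerabilityName": "Fortinet FortiOS and FortiProxy SSL-VPN "
                                 "Heap-Based Buffer Overflow Vulnerability",
            "dateAdded": "2023-06-13",
            "shortDescription": "Heap-based buffer overflow in SSL-VPN that may "
                                "allow unauthenticated remote code execution.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2023-07-04",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
        {
            "cveID": "CVE-2021-44228",
            "vendorProject": "Apache",
            "product": "Log4j2",
            "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
            "dateAdded": "2021-12-10",
            "shortDescription": "JNDI lookups allow remote code execution.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2021-12-24",
            "knownRansomwareCampaignUse": "Known",
            "notes": "",
        },
    ],
})

# Constructed asset inventory for a hypothetical enterprise (assumed names).
INVENTORY = [
    {"asset": "fw-edge-01", "vendor": "Fortinet", "product": "FortiOS"},
    {"asset": "vpn-dc-02", "vendor": "Cisco", "product": "ASA"},
]


def load_kev(raw_json):
    """Return the list of vulnerability records from a KEV feed document."""
    return json.loads(raw_json)["vulnerabilities"]


def matches(entry, asset):
    """Vendor must match (case-insensitive). KEV product names are free text
    ('FortiOS and FortiProxy SSL-VPN'), so the inventory product is matched
    as a keyword inside the KEV product string rather than exactly."""
    return (entry["vendorProject"].lower() == asset["vendor"].lower()
            and asset["product"].lower() in entry["product"].lower())


def kev_exposure(raw_json, inventory, today_iso):
    """List every (asset, KEV entry) pair, most overdue first.

    today_iso is the 'as of' date (YYYY-MM-DD); days_overdue is negative while
    the CISA due date is still in the future."""
    today = date.fromisoformat(today_iso)
    findings = []
    for entry in load_kev(raw_json):
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if matches(entry, asset):
                findings.append({
                    "asset": asset["asset"],
                    "cve": entry["cveID"],
                    "due": entry["dueDate"],
                    "days_overdue": (today - due).days,
                    "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
                })
    findings.sort(key=lambda f: f["days_overdue"], reverse=True)
    return findings


def vendor_counts(raw_json):
    """Records per vendorProject, the figure quoted per vendor in the text."""
    counts = {}
    for entry in load_kev(raw_json):
        counts[entry["vendorProject"]] = counts.get(entry["vendorProject"], 0) + 1
    return counts


if __name__ == "__main__":
    for finding in kev_exposure(SAMPLE_KEV_JSON, INVENTORY, "2023-09-01"):
        print(finding)
    print(vendor_counts(SAMPLE_KEV_JSON))
```

With the sample data, the Fortinet appliance comes back 59 days past its CISA due date while the Cisco ASA has no match in this two-record sample; against the full catalog, the same vendor-plus-keyword matching is what turns a 1,000-entry feed into a short, ordered work list. The keyword match is deliberately loose: KEV product strings are not normalized, so a strict string comparison would silently miss entries.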

Cyber risk analysis and the inevitable conclusion

CISA’s KEV is just the tip of the iceberg. Going into the full CVE (Common Vulnerabilities and Exposures) database shows a much more concerning picture.

FortiOS, the operating system used across all of Fortinet's NGFWs, has over 130 vulnerabilities associated with it, 31 of which were disclosed in 2022 and 14 in the first nine months of 2023. PAN-OS, the operating system in Palo Alto Networks' NGFWs, has over 150 vulnerabilities listed. Cisco ASA, by the way, is nearing 400. For comparison, Okta, Zscaler and Netskope are all in the single-digit range. Raw CVE counts are a blunt instrument (they are not normalized for product scope or install base, and a CVE is not evidence of exploitation), but the operational difference is what matters: as cloud services, these vendors can address any CVE in near-zero time, without any dependency on the end customer.

Since most enterprises lack the teams and expertise to assess the risk of so many vulnerabilities, and the resources to patch them continuously, they are forced by reality to leave themselves exposed to cyber-attacks.

The difference in risk between appliance-based and cloud-based security is clear. It is clear when you look at CISA's KEV, and even clearer when you look at the entire CVE database.

All of this leads to the inevitable conclusion that at some point, perhaps not too far ahead in the future, government agencies such as the US NIST and CISA will recommend against or even ban appliance-based security solutions.

Some practical advice

If you think the above is a stretch, just take a look at Fortinet's own analysis of a recent vulnerability, CVE-2023-27997 (a heap-based buffer overflow in the FortiOS SSL-VPN), which explicitly states that its exploitation targeted governments and critical infrastructure: https://www.fortinet.com/blog/psirt-blogs/analysis-of-cve-2023-27997-and-clarifications-on-volt-typhoon-campaign.

Security appliances have been around for decades, and yet the dream of seamless, frictionless, automatic and risk-free patching for these products never came true. It can only be achieved with a cloud-native security solution.

If your current security infrastructure is appliance-based and still under contract, start planning now how you will migrate to cloud-native security at the next refresh cycle.

If you are refreshing now, or about to, weigh the ever-increasing risk of appliances carefully before committing to another cycle.