Jamf’s Dr Michael Covington gives his top tips for integrating Apple’s new rapid patching system into your cybersecurity and device management strategy.
The cyberthreat landscape is constantly evolving, with nearly 29,000 new common vulnerabilities and exposures (CVEs) reported this year alone. The clock is continually ticking for researchers, vendors and businesses to find and patch the weaknesses before threat actors can exploit them.
Apple has long enjoyed a reputation for being ‘more secure’ than other operating systems, partially because of platform features like the hardware-reinforced Secure Enclave, but also because of development practices and operating system design choices. However, security flaws still find their way into Apple’s operating systems, causing critical concerns for millions of users and organisations that have adopted one of Apple’s devices for critical work.
Given the growing need and demand for more timely security-related bug fixing, the tech giant opted to introduce a new patching system last year. Historically, Apple’s approach to software updates bundled security fixes with feature roll-outs in a somewhat predictable pattern. However, the Rapid Security Response (RSR) process allows security fixes to be released independently, without a more feature-rich software update.
So, what does this mean for organisations, and how can they best embrace the new approach?
The evolution of Apple’s software updates
While systematic, Apple’s traditional patching system often meant that urgent security patches were tethered to the rhythm of broader updates. But the digital threat landscape waits for no one.
The new separation of critical security updates from feature enhancements and new capabilities helps to ensure that security fixes are prioritised, not just in development and testing, but in delivery to users. Additionally, Apple’s update process now highlights the critical nature of rapid security responses, allowing users and organisations to install them with some urgency upon release.
As the name suggests, speed is the focus of the new strategy, but it should also lead to a more focused and precise approach to patching.
However, whilst Apple is changing how security patches are issued, it will still be up to individual users or organisations to apply them. Many firms are still falling short on this, and we’ve found that as many as one in every five devices are running on operating systems that are not up to date.
All enterprises using Apple products should ensure they have a solid patching process and that their approach is aligned with the RSR strategy.
Prioritising patches is critical
As with all other forms of security patching, applying updates is essential for users and businesses to realise the benefits of the RSR process. How this is achieved will look different for every organisation based on their mix of users, devices and applications, uptime tolerances for different users and overall risk tolerance.
Critical updates released through the new RSR method should ideally be implemented the day they are released. This will ensure the smallest window for potential attacks using critical vulnerabilities and active exploits.
Less urgent updates, particularly those released through the larger and more predictable releases, tend to be more flexible, though businesses should still strive to apply them within 30 days.
New software roll-outs sometimes come with bugs and support issues, along with changes to the interface and user workflows, so we recommend first applying updates to a small subset of devices and monitoring for problems. This will ensure the organisation doesn’t find itself hobbled by an issue that impacts its entire suite of Apple devices, and provides time for training and adjustments to new features.
Individuals using Apple devices as backups or as part of a personal productivity set-up are good candidates for this initial update roll-out. If there are any issues, it will be far less disruptive than customer-facing systems like retail POS units experiencing an outage or operational hiccup.
Despite the potential for disruptive bugs, it’s still strongly recommended that all critical RSR updates are made immediately. Any resulting glitches will pale in comparison to the damage of a serious cyberattack exploiting an active vulnerability.
Patching can be a significant administrative challenge, particularly for organisations with large fleets. However, there are tools that can help reduce the burden of assessing the criticality of patches, as well as applying updates across the entire fleet of applications and devices.
The shift resulting from the RSR provides a valuable opportunity for organisations to reexamine and realign their update strategies to a new, more dynamic beat powered by these tools.
How to craft a robust software update policy
A well-structured patching strategy can make a huge difference to security standing. It ensures that urgent updates are prioritised and turns patching into a controlled activity with a regular cadence, not an exercise in last-minute fire-fighting.
First, it’s important to establish a baseline for device configurations and an expectation for users to comply with the organisation’s established IT standard. This foundation is critical for ensuring uniformity across the organisation’s digital assets.
An inventory of all devices – spanning from company-owned to Bring-Your-Own-Device (BYOD) – is essential. This should include a record of critical business applications and the machines that access them, prioritising updates for those at the end of their support lifecycle where the number of exposed vulnerabilities may be significant. Understanding the ecosystem of technology is pivotal in crafting a policy that is both comprehensive and specific.
With this groundwork done, the roll-out phase should be methodical. As mentioned, start with a subset of devices and allow for a ‘soak period’ to monitor for issues if possible. This cautious progression ensures that when updates are pushed to production systems, they do not disrupt business operations.
After the roll-out, the policy must enforce conditional or adaptive access policies, ensuring that only devices with the latest critical patches can access sensitive applications and resources. This step, coupled with vigilant security log monitoring turns the software update policy into a dynamic shield against cyberthreats. Just one device with an unpatched critical vulnerability can lead to a serious security breach, so there cannot be any chinks in the armour.
Integrating device management for more effective patching
The final piece in the puzzle of a robust software update policy is the integration of management and security. Using a mobile device management (MDM) system to oversee the update process provides visibility into the adoption stages and facilitates communication with users about available updates.
This also makes it easier for security teams to engage in informed threat-hunting by combining management data with insights from threat prevention tools. This proactive stance enables firms to make the best of the immediacy of RSR updates.
Organisations should view Apple’s Rapid Security Response as a simple update and a strategic shift in cybersecurity management. Embracing a proactive, agile approach to software updates and integrating robust management will put businesses in control and greatly mitigate the threat of vulnerabilities.
Michael J Covington, PhD, is a seasoned technologist and the VP of Strategy for Jamf, a leader in Apple enterprise management. He previously held leadership roles at Intel Labs, Cisco Security and Juniper Networks.
Find out how emerging tech trends are transforming tomorrow with our new podcast, Future Human: The Series. Listen now on Spotify, on Apple or wherever you get your podcasts.