Emergency Patching with Spotlight and RTR

Introduction

This document and video will demonstrate how Falcon Spotlight provides a one-click solution to prioritized patching. 

Video

 

One-Click Patching

Patch deployment is often scheduled as part of a regular maintenance window. However, there may be occasions where patching can’t wait, such as a newly disclosed vulnerability with known exploits that, if left unpatched, would expose the organization to significant risk. 

With the Falcon platform, security practitioners now have the ability to identify critical vulnerabilities, and also address those vulnerabilities with one-off patch deployment. Spotlight users can now take advantage of a 1-click action to deploy Windows Update patches to specific hosts. 

One-click Patching

 

In the Falcon Console, on the Spotlight dashboard we can get a quick overview of vulnerabilities currently in our organization. Not only can we easily filter on the dashboard it also provides for easy visualization of vulnerabilities. There is also a section that provides top recommendation, the KB associated and the number of vulnerabilities this patch would cover. 

Spotlight dashboard - emergency patching

 

 

After selecting a specific host or recommended patch will provide additional details and access to the “Install Patch” button. Clicking the  ‘Install Patch’, the host’s local Windows Update service will attempt to download and install the patch. A success message indicates that the process has started, not that it has completed; depending on the size of the patch, this could take some time.

Install patch confirmation window

When the patching process is complete, there are two ways to confirm that the patch was successfully installed. The “Installed Patches” Falcon console link will take you to a page within Spotlight, where you can check to see if the patch was successfully installed on that host. Because it may take some time for the sensor to report a newly installed patch, clicking the “Connect to Host” button will allow us to use RTR to check the patch status quickly.

confirm patch install

 

In conjunction with the emergency patching feature, Real Time Response has also added the “Update” command which provides patching functionality via the RTR console. By typing “help update” we see the options available. To find out if my recent patch installation attempt was successful, I can use ‘update query’ to see if a patch was recently installed. 

Update help command

The output includes additional details such as the patch title and description. The ‘update history’ command can be used to view recent updates and their status. We could also use the ‘update query’ command in conjunction with a KB number to get more details about that specific KB. If we see that there are no longer updates available for that host, that would indicate that the patch installation was successful.  

 

Conclusion

When there’s a trending vulnerability that cannot be addressed quickly enough through the normal patch process, Spotlight’s “patch now” feature enables users to easily and surgically remediate vulnerabilities, reduce their attack surface, and proactively decrease chances of being breached due to unpatched vulnerabilities.

More resources

CrowdStrike Falcon Free Trial
 

Try CrowdStrike Free for 15 Days Get Started with A Free Trial