Securing confidential research data through TuxCare live patching

The University of Zagreb’s Croatian Academic and Research Network (CARNet) faced a significant threat: like other educational institutions, its networks were under constant attack from cybercriminals. But the one obvious route to secure operations – regular patching – was difficult to perform consistently.

In this case study we examine how Mirsad Todorovac, CARNet system engineer at the University of Zagreb, discovered KernelCare Enterprise and how the product – a TuxCare service – helped the university to battle mounting cyber threats.

Universities as targets

Universities are major targets for malevolent actors who range from common criminals to determined state agencies. There are a mix of reasons for this. Yes, just like any other organization, universities hold valuable personal data that can be abused for criminal enterprise.

However, as research institutions, universities commonly handle non-public research information, and access to this information can be highly consequential. Depending on the institution, it could be anything from closely kept industry secrets around new products, to classified military research. Cybercriminals want access to this data for its economic value – and sometimes just for pure espionage.

So cybersecurity really matters for universities and these important institutions face just the same problems in implementing cybersecurity measures as commercial organizations. There are a few unique challenges too: for example, university IT systems are often very distributed and less centralized than a typical corporate IT system which makes coordinating cybersecurity policies much more difficult.

And that brings us to Mirsad and his team at CARNet, who knew that the University of Zagreb faced significant legal, reputational, economic, and operational risks from cybercrime. A successful attack could lead to loss of future student fees, and would deter future research partners and funding.

Patching: easier said than done

You can secure technology assets through many routes – firewalls, advanced threat protection, and so forth. And yes, a combination of routes is essential to achieve threat protection. Nonetheless, one of the most effective ways to give security a significant boost is through patching.

But in practice, applying patches to live workloads just isn’t easy. Patching proved a challenge for the team at CARNet too, because the team found patching to be disruptive and time-consuming. Few organizations get patching right consistently.

One of the biggest challenges is resources. As the systems engineer at CARNet, Mirsad was responsible for the administration of multiple servers in two organizations, and that number seemed to grow rapidly.

Mirsad says that: “The kernel patches needed to fix vulnerabilities were a burden to the system administration staff, in part because it brought unwanted downtime.” Pointing to a common problem, the team leader said that reboots to install a patched version of the kernel were at times postponed for an unacceptably long time.

The delays to patching “increased the window of opportunity for the bad guys to deploy their schemes”, according to Mirsad.

Looking for a patching solution

Patching vulnerabilities as soon as possible is best practice and it’s arguably one of the best things you can do to protect infrastructure from security breaches.

But as Mirsad explains, vulnerability patching is frequently delayed because of a lack of resources and difficulty finding agreement on how to do it – alongside trying to find the time to take critical assets offline. That was exactly what the team at the University of Zagreb was experiencing.

To protect the infrastructure of the University of Zagreb’s Mirsad started looking for a Linux kernel patching automation tool. This journey first took him to Ubuntu’s kernel livepatch service. A precursor to KernelCare Enterprise, it’s a service that could patch Ubuntu servers on the fly – without the need to restart the server.

However, Ubuntu’s livepatch didn’t support servers outside of the Ubuntu ecosystem which meant it wasn’t a universal solution given that Mirsad’s team relied on Debian machines as part of their OS mix. While livepatch helped support their Ubuntu workloads, the University’s Debian servers have been left without a solution. The search continued until the team’s research efforts paid off and they came across the KernelCare Enterprise service.

Seamless, successful implementation

Getting started with KernelCare Enterprise was simple. In fact, the subscription fees for the product were so affordable and the potential of what it could deliver so high that the team signed up for a test account right away – they didn’t even wait for funds approval, paying for the initial license fee out of a personal PayPal account.

KernelCare Enterprise quickly demonstrated its power. Servers that run KernelCare Enterprise are continuously updated with the latest Linux kernel patches, and there was no need to restart after every update. The CARNet team didn’t need long to see that rolling out the product across its technology estate was going to be a game-changer.

Integrating KernelCare Enterprise was simple too. All it took was running a script – a process that can be automated across large server fleets. Essentially, after a brief trial period and with the flick of a switch, the team activated it across its entire server environment.

Interestingly, one point quickly emerged. The team was surprised to find out that their “fully patched” Debian Jessie servers had 91 vulnerabilities. Thankfully, this was rapidly and effortlessly patched with KernelCare Enterprise.

Patching success with KernelCare Enterprise

Thanks to KernelCare Enterprise, achieving patching success was a really simple process for the CARNet team – there were no glitches, from testing through to rollout. It was quickly clear that the benefit of deploying KernelCare Enterprise vs. not using live kernel patching significantly outweighed the relatively minimal costs of subscribing to KernelCare Enterprise.

Writing long apologetic emails that non-technical users wouldn’t understand anyway became a thing of the past, and there was no longer a need to set up complicated upgrade processes – and no disruption for users.

CarNET’s team praised the support received from TuxCare – with TuxCare responding to support requests within tens of minutes and solving problems within hours. According to Mirsad, “The TuxCare support team has been very open to suggestions to improve an already excellent service, and I feel almost like a part of the developer team.”

Now, after two years working with TuxCare and the KernelCare Enterprise solution, Mirsad says that: “as for today, I see no alternative to the product at that level of price and reliability, and we are going to stick with the KernelCare Enterprise solution.”