Proof of value (POV) is a key step in the buying process. It allows tech teams to test a product or service to find out whether it is fit for purpose, and a good match for the team’s needs. That’s why KernelCare offers a free seven-day period where you can test KernelCare for yourself.
It’s nonetheless a limited time period, and you need to make the best of it. In this article we outline some of the points you should think about when you try out KernelCare Enterprise in your organization.
Why does KernelCare matter so much to tech teams?
You already know what KernelCare Enterprise does – live patching of Linux-based machines – but why is there such a big need for this technology? Let’s recap.
Patching is critical. Every unpatched service presents a window of opportunity, and with today’s broad, automated attacks all it takes is a single unpatched service and the enemy walks right through the door.
Despite the risk that patching poses there’s still a persistent problem with patching inconsistency. A recent Ponemon report suggests that a staggering 56% of respondents admitted to delays of over five weeks when it comes to patching critical vulnerabilities. A month-long gap between the release of a patch for a vulnerability, and when that patch is applied, is a major window of opportunity for attackers.
So where does the problem lie?
Patching running workloads is tough
It’s a combination of practical limitations, and resource restrictions. Patching generally means that you need to take a machine offline. Traditionally, patching operations are performed using tools like apt, dnf, or yum (even when you’re using another patch or lifecycle management tool as a frontend). These are great tools for updating on-disk versions of vulnerable software.
However, when that software is already running, as the Linux kernel always is, changes on disk do not translate to changes to the current in-memory running code. Sysadmins deal with this situation by performing reboots after patching but reboots are disruptive, and just aren’t compatible with everyday business activities. It directly impacts IT systems’ availability, stability, and overall performance even when used in highly available scenarios.
This practical restriction gets in the way of patching, but so do restrictions on resources. Anyone can run an airtight computing operation if they had unlimited resources – but organizations just don’t have that luxury.
That’s why one of the key points of KernelCare Enterprise POV is to show you how easy it is to switch away from impractical, time-consuming patching to a patching routine that’s airtight – and to do so without consuming additional tech team resources.
Indeed, live patching with KernelCare Enterprise provides what is effectively the shortest risk window possible, giving you the ability to patch immediately as soon as the patch is available which in turn reduces attack vector exposure to the absolute minimum.
With KernelCare Enterprise switching vulnerable code with safe code in just microseconds, you won’t see an impact on your system performance either.
Taking a look at the advantages of KernelCare Enterprise
KernelCare Enterprise is, of course, not the first attempt at live kernel patching. But whereas performing a KernelCare Enterprise POV quickly proves that value, it’s not quite the case with other solutions, for a range of reasons. The number one issue with alternatives is reach: most of your alternative choices are limited to a single Linux OS.
For example, Livepatch is an Ubuntu service that supports, you guessed, only Ubuntu-based workloads. In turn, SUSE has kgraft, RedHat has Kpatch, and so forth. In the common use case where you run a variety of Linux OS versions to support your solutions it creates an issue in that you need to manage many different live patching services. This creates technical issues with supporting different applications, as well as administrative overhead from multiple support contracts for the same purpose.
When running your KernelCare Enterprise POV project it’s also worth testing for stability in comparison to other solutions. In contrast to some solutions that are essentially not production-ready, KernelCare Enterprise is a stable and proven platform that has consistently delivered quality patches for years.
A good starting point for the POV is, in a lab environment, deploying an older version of your favorite Linux distribution. It’s important to note that, if you deploy an up-to-date version of that distribution, you won’t be able to see how KernelCare Enterprise deploys patches, as there won’t be any to deploy. You could, if you opt for a recent distribution, downgrade glibc and openssl packages. Those are critical system components also covered by KernelCare Enterprise, which are prime targets for malicious actors and have a hefty number of available vulnerabilities and patches.
Improved flexibility and control over live patching
The live patching tools we mentioned also have limited flexibility, which is another key advantage of KernelCare Enterprise. Take a simple example, KernelCare Enteprise’s live patching operations are reversible. If at any point you need to remove an applied patch you can do just that, and revert to the previous patch. This process is also fully auditable.
This flexibility inherent to KernelCare Enterprise is possible due to the way the patches are created. When a patch is created, it will include all the patching so far applied for that version of the kernel. That avoids the situation where you have patches on top of patches that make it near impossible to revert to a previous state. For that reason, other live patching solutions can only fix the most simple bugs, while KernelCare Enterprise can, and has, patched even MDS vulnerabilities like Zombieload.
Finally, the fact that patching is fully automated and done without the need for restarts means that teams responsible for patching have much tighter control over the rate at which patches are applied. In running a KernelCare Enterprise POV, this is likely one of the first things you’ll notice about KernelCare: it saves your team stacks of time.
This is a very important point to consider. When a critical vulnerability is announced and it affects one (or more) of your systems, there is a clock that starts ticking down, counting the time it takes for exploits to appear and malicious actors to start probing for the vulnerability.
Eventually, your systems will be targeted. If at that point you still have not patched, your system can be hacked. This creates an issue – how to take down a system for applying the patch when it is business critical? KernelCare Enterprise turns this into a simple situation where once a patch is available, the patch is immediately applied with zero disruption. You control when you want to apply the patch – or do it automatically – rather than being forced into a situation where you are going to disrupt business activities and still don’t respond within a reasonable time window.
Fully managed solution
KernelCare is compatible with many of the existing management tools you may already be using in your infrastructure. For example, in your POV project, you can test how where a traditional vulnerability scanner flags a system for running an out-of-date kernel, KernelCare Enterprise can provide a mechanism to check the running version – rather than the on-disk file version. Tools like Nessus, Qualys and others are supported, and the instructions can translate easily to other tools.
This is especially important in compliance situations where you want to have reports that systems are indeed patched. When a monitoring tool is not aware, or not integrated, with a live patching tool, you can have situations where systems are wrongly flagged as still vulnerable, forcing you to go through the reports and manually fix the reports – something that compliance auditors will quickly notice and question.
Where you want to be hands off you can be, because KernelCare is also easily deployable through automation mechanisms. You can install the agent using a single command, adding KernelCare to system templates when preparing deployments is simple. This simplicity carries through to large-scale deployments in existing, running environments. You can of course test large-scale deploying during POV by deploying in a lab environment.
When you have a large fleet of non-publicly accessible servers, or just want finer grained control over which systems receive which patches, KernelCare Enterprise also provides a centralized control panel called ePortal, that acts as a gateway between your private systems and the patch source. Your systems never have to be exposed to the outside world while still receiving the latest patches, providing you with an at-a-glance view of the state of all systems protected by KernelCare Enterprise.
Fully automated, flexible, and broadly compatible
KernelCare supports over 4000 combinations of distributions and kernel versions as an added benefit. This is far ahead of other alternatives and even more so when compared to single distribution vendors that have some form of live patching.
Having multiple distributions in an enterprise environment is a typical occurrence so KernelCare really makes life much easier for enterprise patching teams who now have a single tool that can flexibly keep Linux kernels continuously up to date.
We’re confident that the 7-days proof of value period will give you a good opportunity to step through the various benefits of KernelCare, and to see how it works for your organization. You can sign up here. If you would like assistance setting up your test scenario, let us know, we would be happy to assist.