Once past the EOS date, Microsoft will no longer provide additional security updates and patches for new threats and vulnerabilities. Hackers are very aware of this and often see old systems as easy targets for attack. Many servers worldwide have been exploited with ransomware attacks such as WannaCry, Petya & REvil because they were using out-of-date Windows systems.
What are the options?
- Migrate to Azure, but that’s not always possible for legacy applications
- Request Extended Support, but that’s incredibly expensive
- Hope not to get hit... but since the previous server version (2008) went EOS in 2020, Trend Micro have seen 197 new vulnerabilities already
- Deploy Deep Security with Virtual Patching from Trend Micro
If upgrading is not an option, the move to Extended Support can seem the easiest option. But it comes at a cost – as our simple calculator can demonstrate, using standard Microsoft pricing.
The Extended Security Update (ESU) program from Microsoft is the final option for organisations running legacy products where support has expired. Only security updates rated critical or important are provided, and Microsoft recommend upgrading or migrating. You can learn more about ESUs here.
But even with that, challenges remain:
- Business continuity: patching can be slow and disruptive, especially for legacy applications
- Number of vulnerabilities to patch: the older the system, the more this has an impact
- Frequency of patch cycles: again, this can have an operational impact
- Legacy and unpatchable systems: legacy apps may not even be fully protected, and are not covered by Extended Support (which only covers the Microsoft operating system, not what runs on it)
- Business continuity. The patching process can be so slow, disruptive, and costly that some opt to postpone or stop it to avoid operational downtime.
- Number of vulnerabilities to patch. This is increased as infrastructure is upgraded, and based on our data, discovered and reported vulnerabilities increased by 10% in 2021.
- Limited visibility. Cloud infrastructures involve more complex update processes, especially across multi-cloud environments.
- Frequency of patch cycles. This can make patching difficult to manage efficiently, especially when it’s hard to determine which vulnerabilities are the most relevant or critical.
- Legacy and unpatchable systems. Patches may no longer be issued to systems and applications that have already reached their end of life or support, even if they’re still used to run mission-critical operations.
Virtual patching, or vulnerability shielding, acts as a safety measure against threats that exploit known and unknown vulnerabilities. It works by implementing layers of security policies and rules that intercept an exploit and prevent it from taking network paths to and from a vulnerability.
- Buys additional time, giving security teams the time to assess any potential vulnerability
- Avoids unnecessary downtime through investigations or patching schedules
- Improves regulatory compliance when running out-of-support systems such as Windows Server 2008 and 2012
- Provides an additional layer of security for both the OS and applications
- Provides flexibility, and the ability to retain legacy applications