patch management - 2013

AUG 2013 Vicky Ames IS Security Patch Management Program Training


Post on 12-Jan-2017


Page 1: Patch Management - 2013

AUG 2013

Vicky Ames, IS Security

Patch Management Program Training


Agenda

What is Patch Management?

Why is it important?

Which patches are we applying?

How do we manage patches?

When do we patch?

Who is responsible?

Future Plans


What is Patch Management?

Part of our overall Vulnerability Management strategy

Patches are released by vendors to address issues identified with their code
- Often security related
- Sometimes performance or functionality related

Patch Management is the formal program we use to address the need to apply these patches to our systems
- Identify available patches
- Select patches to be applied
- Ensure they are applied according to our policy
- Tested to ensure no negative impact
- Validate they have been applied


Why is Patch Management important?

Patches generally address security issues that, if left unpatched, could lead to
- Denial of Service
- Viruses, Worms, other Malware
- Data exfiltration
- Other malicious activities

Malicious code is generally available to take advantage of significant vulnerabilities within two days from patch release

Defense in depth


Which patches are we applying?

Microsoft
- OS patches
- Middleware patches

Open Source (AIX, Solaris, Red Hat)
- OS patches

Web Servers
- Apache, Tomcat and IIS

Databases
- Those that can be patched will be when patches are released and through service packs

Thus far we have had 0 issues caused by a patch pushed by this program
- Rebooting systems has uncovered issues related to the system or the application
- Other underlying conditions are revealed after patches are applied
- Good to have happen during patching
  - During scheduled maintenance window
  - Teams are already engaged and can diagnose quickly


How do we manage patches?

All systems (servers and workstations) are subject to monthly patching
- Lab systems excluded for now

Leverage existing maintenance windows

Vulnerability Management Team meets monthly to decide which patches to apply

All servers are assigned to 1 of 4 patch groups
- Group 1 intended to be DEV
- Group 2 intended to be QAS/INFRA
- Group 3 intended to be PROD
- Group 4 intended to be for manual patching

Ensure we patch systems in Group 1 or 2 before we get to Group 3 so we can test patches before they hit production

Adhere to Change Management process


When do we patch?

2nd Tuesday of every month is “Patch Tuesday”

Team meets the next day to determine which patches to push

Group 1 patched the following Sunday 00:01 – 11:59

Group 2 patched the following Sunday 00:01 – 11:59

Group 3 patched the following Sunday 00:01 – 11:59

Group 4 patched the following Sunday 00:01 – 11:59

Schedule posted on ITCM Sharepoint site

Quarterly extended maintenance window


When do we patch?

Exceptions Process
- Request should be submitted 5 business days in advance of the patch window
- Open a service desk ticket
- Required information
  - System name(s)
  - Application(s) impacted
  - Justification for exception request
  - Exclusion date requested
  - Date patches will be applied
- Granted by Vulnerability Management Program Manager
  - Backup is Director Information Security
- Only granted for 1 patch cycle
  - If needed for longer we will discuss alternative solutions


Who is responsible?

Wintel and Open Source Teams
- SME
- Apply patches

Contract Team
- Middleware Testing

Security Team
- Program oversight and validation

System Owners
- Some patching
- Some testing


Future Plans

Citrix systems late 2013

Expect to incorporate more 3rd party Middleware in 2014


Appendix

Appendix A – Patch Schedule

Appendix B - Links


Appendix A – Patch Schedule


| Month | Security Meeting | Group 1 (Dev/Test) | Group 2 (Infrastructure/QAS) | Group 3 (Production/Network) |
|---|---|---|---|---|
| 1/1/2013 | Wednesday, January 09, 2013 | Sunday, January 13, 2013 | Sunday, January 20, 2013 | Saturday, January 26, 2013 |
| 2/1/2013 | Wednesday, February 13, 2013 | Sunday, February 17, 2013 | Sunday, February 24, 2013 | Sunday, March 03, 2013 |
| 3/1/2013 | Wednesday, March 13, 2013 | Sunday, March 17, 2013 | Sunday, March 24, 2013 | Sunday, March 31, 2013 |
| 4/1/2013 | Wednesday, April 10, 2013 | Sunday, April 14, 2013 | Sunday, April 21, 2013 | Saturday, April 27, 2013 |
| 5/1/2013 | Wednesday, May 15, 2013 | Sunday, May 19, 2013 | Sunday, May 26, 2013 | Sunday, June 02, 2013 |
| 6/1/2013 | Wednesday, June 12, 2013 | Sunday, June 16, 2013 | Sunday, June 23, 2013 | Sunday, June 30, 2013 |
| 7/1/2013 | Wednesday, July 10, 2013 | Sunday, July 14, 2013 | Sunday, July 21, 2013 | Saturday, July 27, 2013 |
| 8/1/2013 | Wednesday, August 14, 2013 | Sunday, August 18, 2013 | Sunday, August 25, 2013 | Sunday, September 01, 2013 |
| 9/1/2013 | Wednesday, September 11, 2013 | Sunday, September 15, 2013 | Sunday, September 22, 2013 | Sunday, September 29, 2013 |
| 10/1/2013 | Wednesday, October 09, 2013 | Sunday, October 13, 2013 | Sunday, October 20, 2013 | Saturday, October 26, 2013 |
| 11/1/2013 | Wednesday, November 13, 2013 | Sunday, November 17, 2013 | Sunday, November 24, 2013 | Sunday, December 01, 2013 |
| 12/1/2013 | Wednesday, December 11, 2013 | Sunday, December 15, 2013 | Sunday, December 22, 2013 | Sunday, December 29, 2013 |

Green indicates extended maintenance window


Appendix B - Links

Security Policies - Patch Management Policy is IT-AP-SEC-008-01
- http://sharepointportal/Departments/InformationTechnology/ITDL/Administrative%20Policies/Forms/AllItems.aspx

ITCM Site - patch schedule is on the right under Links
- http://sharepointportal/Departments/InformationTechnology/RFC/Default.aspx

Microsoft Security Bulletins
- http://technet.microsoft.com/en-us/security/bulletin

Information Security Sharepoint site
- http://sharepointportal/Departments/InformationTechnology/InfoSecurity/default.aspx
