patch management

7/21/2019 Patch Management http://slidepdf.com/reader/full/patch-management-56d87b57a3289 1/38 Vulnerability and Patch Management Dr. Thomas Moore, Ph.D. EMBA, BCSA, BCSP, CISSP, CISM, LCNAD

Upload: ying-hsuan-lin

Post on 04-Mar-2016


DESCRIPTION

Patch Management Knowledge

TRANSCRIPT

Page 1: Patch Management


Vulnerability and Patch Management

Dr. Thomas Moore, Ph.D.

EMBA, BCSA, BCSP, CISSP, CISM, LCNAD

Page 2: Patch Management


Vulnerability Management:

What, why, how 

Page 3: Patch Management

What is Vulnerability Management?

The ability to assess and secure multi-platform environments.

– Protection from internal vulnerabilities such as:

• Machines that do not have the latest hot fixes or service packs loaded
• People who have inappropriate rights to files and directories
• Users who have no passwords or easily guessed passwords
• Accounts that have not been disabled once an employee is no longer with the company
• Employees who are going against corporate policies and who are sending emails with inappropriate content

– Protection from external vulnerabilities such as:

• Unknown/unsecured IP devices
• Open ports
• Easily guessed passwords

Page 4: Patch Management

What is Vulnerability Management?

Combination of management and security tools into one product.

Examples of Management tools:

– Automated documentation for disaster recovery
– Disk space analysis
– Content scanning (MS Exchange)
– Mailbox moves (MS Exchange)
– Change impact analysis (MS SQL)

The ability to audit and document your improved security.

– Requisite in banking/healthcare/government or any highly regulated industry
– Staff augmentation (cost savings)

Page 5: Patch Management

Why Vulnerability Management

According to Gartner:

Security continues to be one of the top three issues for CIOs.

Windows, IIS and SQL Server are the three key areas prone to attack.

2004 was the first time that the security budget for the average enterprise constituted more than 5% of the overall IT budget – showing up on the CIO’s pie chart

Page 6: Patch Management

Why Vulnerability Management

Also according to Gartner, some ways to quantify what you do are:

• What percentage of known attacks is the organization vulnerable to?
• When was that percentage calculated?
• What percentage of company software, people and supplies have been reviewed for security issues?
• What percentage of downtime is the result of security problems?
• What percentage of nodes in the network are managed by IT?

Page 7: Patch Management

CIO Magazine/PWC survey, 15OCT04:

The top three security-related organizational priorities for 2004 were:

• Raise end user awareness of policy & procedures – 55%
• Train staff – 41%
• Develop security policies and standards – 35%

This same survey stated that 80% of North American companies used liability as a justification for security investments.

Also in the study, security investments are justified due to:

• Liability/exposure – 69%
• Regulatory requirements – 53%
• Revenue impact – 40%

Page 8: Patch Management

Vulnerability Management: More Insight

According to a Summer 2003 InfoPro Study, the top operational problems or pain points that are driving spending are:

• Audit/compliance related – 41%
• Technology related – 40%
• Standards related – 16%

“The numbers are staggering: 82,094 new vulnerabilities discovered in software and hardware last year. That’s up 64 percent from 2001. And in the first quarter of this year alone, the number was 76,404. The volume of flaws found has been rising at an alarming rate for as long as people have kept statistics.” --eWeek, Aug. 11, 2003

Page 9: Patch Management

VM Trends

“Which of the following would you say is your company’s highest priority technology initiative for IT in the next year?”

• Hardware upgrades not asked in 2002.
• Manage infrastructure still #1!
• OS upgrades and security (equal)

Windows and .NET Magazine (May) 2002 vs. 2003 Study Results

Page 10: Patch Management

Why implement a VM solution?

• Multiple threats across a complex IT infrastructure
• Multiple IT Managers are accountable for specific pieces of the infrastructure, but not all
• Native tools do not provide enterprise-level, consolidated assessment and audit
• A breach in any one area can affect the entire infrastructure
• Organizations must comply with some mandated standards and practices across the enterprise
• Time and efficiencies gained

Page 11: Patch Management

Quick Quiz:

1. How many machines does it take to make a network completely vulnerable?

2. Name three ways a network may be vulnerable?

Page 12: Patch Management

Risk Management Lifecycle

[Diagram labels: Remediate; Audit/Analyze; Assign; Notify; Publish; Certify/Verify; Define Rules; Policy Compliance; Vulnerability Management; Directory Administration & Migration; Repeat]

Page 13: Patch Management

Benefits of Lifecycle

• Increase audit coverage and frequency
• Look at ALL your servers and workstations, ALL the time
• Provide policies to measure against
• Achieve constant state of audit

More Coverage + Complete Policies = Less Risk

Page 14: Patch Management

Automating the Lifecycle

• What percentage of your machines do you audit regularly today?
• For best security, how many should you audit?
• How often do you complete your audit cycle?
• Only an automated solution can:
– Audit 100% of machines
– Increase your audit frequency
– Decrease the time to remediate
– Reduce risks AND reduce costs at the same time

Page 15: Patch Management

Sustainability

• Is this more work than you are doing today?
– YES!! And it will continue to grow…
– Start Now!
• With all the other things that are going on, how can I not only create – but maintain a secure environment.
– Create Policies
– Automate Assessment with software tools (VM)
– Remediate (VM)
– Evaluate (VM)
– Start Over! (VM – using scheduling)

Page 16: Patch Management

Any pitfalls?

Technical:

• Depth of reporting (granularity, ad-hoc VS predefined)
• Closed loop problem identification and Remediation
• Scalability
– Agents and their associated maintenance
– parallel processing
• Lack of centralized management (combination of security, auditing and management tools bundled into product)

Page 17: Patch Management

Other benefits

Business reasons:

• 30-70% reduction in business losses due to downtime
• 20-70% reduction in lost opportunity costs
• 20-50% reduction in mediation, recovery time and associated costs
• 10-30% reduction in lost productivity of non-IT personnel
• 1-2% legal exposure and costs
• 10-30% deployment and maintenance

Page 18: Patch Management

Testimonials

“(VM) solutions reduced our business loss and downtime when NIMDA hit.” “…put out the 1.1 million hits that we took. That was huge.” – Large mid-west financial organization

“…vulnerability management solution, we realized more than $1,000,000 in ROI.” – Florida Hospital

Page 19: Patch Management

New trends

Non-credentialed scans

• Benefits
– Cross-platform
– Doesn’t require administrative rights to scan device
– Keep up with the latest vulnerabilities
– O/S Fingerprinting with version identification
– Identify every IP device on the network

Total Devices – Managed – Unmanaged

Rogue Machines

Page 20: Patch Management


Patch Management

Page 21: Patch Management

What is a patch?

• A patch, or Hot Fix, is an updated file or set of files (exe, dll, sys, etc) that fixes a software flaw
• Two types of patches:
– Security patches: Patches that address known security vulnerabilities
– Non-security patches: Patches that improve performance or fix functional problems
• Service Packs
– Contains all previously released security and non-security patches (rollups)
– Contains new patches also

Page 22: Patch Management

Race Against Time

Companies have less time to patch software flaws before Internet worms hit their computer systems.

| Name of Worm | Vulnerability Alert | Number of Days | Worm Released |
|---|---|---|---|
| Melissa | Dec. 1, 99 | 65 | March 27, 99 |
| Sadmind | Dec. 29, 99 | 496 | May 8, 01 |
| Sonic | July 18, 00 | 104 | Oct. 30 00 |
| Bugbear | March 29, 01 | 550 | Sept. 30, 02 |
| Code Red | June 18, 01 | 31 | July 19 01 |
| Nimda | Aug. 15 01 | 34 | Sept. 18 01 |
| Spida | April 17, 02 | 34 | May 21, 02 |
| SQL Slammer | July 24, 02 | 185 | Jan. 25 03 |
| Slapper | July 30, 02 | 46 | Sept. 14, 02 |
| Blaster/Welchia/Nachi | July 16, 03 | 26 | Aug. 11, 03 |
| Witty | March 18, 04 | 2 | March 20, 04 |
| Sasser | April 13, 04 | 17 | April 30, 04 |

Page 23: Patch Management

What is patch management?

The process, through which companies…

• determine which patches are missing from their environment
• deploy those patches to end user machines
• verify patches were successfully deployed

Automation is a key element of the patch management process. – Computerworld July 200

“The number of patches released makes it almost imperative to employ automated solutions” – Gartner

Page 24: Patch Management

Two Key Components

• An analysis to determine whether or not a target machine is patched
• The distribution of a patch to a target machine

Assessment

Packaging & Deployment

Page 25: Patch Management

Deployment Options

[Diagram labels: Patch Assessment; Option #1: Packaging; Option #2:; Deploy to end-user; Deploy to end-user w/ software deployment]

Page 26: Patch Management

Patches for OS Platforms

Companies have to manually create and keep up to date a spreadsheet illustrating which patch goes for which operating system!

Page 27: Patch Management

Check in with the experts

• The manual process of patching thousands of workstations and servers in an environment is “nearly impossible”. (Computerworld, July -, /001)
• “Gartner estimates that IT managers now spend up to two hours every day managing patches.” (Computerworld, July -, /001)

Page 28: Patch Management

Patch Assessment - Considerations

• Audit the patch process
– Why is patch needed?
• Reboot required?
• Unsigned driver?
• Conduct an in-depth assessment
– CVE number
– Affected product
– Reason patch is missing
– Bulletin ID & name

Page 29: Patch Management

Patch Assessment, how

A comprehensive meta document, called MSSECURE.XML, provides the intelligence used to analyze whether or not a patch is installed. It contains security bulletin name and title, detailed product specific security hotfixes, including:

– Files in each hotfix package with their file versions and checksums
– Registry keys that were applied by the hotfix installation package
– Information about which patches supersede other patches
– Related Microsoft Knowledge Base article numbers
– Third party analysis of threats posed by a patch’s vulnerability
– Links to additional information from BugTraq, cross references to CVEs, and more
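The assessment this slide describes, as an added example that is not part of the original deck: a catalog of file versions, checksums, registry keys and supersedence is compared against a host inventory, and each patch is reported as installed, superseded, or missing with the reason. The catalog layout, patch IDs, file names and registry paths are constructed for illustration and are not the real MSSECURE.XML schema.

```python
import hashlib
import xml.etree.ElementTree as ET

def digest(data):
    return hashlib.sha256(data).hexdigest()

# Constructed catalog: element names, attributes and patch IDs are hypothetical,
# not the real MSSECURE.XML schema.
CATALOG = f"""<catalog>
  <patch id="EX-001"><file path="app.dll" version="5.0.1.0" sha256="{digest(b'app-build-1')}"/>
    <regkey path="HKLM/Software/Example/Hotfix/EX-001"/></patch>
  <patch id="EX-002" supersedes="EX-001">
    <file path="app.dll" version="5.0.2.0" sha256="{digest(b'app-build-2')}"/>
    <regkey path="HKLM/Software/Example/Hotfix/EX-002"/></patch>
  <patch id="EX-003"><file path="net.sys" version="1.2.0.0" sha256="{digest(b'net-build-2')}"/>
    <regkey path="HKLM/Software/Example/Hotfix/EX-003"/></patch>
</catalog>"""

def ver(text):
    return tuple(int(part) for part in text.split("."))

def reasons_missing(patch, files, regkeys):
    """Return why a patch counts as missing; an empty list means installed."""
    reasons = []
    for f in patch.findall("file"):
        path, want = f.get("path"), f.get("version")
        have = files.get(path)
        if have is None:
            reasons.append(f"{path} not present")
        elif ver(have[0]) < ver(want):
            reasons.append(f"{path} {have[0]} < {want}")
        # A newer version is accepted: it may come from a superseding patch.
        elif ver(have[0]) == ver(want) and digest(have[1]) != f.get("sha256"):
            reasons.append(f"{path} checksum mismatch")
    for key in patch.findall("regkey"):
        if key.get("path") not in regkeys:
            reasons.append(f"registry key {key.get('path')} absent")
    return reasons

def assess(catalog_xml, files, regkeys):
    """Map patch id -> 'installed', 'superseded by <id>' or 'missing: <reasons>'."""
    patches = ET.fromstring(catalog_xml).findall("patch")
    why = {p.get("id"): reasons_missing(p, files, regkeys) for p in patches}
    report = {i: "missing: " + "; ".join(r) if r else "installed" for i, r in why.items()}
    for p in patches:  # an installed newer patch covers the ones it supersedes
        for old in p.get("supersedes", "").split():
            if not why[p.get("id")] and why.get(old):
                report[old] = f"superseded by {p.get('id')}"
    return report

# Constructed host inventory: path -> (version, file bytes), plus registry keys.
HOST_FILES = {"app.dll": ("5.0.2.0", b"app-build-2"), "net.sys": ("1.2.0.0", b"tampered")}
HOST_KEYS = {"HKLM/Software/Example/Hotfix/EX-002", "HKLM/Software/Example/Hotfix/EX-003"}
REPORT = assess(CATALOG, HOST_FILES, HOST_KEYS)
```

The net.sys entry has the expected version but different contents, so a version-only check would pass it while the checksum comparison reports it.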

Page 30: Patch Management

Patch Deployment

Patch packaging

Wizard-based package creation

Decentralized, scalable patch distribution method

Packaged using standard technology

Patch Deployment Packaged I

Centralized patch deployment

Ad-hoc patch distribution

Test deploy

Page 31: Patch Management

Patch Package – Bat File Creation

Example bat file created to install patches.

Without BindView you would have to create this manually for every workstation and patch.

Page 32: Patch Management

Solution considerations

Agentless

Scalability

Scheduling

Baselining

Executive reporting/view

Detailed patch analysis

Comprehensive pre-patch auditing

Post patch verification auditing

Flexible/comprehensive patch selection (critical patches)

Flexible patch deployment (critical servers)

Office CD central source

Rollback capabilities

Page 33: Patch Management

Common Patch Management Tools in Enterprise Environments

Microsoft Baseline Security Advisor (MBSA 1.0, 1.2)

Microsoft Software Update Service (SUS)

Microsoft Systems Management Server (SMS 2.0, 2003)

Active Directory Group Policies

Page 34: Patch Management

Microsoft Baseline Security Advisor (MBSA 1.0, 1.2)

Designed for small to medium businesses (less than 500 machines or 1500 users)

No centralized management server or reporting services

No distributed agents for data collection

Does not distribute patches

When used with SMS, developers still have to manually create patch packages

Page 35: Patch Management

Microsoft Software Update Service (SUS)

Corporate windowsupdate.com

Does not evaluate “back office” applications such as Exchange or IIS

No reporting, only basic log analysis

No distributed agents or distribution points

Page 36: Patch Management

Microsoft Systems Management Server (SMS 3.0)

Does not specifically target security

Software deployments (including patches) must be created manually

No easy way to report on only security patch deployments

Page 37: Patch Management

Active Directory Group Policies

Not designed for patch deployment

Cannot report on software deployments

Targeted distribution points is cumbersome. You must use multiple GPOs which is not recommended

Cannot monitor software pushes

Page 38: Patch Management
