© 2003 Spire Security. All rights reserved.
Expert’s guide for effective patch management
Pete Lindstrom, CISSP
Research Director
Spire Security, [email protected]
© 2004 Spire Security. All rights reserved.
Agenda
Vulnerability Lifecycle
When to Patch Decision
Patch Management Process
Example + ROI
Key Criteria for Automated Patch Management
Vulnerability Lifecycle
1. Vulnerability Created (latent)
2. Vulnerability Discovered
3. Vulnerability Disclosed
4. Patch Released
5. Exploit & Intrusions
6. Patches Applied
Vulnerability Lifecycle
[Figure: timeline running from less to more time, marking vulnerability created, vulnerability discovered, vulnerability disclosed, patch released and patches applied. Labels on the figure: “responsible” disclosure, safe zone, patch zone, exploit zone, “bigger is better”, “smaller is better”, “Can I mitigate?”, “FOCUS HERE”.]
Decision: When to Patch
Too soon may lead to failures caused by the cure.
Too late may lead to compromised systems.
The answer: Compare the costs of patching/not patching and patch when it is cheaper.
“Timing the Application of Security Patches for Optimal Uptime” – Beattie et al. http://nxnw.org/~steve/papers/lisa2002-time-to-patch.pdf
Decision Options
Am I at risk?
Can I turn it off? Can I block it?
Can I patch it?
mitigate
eliminate
remediate
Timing
| Virus/Worm | Exploit Date | Vuln Date | Days |
|---|---|---|---|
| MyDoom | 1/26/04 | none | n/a |
| Blaster | 8/11/03 | 7/16/03 | 26 days |
| Sobig | 8/18/03 | none | n/a |
| WebDAV | 3/10/03 | 3/17/03* | -7 days |
| Slammer | 1/25/03 | 7/24/02 | 170 days |
| Slapper | 9/13/02 | 7/30/02 | 45 days |
| Nimda | 9/18/01 | 3/29/01 & 5/16/01 | 125 days |
| Code Red | 7/16/01 | 6/18/01 | 28 days |
Cost Elements
Cost to apply patches
Cost to recover from failed patches
Cost to recover from incidents and breaches
Cost to Patch
IT time to identify, assess, test, apply, validate patches.
End user lost productivity.
Risk-adjusted cost of patch failure.
Patch + r(Recover)
Cost to Not Patch
Lost productivity for the end user
Lost productivity for IT support personnel
Loss of revenue (direct)
Legal/regulatory costs
Intellectual property losses
Loss of stored assets (financial)
…all risk adjusted
Adjusting for Risk
Look at past history:
o What % of systems hit in past?
o What % of patches fail on what % of systems?
Guesstimate using reasonable numbers.
Use industry averages… oh, none exist.
An Example
2,000 Systems
$70/hr IT support
1 hour to patch / 2 hours to recover
10% likelihood of patch failure
20% likelihood of compromise (pre-exploit)
A Simple Example
Pre-exploit, manual patching
Cost to Patch:
o 2,000 x 70 = $140,000
o Fail: 10% x 2,000 x 70 = $14,000
o Total cost: $154,000
Cost not to Patch:
o 2,000 x 140 x 20% = $56,000
Decision: Don’t Patch
A Simple Example (2)
Post-exploit, manual patching
o Increases risk of compromise to 80%
Cost to Patch:
o 2,000 x 70 = $140,000
o Fail: 10% x 2,000 x 70 = $14,000
o Total cost: $154,000
Cost not to Patch:
o 2,000 x 140 x 80% = $224,000
Decision: Patch
A Simple Example (3)
Pre-exploit, automated patching
Assume 1 patch per month
Cost to Patch:
o Software Costs = $48,000
o 1/12 of $48k = $4,000
o Fail: 10% x 2,000 x 70 = $14,000
o Total cost: $18,000
Cost not to Patch:
o 2,000 x 140 x 20% = $56,000
Decision: Patch
A Simple Example - ROI
Compare two patch scenarios:
Manual process: $154,000
Automated process: $18,000
ROI: $136,000
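The three scenarios above all apply one rule: patch when Patch + r(Recover) is cheaper than the risk-adjusted cost of not patching. The Python sketch below is an added example, not part of the original presentation; it reproduces the slides' figures and goes one step further by deriving the break-even compromise likelihood, which the slides do not compute. Class, function and field names are illustrative, and the $70 failed-patch cost per system is taken from the slides' own "Fail" arithmetic.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Fleet:
    """Inputs from the 'An Example' slide; field names are illustrative."""
    systems: int = 2000
    hourly_rate: float = 70.0        # $/hr IT support
    patch_hours: float = 1.0         # manual effort per system
    recover_hours: float = 2.0       # recovery effort per compromised system
    patch_fail_rate: float = 0.10    # likelihood a patch fails
    failed_patch_cost: float = 70.0  # per-system figure used in the slides' "Fail" line

def cost_to_patch(fleet, deploy_cost=None):
    """Patch + r(Recover). deploy_cost=None means manual patching of every system."""
    if deploy_cost is None:
        deploy_cost = fleet.systems * fleet.hourly_rate * fleet.patch_hours
    risk_adjusted_failure = fleet.patch_fail_rate * fleet.systems * fleet.failed_patch_cost
    return deploy_cost + risk_adjusted_failure

def cost_not_to_patch(fleet, p_compromise):
    """Risk-adjusted recovery cost if the fleet stays unpatched."""
    return fleet.systems * fleet.hourly_rate * fleet.recover_hours * p_compromise

def decide(fleet, p_compromise, deploy_cost=None):
    """Patch only when it is the cheaper option, as the slides recommend."""
    patch = cost_to_patch(fleet, deploy_cost)
    skip = cost_not_to_patch(fleet, p_compromise)
    return ("Patch" if patch < skip else "Don't Patch", patch, skip)

def break_even_likelihood(fleet, deploy_cost=None):
    """Compromise likelihood at which both costs are equal.
    A value above 1.0 means patching is never the cheaper option."""
    return cost_to_patch(fleet, deploy_cost) / cost_not_to_patch(fleet, 1.0)

if __name__ == "__main__":
    fleet = Fleet()
    automated = 48_000 / 12  # annual software cost spread over 1 patch per month
    scenarios = [
        ("pre-exploit, manual", 0.20, None),
        ("post-exploit, manual", 0.80, None),
        ("pre-exploit, automated", 0.20, automated),
    ]
    for name, p, deploy in scenarios:
        verdict, patch, skip = decide(fleet, p, deploy)
        print(f"{name:24} patch=${patch:>9,.0f} skip=${skip:>9,.0f} -> {verdict}")
    print(f"break-even, manual:    {break_even_likelihood(fleet):.1%}")
    print(f"break-even, automated: {break_even_likelihood(fleet, automated):.1%}")
```

With the slides' inputs the manual break-even is 55% and the automated one about 6.4%, which is why the pre-exploit decision at 20% flips from "Don't Patch" to "Patch" once deployment is automated.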
Patch Management Process
Identify – new patches.
Assess – applicability to environment.
Test – patches for need and interoperability.
Apply – patches to all appropriate systems.
Review – patch progress and history.
Key Features – Automated Patch Mgt
Platform Coverage
Research Depth
Workflow
Controlled Rollout
Validation
Rollback
Platform Coverage / Research
Operating Systems
Packaged Applications
Custom Applications
Vendor Information Pass-thru
Independent Analysis
Independent Testing
Workflow
Task Assignments
Scheduling
Approval System
Connect to CRM
Controlled Rollout
Group by system type or function
Queuing of patches
Bandwidth throttling
Store and forward
Validation/Rollback
Progress report
Verify patch application
Rollback for patch failures
Final report and review
Architecture
Communications
Agent/Agentless
Push/Pull
Hierarchies/Peers
o Servers
o administration
Deployment Options
Scripts
Remote control solutions (Auto Update or internal)
Asset/Inventory solutions
Patch Management solutions
Patch Management Solutions
Shavlik
Ecora
Patchlink
Bigfix
Altiris
GFI LANguard
http://www.ntbugtraq.com/patchresults.asp
Microsoft Options
Windows Update
Microsoft Baseline Security Advisor (MBSA)
Software Update Services (SUS)
Systems Management Server (SMS)
Office Update
Microsoft Update/SUS 2.0
For more information
Thank you for joining us today.
For more info on patch management, including an archive of this webcast and Pete’s presentation without audio, visit our Featured Topic:
searchsecurity.com/featuredtopic/patchmanagement