Patch Management

Four Capabilities You Need (But Probably Don’t Have)

MaaS360.com > White Paper


Introduction

Patch Management: An Essential Process

Every organization needs to apply software updates in a timely manner to prevent security breaches. Allowing malware to exploit unpatched vulnerabilities in a system can lead to the loss of intellectual property, exposure of customer and employee information, regulatory fines, notification costs, damage to reputation, and loss of revenue.

Evidence shows that patching is more important than ever. Thousands of new vulnerabilities are discovered every year in both operating systems and Windows applications such as Adobe Reader, Apple QuickTime and Sun Java. Attackers are exploiting known vulnerabilities faster, and the cost of data breaches remains high (see the text box “The Importance of Patching” below).

Patch management has also become a compliance issue. An increasing number of government and industry standards specify effective patch management as a necessary best practice.

Finally, patch management can be one of the most costly and time-consuming activities for IT groups, at a time when budget dollars and staff time are desperately needed for new projects.

Table of Contents

Introduction
    Patch Management: An Essential Process
    Few Execute Patch Management Well
Four Capabilities Are Often Missing
    1. Incomplete Reporting on Installed and Missing Patches
    2. Inability to Identify Corrupt Operating System Patches
    3. Inability to Patch Mobile and Remote Systems
    4. Use of Manual Processes and Scripting
Examples of the Four Capabilities at Work
    Detailed Patch Reporting
    Identifying Corrupt Operating System Patches
    Patching Mobile and Remote Systems
    Patching Without Manual Processes and Scripting
The MaaS360 Family of Services
    The MaaS360 Visibility Service
    The MaaS360 Control Service
    The MaaS360 Windows Application Update Service
    The MaaS360 Mobile Service
    The MaaS360 Healthcare and Financial IT Compliance Services
Summary
End Notes

The Importance of Patching

• Thousands of new vulnerabilities are discovered each year (6,601 in 2009). [i]

• Vulnerability exploitation times are shrinking (from a typical 60 days in 2004 to often less than 10 days in 2009). [ii]

• Data breach costs remain high; according to one survey, $204 per record and $6.75 million per incident. [iii]

• Effective patch management is increasingly recognized as a “best practice” for regulatory compliance. [iv]

• Inefficient patching is expensive.


Few Execute Patch Management Well

If the patch management process at your organization is less than ideal, you have a lot of company. According to one recent survey of large enterprises:

• Only 45% rate their patch management process as “mature,” while 55% admit a lack of workflows, tools or defined policies.

• 26% have no formal testing of patches before deployment.

• 38% rely at least in part on user complaints to validate successful patch deployments.

• 54% are unable to measure adherence to policy.

• 68% are unable to measure time to deploy patches. [v]

Do these shortcomings make a difference? It certainly seems so: three months after Microsoft published security bulletin MS08-067, which fixed the vulnerability later exploited by the well-publicized and highly malicious Conficker/Downadup worm, 30% of Windows-based computers still had not been patched. [vi]

Four Capabilities Are Often Missing

There are many reasons why patch management is less than optimal in most enterprises. In this white paper we will not examine all of the components that go into an effective patch management process. But we will look at four patch management capabilities that are lacking in a majority of organizations.

These capabilities sound simple, but they can make a very big difference in the efficiency and effectiveness of patch management.

Two of these capabilities involve reporting:

1. Detailed reporting on installed patches and missing patches on PCs and laptops.

2. The ability to identify “corrupt” operating system patches and incomplete installations.

The other two capabilities are related to the patch deployment process:

3. The ability to patch mobile and remote systems, as well as LAN-based systems.

4. The ability to deploy patches without manual processes and extensive scripting.

1. Incomplete Reporting on Installed and Missing Patches

Detailed Patch Reporting: A Critical Tool

Detailed reporting on installed and missing patches can help IT operations and security groups to:

• Identify laptops and PCs with missing patches that require immediate attention.

• Track the progress of patch rollouts and deployments.

• Troubleshoot problems in patch deployment processes.

• Document security and compliance processes for auditors.

There are also some less obvious but equally important benefits from accurate patch reporting:

• Assisting help desks and support groups to diagnose problems, especially when the application or removal of a patch causes other software to fail.

• Helping manage “rush” situations when a high-priority patch needs to be deployed quickly, without full testing.

In short, comprehensive patch reporting can help enterprises improve security by identifying unpatched systems, improve operational efficiency by tracking and troubleshooting patch rollouts, and reduce the cost of preparing for compliance audits.


Why Don’t Organizations Have Good Patch Reporting?

If good patch reporting is so important, and if almost everyone has had a patch management process in place for several years, you might expect that most enterprises would have good reporting on installed and missing patches.

But, in fact, this is not the case. As noted above, one survey found 54% of enterprises could not measure adherence to patching policy, and 68% were unable to measure time to deploy patches. Anecdotal evidence suggests that a majority of enterprises can’t produce a report showing all of the workstations that are missing a specific patch at a specific point in time.

There are many reasons for this less-than-optimal situation. Many organizations:

• Rely on homegrown patching tools or scripts that have no reporting component, or only a rudimentary one.

• Use multiple tools from different vendors, so reporting is fragmented.

• Use patching tools that are designed for LAN-based systems and that don’t work, or don’t work well, with mobile and remote computers.

Even many of the more advanced patch management tools on the market require customers to place extra servers and software in the DMZ or outside of the corporate perimeter in order to monitor patches on mobile and remote systems. Many organizations refuse to pay for the duplicate infrastructure. Those that do incur additional capital and operating costs.

Later in this white paper we will look at an example of detailed patch reporting, and how it can be implemented to include reporting on mobile and remote systems without a duplicate infrastructure.

2. Inability to Identify Corrupt Operating System Patches

Mark Twain once said “It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t so.”

Unfortunately, most patch management systems can be misled into thinking operating system patches are installed when in fact they are unable to perform their function. This can occur for several reasons, including:

• A missing or corrupt file.

• A file overwritten or deleted by a user, a program, or a virus, perhaps long after it was originally installed.

Most patch reporting systems simply look to see if patches are listed in the Windows registry, but cannot identify conditions that may cause them to fail. The registry entry (or the corresponding hotfix record) proves only that the installer ran; it says nothing about whether the patched files are still in place at the patched version.

The capability of identifying corrupt and incomplete installations is therefore essential to prevent administrators from thinking systems are protected when, in fact, they are still vulnerable.

3. Inability to Patch Mobile and Remote Systems

Today IT groups need to manage a world of mobile workers and distributed work. For several years now laptops and notebooks have outsold desktop PCs. [vii] One recent survey found that roughly half of office workers (48%) work outside the office at least one day a week. [viii]

Mobile and remote workers may spend hours or even days using Internet-based applications or surfing the web without connecting to the corporate network. During this time they are exposed to viruses and attacks.

Unfortunately, many of these mobile workers are not properly protected, because most patch management systems were designed and optimized for computers inside the corporate firewall, attached to an office LAN, not for distributed devices.

Many patch management systems can only monitor and patch computers when those computers are attached to an internal LAN, either directly or through a virtual private network (VPN) connection.


Other products don’t work effectively through a firewall. They can monitor and patch distributed computers from servers outside the corporate firewall, but only with redundant servers in the DMZ or in multiple locations. Such duplication leads to extra costs, additional effort, and increased chances of human error.

As the number of mobile employees increases, so do the security and cost advantages of being able to patch mobile and remote devices with the same patch management systems used to patch computers on corporate LANs.

4. Use of Manual Processes and Scripting

Most home-grown patching systems, and many vendor products, rely on manual processes and extensive scripting to distribute and install patches.

An organization that relies on a home-grown patching system might have to use time-consuming and unreliable methods for the activities outlined below.

Monitoring New Patches

As pointed out by Jason Chan in Essentials of Patch Management Policy and Practice: “An organization needs a point person or team that is responsible for keeping up to date on newly released patches and security issues that affect the systems and applications deployed in its environment.” [ix]

To be able to apply Windows patches promptly, security administrators or members of the PC operations staff need to monitor the Microsoft TechNet website regularly, or else subscribe to and monitor email, RSS, or instant messaging alerts.

In many cases it is necessary to download multiple versions of a patch, for different operating system versions.

Detecting Missing Patches

After a new patch is announced, most organizations rely on a combination of scripts and scanning tools such as Microsoft Baseline Security Analyzer (MBSA) to determine which systems are missing the patch.

Often scripts need to be adjusted and the scanning tool launched for each patch that is being monitored.

Assessing Vulnerability

Members of the security or PC operations staff need to assess new patches to determine which ones are critical for the organization and will have the greatest effect in controlling overall exposure and risk.

This is typically a manual activity performed by looking at third-party assessments of the criticality of patches (critical, important, moderate, low) and analyzing output from a scan tool to determine how many systems in the organization need the patches.

Creating Execution Packages

Typically someone on the PC operations staff needs to create packages to apply patches on target PCs and laptops. The execution package needs to take into account the scheduling and reboot requirements, as well as corporate policies.

Creating execution packages usually requires the coding of logon scripts or the use of scripting tools.

Distributing Packages

Packages that include the patch and the installation script need to be distributed to test systems, and then to target PCs and laptops throughout the organization. Distribution methods vary widely, from Microsoft tools like SMS and WSUS, to logon scripts and manual links to PC users, to specialized software distribution products.

These methods range from highly manual (and error-prone) to primarily automated. However, as noted earlier, even many of the automated software distribution tools are not reliable in applying patches to mobile and remote systems that do not connect regularly to the corporate LAN.

Validating Successful Installations

Most organizations use scripts to look at registry key entries to determine if patches have been installed and vulnerabilities addressed.


As noted earlier, because most scripts look only at registry entries, they often are unable to detect incomplete or corrupt patch files.

Ongoing Monitoring for Missing Patches

Even the best patch distribution and installation tools are subject to problems. And as noted earlier, patch files can be overwritten or deleted by users, programs and viruses long after installation.

Most organizations rely on a combination of scripts and scanning tools to monitor missing patches on an ongoing basis. This requires scheduling scans and monitoring the results continuously.
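The PowerShell script below is an added example; it is not code from this white paper or from Fiberlink/MaaS360. It shows what the home-grown versions of the “Detecting Missing Patches,” “Assessing Vulnerability,” “Validating Successful Installations” and “Ongoing Monitoring” activities above amount to on a single Windows endpoint, and it implements the check that capability 2 (Inability to Identify Corrupt Operating System Patches) calls for: after confirming that a hotfix record exists, it verifies that the file the patch shipped is present at or above the patched version, and reports the patch as CORRUPT otherwise. Missing updates and their MSRC severity come from the Windows Update Agent COM API. The KB numbers, file paths and minimum versions in $ExpectedFiles are placeholders (assumptions) to be filled from the file information table of the relevant Microsoft security bulletin; everything else uses only standard Windows cmdlets and COM objects (Get-HotFix, Microsoft.Update.Session).

```powershell
# Added example, not code from the white paper or from Fiberlink/MaaS360.
# Runs on one Windows endpoint (elevated PowerShell 3.0 or later) and produces
# the two per-device facts a patch report needs:
#   1. which updates the Windows Update Agent (WUA) says are still missing, with
#      their MSRC severity, and
#   2. whether patches recorded as installed still have their files in place at
#      the patched version (the "corrupt patch" check).
# Use 64-bit PowerShell on 64-bit Windows; a 32-bit host has System32 redirected
# to SysWOW64 and would check the wrong copy of the file.

# Placeholders (assumptions): fill the KB, the file the bulletin updates and the
# minimum patched file version from the bulletin's "File information" table.
$ExpectedFiles = @(
    @{ KB = 'KB0000001'; Path = "$env:SystemRoot\System32\example1.dll"; MinVersion = '6.1.7601.17514' }
    @{ KB = 'KB0000002'; Path = "$env:SystemRoot\System32\example2.dll"; MinVersion = '6.1.7601.17514' }
)

function Get-MissingUpdates {
    # WUA search criteria: not installed, software (not drivers), not hidden by an admin.
    param([string]$Criteria = "IsInstalled=0 and Type='Software' and IsHidden=0")

    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search($Criteria)   # queries the configured WSUS server or Microsoft Update

    foreach ($update in $result.Updates) {
        $kbs = foreach ($id in $update.KBArticleIDs) { "KB$id" }
        # MsrcSeverity is Critical/Important/Moderate/Low for security updates and
        # empty for everything else; report the latter as Unrated.
        $severity = if ($update.MsrcSeverity) { $update.MsrcSeverity } else { 'Unrated' }
        [pscustomobject]@{
            Device   = $env:COMPUTERNAME
            KB       = ($kbs -join ',')
            Severity = $severity
            Title    = $update.Title
            Released = $update.LastDeploymentChangeTime
        }
    }
}

function Test-InstalledPatch {
    param(
        [Parameter(Mandatory)] [string]$KB,
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [version]$MinVersion,
        # HotFixIDs from Get-HotFix (Win32_QuickFixEngineering). This record is all
        # that a registry-only validation script ever looks at.
        [Parameter(Mandatory)] [string[]]$InstalledKBs
    )
    $row = [ordered]@{ Device = $env:COMPUTERNAME; KB = $KB; State = ''; Detail = '' }

    if ($InstalledKBs -notcontains $KB) {
        $row.State = 'MISSING'; $row.Detail = 'no hotfix record'
        return [pscustomobject]$row
    }
    # The record exists; now check the payload the record is supposed to vouch for.
    if (-not (Test-Path -LiteralPath $Path)) {
        $row.State = 'CORRUPT'; $row.Detail = "file missing: $Path"
        return [pscustomobject]$row
    }
    # Build the version from the numeric parts; the FileVersion string on some
    # binaries carries extra text that would not parse as a [version].
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    $fileVersion = New-Object -TypeName Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    if ($fileVersion -lt $MinVersion) {
        # Recorded as installed, but the file is older: overwritten, rolled back or never replaced.
        $row.State = 'CORRUPT'; $row.Detail = "$Path is $fileVersion, expected >= $MinVersion"
    } else {
        $row.State = 'INSTALLED'; $row.Detail = "$Path is $fileVersion"
    }
    [pscustomobject]$row
}

# Get-HotFix lists only updates registered as QFEs, so MISSING here means "no
# record"; cross-check it against the WUA result before treating it as a vulnerability.
$installed  = Get-HotFix | Select-Object -ExpandProperty HotFixID
$validation = foreach ($e in $ExpectedFiles) {
    Test-InstalledPatch -KB $e.KB -Path $e.Path -MinVersion $e.MinVersion -InstalledKBs $installed
}
$missing = Get-MissingUpdates

$rank = @{ Critical = 0; Important = 1; Moderate = 2; Low = 3; Unrated = 4 }
$validation | Format-Table -AutoSize
$missing | Sort-Object { $rank[$_.Severity] } | Format-Table KB, Severity, Title -AutoSize

# Per-device CSVs like these are what a central report aggregates across the fleet.
$validation | Export-Csv -NoTypeInformation -Path "$env:COMPUTERNAME-validation.csv"
if ($missing) { $missing | Export-Csv -NoTypeInformation -Path "$env:COMPUTERNAME-missing.csv" }
```

Scheduling this script on each endpoint (for example as a scheduled task) and collecting the CSVs centrally is the manual “ongoing monitoring” the paper describes; the WUA search only answers for updates the endpoint’s update source knows about, so an endpoint that has not contacted WSUS or Microsoft Update recently will report stale results, which is exactly the mobile and remote problem discussed later.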

It should be clear from this review that relying on manual activities and scripts produces labor-intensive, error-prone processes. Scripts also introduce maintenance issues, because when changes are needed the original developer may not be available.

Most IT organizations are resigned to manual processes and scripting in situations when no alternative is available.

However, as we will see later, using a patch distribution service can greatly reduce reliance on these methods.

Examples of the Four Capabilities at Work

In this section of the white paper we will illustrate how the four capabilities discussed above can be provided by patch reporting and deployment services. We will first show samples of detailed patch management reporting, and later show a “cloud computing” architecture that makes it easy to extend monitoring, reporting and patch deployment services to mobile and remote computers, as well as LAN-based ones.

Detailed Patch Reporting

Detailed patch reporting should provide administrators with the following types of information:

• Summary information on the number of missing patches across the organization.

• Summary information on the number of devices missing patches.

• How many patches are missing on each device.

• How many devices are missing each patch.

• Inventory information on patches installed on each device.
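As an added example (not part of the white paper, and not MaaS360 code), the PowerShell below builds those summary views from per-device rows of missing patches. The rows are constructed sample data in the shape a per-endpoint inventory script might export (device, office, KB, severity); in practice they would come from Import-Csv over the files collected from the fleet. The device names, office names and KB numbers are invented for the example.

```powershell
# Added example, not code from the white paper or from MaaS360. Builds the
# summary views a detailed patch report needs from per-device rows. The rows
# below are constructed sample data (invented device, office and KB names) in
# the shape a per-endpoint script might export; replace them with Import-Csv
# over the files collected from real endpoints.

$rows = @(
    [pscustomobject]@{ Device = 'CHI-LT-01'; Office = 'Chicago';   KB = 'KB111111'; Severity = 'Critical'  }
    [pscustomobject]@{ Device = 'CHI-LT-01'; Office = 'Chicago';   KB = 'KB222222'; Severity = 'Important' }
    [pscustomobject]@{ Device = 'CHI-LT-01'; Office = 'Chicago';   KB = 'KB333333'; Severity = 'Moderate'  }
    [pscustomobject]@{ Device = 'CHI-LT-02'; Office = 'Chicago';   KB = 'KB111111'; Severity = 'Critical'  }
    [pscustomobject]@{ Device = 'CHI-LT-02'; Office = 'Chicago';   KB = 'KB222222'; Severity = 'Important' }
    [pscustomobject]@{ Device = 'FRA-PC-07'; Office = 'Frankfurt'; KB = 'KB111111'; Severity = 'Critical'  }
    [pscustomobject]@{ Device = 'FRA-PC-07'; Office = 'Frankfurt'; KB = 'KB444444'; Severity = 'Low'       }
    [pscustomobject]@{ Device = 'NYC-PC-03'; Office = 'New York';  KB = 'KB222222'; Severity = 'Important' }
)
# Every device that reported in, including those missing nothing. Without this
# list a fully patched device silently disappears from the per-device view.
$reportingDevices = @('CHI-LT-01', 'CHI-LT-02', 'FRA-PC-07', 'NYC-PC-03', 'NYC-PC-04')

$severityRank = @{ Critical = 0; Important = 1; Moderate = 2; Low = 3 }

# View 1 (Figure 1, second graph): total missing patches by severity.
$bySeverity = $rows | Group-Object Severity |
    Sort-Object { $severityRank[$_.Name] } |
    Select-Object @{ n = 'Severity'; e = { $_.Name } }, Count

# View 2 (Figure 2): devices ranked by number of missing patches, zero included.
$counts = @{}
foreach ($d in $reportingDevices) { $counts[$d] = 0 }
foreach ($r in $rows)             { $counts[$r.Device]++ }
$byDevice = $counts.GetEnumerator() | Sort-Object Value -Descending |
    Select-Object @{ n = 'Device'; e = { $_.Key } }, @{ n = 'MissingPatches'; e = { $_.Value } }

# View 3 (Figure 3): each patch with how many, and which, devices still lack it.
$byPatch = $rows | Group-Object KB | Sort-Object Count -Descending |
    Select-Object @{ n = 'KB';             e = { $_.Name } },
                  @{ n = 'Severity';       e = { $_.Group[0].Severity } },
                  @{ n = 'DevicesMissing'; e = { $_.Count } },
                  @{ n = 'Devices';        e = { ($_.Group.Device | Sort-Object) -join ',' } }

# Pattern check ("why are Chicago and Frankfurt missing so many?"): missing patches per office.
$byOffice = $rows | Group-Object Office | Sort-Object Count -Descending |
    Select-Object @{ n = 'Office'; e = { $_.Name } }, @{ n = 'MissingPatches'; e = { $_.Count } }

$bySeverity | Format-Table -AutoSize
$byDevice   | Format-Table -AutoSize
$byPatch    | Format-Table -AutoSize
$byOffice   | Format-Table -AutoSize
```

The one design point worth noting is the separate list of reporting devices: a report built only from rows of missing patches cannot distinguish a fully patched machine from one that never checked in, and it is the silent machines that are usually the unpatched ones.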

Figure 1 shows two graphs that give summary information about missing patches across all Windows laptops, netbooks and desktop PCs in the organization. The first graph tells how many systems are missing large numbers of patches, versus only a few. The second graph shows the total number of missing patches, and classifies them by severity (Critical, Important, Moderate or Low).

Graphs like these give administrators an immediate sense of the severity of missing patches in their enterprise.

After viewing such overview information, an administrator might want to know, “Which devices are missing the most patches, and what patches are they missing?”

Figure 2 is an example of a report that shows the devices with the most missing patches. Follow-up reports (as shown in Figure 5, later in this white paper) can be used to drill down and see exactly what patches are missing on each of these devices.

Reports like these allow administrators to:

• Quickly identify “problem systems” that require immediate attention.

• Find information about specific systems, to help with support and upgrade processes.

• Identify patterns indicating problems in the patch management process (“Why are the computers in the Chicago and Frankfurt offices missing so many patches?”).

But what about the administrator who wants to track the progress of a patch deployment?

Figure 1: Graphs can show the number and severity of missing patches across the organization.

Figure 2: Reports can show the number of missing patches on each device and identify problem systems.


Figure 3 is an example of a report that shows information about each patch, including name, size, release date, severity, and computers missing the patch.

Reports like these allow administrators to:

• Quickly identify which critical and important patches are still missing from large numbers of computers.

• Track the progress of patch deployments over time.

Administrators also want to know what patches have been installed.

Figure 4 is an example of a report that gives a complete inventory of software installed on a computer, including applications and plug-ins, as well as patches.

Reports like these allow administrators to:

• Ensure that the right patches and applications are installed on the right systems (and identify “bad” applications such as games, IM clients and P2P networking programs).

• Diagnose problems based on installed software and missing software.

• Prepare for software upgrades and rollouts.

Figure 3: Reports can show how many computers have not yet received specific patches.

Figure 4: Reports show all installed software patches and applications.


Identifying Corrupt Operating System Patches

As mentioned earlier, most patch reporting systems simply look to see if patches are listed in the Windows registry, and cannot identify conditions such as errors in the registry keys, missing or corrupt files, and overwritten or deleted files. This can give administrators the illusion that devices are protected when in fact they are still vulnerable to exploitation.

Figure 5 is an example of a report that shows exactly what patches are missing on each device. In Figure 5 there is an entry labeled “CORRUPT PATCH,” indicating a patch that was partially deployed but not able to perform its function.

Reports like these allow administrators to gain an accurate understanding of which computers are correctly patched and which are still vulnerable.

Patching Mobile and Remote Systems

As noted earlier, many patch management systems can only monitor and patch computers attached to an internal LAN or networked to the LAN via a VPN connection. Others don’t work effectively through a firewall, requiring organizations to position multiple servers inside the firewall and in the DMZ or remote locations.

In a highly mobile and distributed world, a far better approach is to handle monitoring, reporting and updating “in the cloud.”

Figure 6 is a diagram of how the MaaS360 Platform provides patch reporting and deployment services from a secure hosted data center. Administrators can access reports and initiate patch deployments over a secure browser connection. They don’t have to deploy, manage or upgrade any servers or software inside or outside of the firewall. A hosted solution also makes it easy to scale from a few employees to thousands, and to add additional services as they are needed.

Figure 5: Reports like this identify corrupt patches that are missed by most patch management systems.


By using cloud-based services, administrators can avoid situations where systems are out of sight and out of reach for hours or days because they are surfing the Internet without being connected by VPN to the corporate LAN. Computers can be monitored and patched as soon as they connect to the Internet, closing the window of vulnerability much sooner.

Patching Without Manual Processes and Scripting

As noted earlier, most home-grown patching systems and many vendor products rely on time-consuming manual processes and extensive scripting to distribute and install patches. But manual processes and scripts not only require a lot of effort; they are also prone to bugs and errors, and create maintenance issues.

A well-designed patch deployment service can eliminate most of these obstacles. Table 1 compares the typical operational tasks of a home-grown patching system with those needed for the MaaS360 Patch Management Service.

Table 1: Operational tasks with a home-grown patch management system versus the MaaS360 Patch Management Service

Task: Monitor new patches
    Home-grown system: Monitor web sites and alerts.
    MaaS360 service: Automated.
    Difference: Fiberlink automatically receives notifications from Microsoft when new security bulletins are released.

Task: Detect missing patches
    Home-grown system: Write scripts or run scanning tools, and then analyze the output.
    MaaS360 service: View reports.
    Difference: MaaS360 distributes identification scripts to all endpoints. Results are usually available in MaaS360 reports within 24 hours.

Task: Assess vulnerability
    Home-grown system: Review third-party assessments, run scanning tools and analyze output.
    MaaS360 service: View reports.
    Difference: MaaS360 charts and reports show the number of systems missing patches and the severity of the missing patches.

Task: Create execution packages
    Home-grown system: Write logon scripts.
    MaaS360 service: Automated.
    Difference: MaaS360 manages the package execution process based on operating system version and restart policies.

Task: Distribute packages
    Home-grown system: Varies from writing scripts to using automated tools. Distribution to mobile and remote systems is usually unreliable.
    MaaS360 service: Automated.
    Difference: MaaS360 automatically distributes packages to systems missing patches, including mobile and remote systems.

Task: Validate successful installations
    Home-grown system: Write scripts to examine registry keys.
    MaaS360 service: View reports.
    Difference: MaaS360 verifies registry keys and also validates correct file versions. Problems are flagged as a “corrupt patch.”

Task: Ongoing monitoring
    Home-grown system: Run scanning tools and analyze output.
    MaaS360 service: View reports.
    Difference: MaaS360 continuously identifies missing patches.

Obviously, fewer tasks and more automation mean less work, faster deployments, and less risk of failure.

Figure 7 shows how easy it can be to schedule a patch deployment using a patch deployment service.

Figure 7: A patch deployment service can eliminate scripting and dramatically reduce the effort required to distribute patches.


The MaaS360 Family of Services

The capabilities described in the Detailed Patch Reporting and Identifying Corrupt Operating System Patches discussions above are included as a part of the low-cost MaaS360® Visibility Service.

The patch deployment capabilities described in the Patching Mobile and Remote Systems and Patching Without Manual Processes and Scripting sections above are available as the MaaS360 Patch Management Service, which is an add-on to the MaaS360 Visibility Service.

For organizations that want additional control, security and compliance solutions, these four reporting and deployment capabilities are included as part of the MaaS360 Control, Mobile and Compliance services.

The MaaS360 Visibility Service

The MaaS360 Visibility Service gives IT and networking staffs a detailed knowledge of laptops, netbooks, distributed PCs and mobile devices. It collects and correlates data from mobile endpoints so administrators can assess installed hardware and software, identify missing patches, flag outdated anti-virus signature files, and assess the state of firewalls, anti-virus packages, data encryption, and other security applications running on the endpoints.

The MaaS360 Control Service

The MaaS360 Control Service gives IT operations staffs control over laptops and distributed PCs. It allows them to automate the processes of updating patches and anti-virus signature files, remediating security applications, applying network access controls (NAC), and reporting on compliance with corporate policies and government regulations.

The MaaS360 Windows Application Update Service

The MaaS360 Windows Application Update Service enables companies to identify, report on and perform remediation for a wide set of third-party Windows-compatible applications. Software vulnerabilities in products such as Adobe Acrobat, Apple QuickTime, and Sun Java can be easily identified and patched as part of the service. This enhanced service from Fiberlink helps organizations lower security risks and improve overall management of distributed information technology infrastructures.

The MaaS360 Mobile Service

The MaaS360 Mobile Service dramatically simplifies the support of mobile workers and devices. “Road warriors” can use a single interface and a single password to connect easily to Wi-Fi, 3G, broadband and WLAN networks. A virtual global network of 101,000 access points gives enterprises an option to work with one vendor worldwide for wireless connectivity instead of a multitude of network service providers.

The MaaS360 Healthcare and Financial IT Compliance Services

The MaaS360 Healthcare IT Compliance Service and the MaaS360 Financial IT Compliance Service bundle most of the features of the MaaS360 Visibility and Control Services in configurations designed to address the management and compliance needs of healthcare, life sciences, financial services, banking and insurance firms.


Summary

Everyone has patch management processes, but most are far from ideal.

The consequences include increased vulnerability, higher management costs, higher help desk costs, and often duplicate infrastructures to handle patching inside and outside the firewall.

This white paper has looked at four capabilities related to patch management that everyone should have, but few organizations do.

These are:

1. Detailed reporting on installed patches and missing patches on PCs and laptops.

2. The ability to identify “corrupt” operating system patches.

3. The ability to patch mobile and remote systems.

4. The ability to deploy patches without manual processes and extensive scripting.

The right reporting capabilities and a “cloud-based” architecture can help organizations:

• Assess the severity of missing patches across the enterprise.

• Quickly identify “problem” systems that require immediate attention.

• Find information about specific systems, to help with support and upgrade processes.

• Identify patterns indicating problems in the patch management process.

• Identify which critical and important patches are still missing from large numbers of computers.

• Track the progress of patch deployments over time.

• Ensure that the right patches and applications are installed on the right systems.

• Diagnose problems based on installed software and missing software.

• Prepare for software upgrades and rollouts.

• Identify “corrupt” patches and incomplete installations.

• Monitor and patch mobile and remote systems as soon as they connect to the Internet.

• Manage patch deployments without relying on time-consuming manual processes and extensive scripting.


All brands and their products, featured or referred to within this document, are trademarks or registered trademarks of their respective holders and should be noted as such.

For More Information

To learn more about our technology and services visit www.MaaS360.com.

1787 Sentry Parkway West, Building 18, Suite 200 | Blue Bell, PA 19422
Phone 215.664.1600 | Fax 215.664.1601 | [email protected]

WP_201109_0029

End Notes

i. IBM X-Force 2009 Trend and Risk Report, February 2010. http://www-03.ibm.com/press/us/en/pressrelease/29519.wss

ii. The Laws of Vulnerabilities 2.0, Black Hat 2009 Edition, Qualys, Inc. http://www.qualys.com/docs/laws_2.0.pdf

iii. 2009 Annual Study: Cost of a Data Breach, Ponemon Institute, January 2010. http://www.encryptionreports.com/download/Ponemon_CoB_2009_US.pdf

iv. For example, the Payment Card Industry Data Security Standard (PCI DSS) (https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-1.pdf), the DHHS HIPAA Audit Compliance Checklist (http://www.training-hipaa.net/compliance/official-HIPaa-Security-Compliance-audit-checklist_document-by-DHHS.pdf), and the Federal Financial Institutions Examination Council (FFIEC) Information Security Handbook (http://www.ffiec.gov/ffiecinfobase/booklets/information_security/information_security.pdf).

v. Project Quant Patch Management Survey, Summary and Analysis of Results, August 2009. http://securosis.com/images/uploads/quant-survey-report-072709.pdf

vi. Conficker Worm: 30% Still Infected, Qualys blog, January 22, 2009. http://laws.qualys.com/lawsblog/2009/01/entry-6.html

vii. Laptop and notebook sales exceeded desktop PC sales in 2005 or 2008, according to different analysts. See: Laptops outsell desktops for first time, USA Today, June 6, 2005. http://www.usatoday.com/tech/news/2005-06-06-laptops-outsell_x.htm and IDC: Notebooks Finally Outsell Desktops in U.S., PC Magazine, October 29, 2008. http://www.pcmag.com/article2/0,2817,2333549,00.asp

viii. 48% of employees work outside the office at least one day a week, according to a Kelton Research survey of 333 IT staff at companies with 500+ employees, conducted for Fiberlink Communications, February 2008.

ix. Essentials of Patch Management Policy and Practice, Jason Chan, 2004. http://www.patchmanagement.org/pmessentials.asp