© 2003 Spire Security. All rights reserved. Spire Security.
Slide 1 (title): Expert's guide for effective patch management. Pete Lindstrom, CISSP, Research Director, Spire Security, LLC

Slide 2: Agenda
 Vulnerability Lifecycle
 When to Patch Decision
 Patch Management Process
 Example + ROI
 Key Criteria for Automated Patch Management

Slide 3: Vulnerability Lifecycle
1. Vulnerability Created (latent)
2. Vulnerability Discovered
3. Vulnerability Disclosed
4. Patch Released
5. Exploit & Intrusions
6. Patches Applied

Slide 4: Vulnerability Lifecycle (timeline figure)
[Figure: a timeline running from "less" to "more" time through the stages vulnerability created, vulnerability discovered, vulnerability disclosed ("responsible" disclosure), patch released, exploit zone, patches applied. The interval before disclosure is labelled the safe zone (bigger is better); the interval between patch release and patches applied is labelled the patch zone (smaller is better). The question "Can I mitigate?" is marked FOCUS HERE.]

Slide 5: Decision: When to Patch
 Too soon may lead to failures caused by the cure.
 Too late may lead to compromised systems.
 The answer: compare the costs of patching and of not patching, and patch when patching is cheaper.
 See "Timing the Application of Security Patches for Optimal Uptime", Beattie et al.

Slide 6: Decision Options (decision-tree figure)
[Figure: starting from "Am I at risk?", three questions branch off: "Can I turn it off?", "Can I block it?", "Can I patch it?". The outcomes shown are mitigate, eliminate and remediate.]

Slide 7: Timing

Virus/Worm   Exploit Date   Vuln Date            Days
MyDoom       1/26/04        none                 n/a
Blaster      8/11/03        7/16/03              26 days
Sobig        8/18/03        none                 n/a
WebDAV       3/10/03        3/17/03*             -7 days
Slammer      1/25/03        7/24/02              170 days
Slapper      9/13/02        7/30/02              45 days
Nimda        9/18/01        3/29/01 & 5/16/      (number missing) days
Code Red     7/16/01        6/18/01              28 days

(* the WebDAV vulnerability date falls after the exploit date, hence the negative window.)
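The "Days" column of the table is the patch zone from slide 4, measured for real worms. The following is an added example (not part of the original webcast) that computes that window from the slide's dates, maps it onto the decision options of slide 6, and checks whether a fixed patch cycle (the 30-day value is an assumption, echoing the "1 patch per month" used later in the deck) would have closed the window before the worm appeared. Function names and the 30-day cycle are the example's own.

```python
from datetime import datetime

# Constructed from the slide's "Timing" table: worm name, date it appeared,
# and the vulnerability/patch date (None = no patch existed at the time).
EVENTS = [
    ("MyDoom",   "1/26/04", None),
    ("Blaster",  "8/11/03", "7/16/03"),
    ("Sobig",    "8/18/03", None),
    ("WebDAV",   "3/10/03", "3/17/03"),
    ("Slammer",  "1/25/03", "7/24/02"),
    ("Slapper",  "9/13/02", "7/30/02"),
    ("Code Red", "7/16/01", "6/18/01"),
]


def parse_mdy(text):
    """Parse the slide's M/D/YY date format (two-digit year) into a date."""
    return datetime.strptime(text, "%m/%d/%y").date()


def exploit_window_days(exploit_date, vuln_date):
    """Length of the patch zone: days from the vulnerability/patch date to the
    exploit. Negative = exploit came first; None = there was no patch to apply."""
    if vuln_date is None:
        return None
    return (parse_mdy(exploit_date) - parse_mdy(vuln_date)).days


def decision_option(days):
    """With no patch, or an exploit that preceded the patch, only the mitigation
    branches of slide 6 (turn it off / block it) are available; otherwise
    remediation by patching is possible inside the window."""
    if days is None or days < 0:
        return "mitigate"
    return "remediate"


def covered_by_cycle(days, cycle_days):
    """True if patching within `cycle_days` of the patch release would have
    closed the window before the exploit appeared."""
    return days is not None and days >= cycle_days


def summarize(events=EVENTS, cycle_days=30):
    """Return {name: (window_days, decision option, covered by the cycle)}."""
    out = {}
    for name, exploit_date, vuln_date in events:
        days = exploit_window_days(exploit_date, vuln_date)
        out[name] = (days, decision_option(days), covered_by_cycle(days, cycle_days))
    return out


if __name__ == "__main__":
    for name, (days, option, covered) in summarize().items():
        window = "n/a" if days is None else f"{days} days"
        print(f"{name:9s} {window:>9s}  {option:9s}  closed by 30-day cycle: {covered}")
```

Running it shows that a 30-day cycle would not have beaten Blaster (26 days) or Code Red (28 days), which is the point of the slide: the patch zone is frequently shorter than a monthly cycle. Note that straight date arithmetic gives 185 days for Slammer where the slide lists 170.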

Slide 8: Cost Elements
 Cost to apply patches
 Cost to recover from failed patches
 Cost to recover from incidents and breaches

Slide 9: Cost to Patch
 IT time to identify, assess, test, apply and validate patches.
 End-user lost productivity.
 Risk-adjusted cost of patch failure.
 Cost to patch = Patch + r(Recover), where r is the likelihood of patch failure and Recover is the cost of recovering from a failed patch.

Slide 10: Cost to Not Patch
 Lost productivity for the end user
 Lost productivity for IT support personnel
 Loss of revenue (direct)
 Legal/regulatory costs
 Intellectual property losses
 Loss of stored assets (financial)
 ...all risk adjusted

Slide 11: Adjusting for Risk
 Look at past history:
  o What % of systems were hit in the past?
  o What % of patches fail on what % of systems?
 Guesstimate using reasonable numbers.
 Use industry averages... oh, none exist.

Slide 12: An Example
 2,000 systems
 $70/hr IT support
 1 hour to patch / 2 hours to recover
 10% likelihood of patch failure
 20% likelihood of compromise (pre-exploit)

Slide 13: A Simple Example
 Pre-exploit, manual patching
 Cost to Patch:
  o 2,000 x 70 = $140,000 (2,000 systems, 1 hour each at $70/hr)
  o Fail: 10% x 2,000 x 70 = $14,000
  o Total cost: $154,000
 Cost not to Patch:
  o 2,000 x 140 x 20% = $56,000 (2 hours to recover at $70/hr, risk adjusted)
 Decision: Don't Patch

Slide 14: A Simple Example (2)
 Post-exploit, manual patching
  o Increases risk of compromise to 80%
 Cost to Patch:
  o 2,000 x 70 = $140,000
  o Fail: 10% x 2,000 x 70 = $14,000
  o Total cost: $154,000
 Cost not to Patch:
  o 2,000 x 140 x 80% = $224,000
 Decision: Patch

Slide 15: A Simple Example (3)
 Pre-exploit, automated patching
 Assume 1 patch per month
 Cost to Patch:
  o Software costs = $48,000
  o 1/12 of $48k = $4,000
  o Fail: 10% x 2,000 x 70 = $14,000
  o Total cost: $18,000
 Cost not to Patch:
  o 2,000 x 140 x 20% = $56,000
 Decision: Patch

Slide 16: A Simple Example - ROI
 Compare two patch scenarios:
 Manual process: $154,000
 Automated process: $18,000
 ROI: $136,000
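Slides 9 through 16 describe a small cost model and work it through three scenarios. The block below is an added example (not from the webcast) that encodes that model with the slide's inputs and reproduces the three decisions and the ROI figure, then adds one thing the slides do not show: the compromise likelihood at which manual patching breaks even. Field and function names are the example's own; the failed-patch term multiplies by one hour at $70, exactly as the slides' arithmetic does, which is an assumption about how the slides intend that term.

```python
from dataclasses import dataclass, replace


@dataclass
class PatchScenario:
    """Inputs from slide 12. All defaults are the slide's assumed figures."""
    systems: int = 2000
    rate: float = 70.0           # $/hour of IT support time
    patch_hours: float = 1.0     # hours to patch one system
    recover_hours: float = 2.0   # hours to recover one compromised system
    p_fail: float = 0.10         # likelihood a patch fails on a system
    p_compromise: float = 0.20   # likelihood of compromise (0.20 pre-exploit, 0.80 post-exploit)
    automated: bool = False
    annual_tool_cost: float = 48000.0   # software cost of the automated tool (slide 15)
    patches_per_year: int = 12          # "assume 1 patch per month"

    def cost_to_apply(self):
        """Manual: labour for every system. Automated: this month's share of the tool cost."""
        if self.automated:
            return self.annual_tool_cost / self.patches_per_year
        return self.systems * self.rate * self.patch_hours

    def cost_of_failed_patches(self):
        """The r(Recover) term of slide 9. The slides compute it as
        10% x 2,000 x $70, i.e. one hour per failed system (assumption)."""
        return self.p_fail * self.systems * self.rate * self.patch_hours

    def cost_to_patch(self):
        return self.cost_to_apply() + self.cost_of_failed_patches()

    def cost_not_to_patch(self):
        """Risk-adjusted recovery cost if the fleet is compromised (slide 10)."""
        return self.systems * self.rate * self.recover_hours * self.p_compromise

    def decision(self):
        return "patch" if self.cost_to_patch() < self.cost_not_to_patch() else "don't patch"

    def breakeven_compromise_probability(self):
        """Compromise likelihood above which patching becomes the cheaper choice."""
        return self.cost_to_patch() / (self.systems * self.rate * self.recover_hours)


def run_examples():
    """Reproduce slides 13-15 and the ROI of slide 16 as a dict of results."""
    manual_pre = PatchScenario()
    manual_post = replace(manual_pre, p_compromise=0.80)
    auto_pre = replace(manual_pre, automated=True)
    return {
        "manual_pre": (manual_pre.cost_to_patch(), manual_pre.cost_not_to_patch(), manual_pre.decision()),
        "manual_post": (manual_post.cost_to_patch(), manual_post.cost_not_to_patch(), manual_post.decision()),
        "auto_pre": (auto_pre.cost_to_patch(), auto_pre.cost_not_to_patch(), auto_pre.decision()),
        "roi": manual_pre.cost_to_patch() - auto_pre.cost_to_patch(),
        "manual_breakeven": manual_pre.breakeven_compromise_probability(),
    }


if __name__ == "__main__":
    for name, value in run_examples().items():
        print(f"{name:17s} {value}")
```

With the slide's numbers the manual process breaks even at a 55% likelihood of compromise, which is why the same fleet flips from "don't patch" at 20% (pre-exploit) to "patch" at 80% (post-exploit); the automated scenario breaks even at roughly 6%, so it is worth patching on release.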

Slide 17: Patch Management Process
 Identify: new patches.
 Assess: applicability to the environment.
 Test: patches for need and interoperability.
 Apply: patches to all appropriate systems.
 Review: patch progress and history.

Slide 18: Key Features - Automated Patch Management
 Platform Coverage
 Research Depth
 Workflow
 Controlled Rollout
 Validation
 Rollback

Slide 19: Platform Coverage / Research
 Operating Systems
 Packaged Applications
 Custom Applications
 Vendor Information Pass-thru
 Independent Analysis
 Independent Testing

Slide 20: Workflow
 Task Assignments
 Scheduling
 Approval System
 Connect to CRM

Slide 21: Controlled Rollout
 Group by system type or function
 Queuing of patches
 Bandwidth throttling
 Store and forward

Slide 22: Validation/Rollback
 Progress report
 Verify patch application
 Rollback for patch failures
 Final report and review
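Slides 21 and 22 list controlled rollout, validation and rollback as features without showing how they fit together. The block below is an added illustration (not the webcast's content, nor any vendor's tool) of the minimal control loop a patch tool implements: group systems by function, roll out group by group starting with the least critical, verify each host after patching, roll back individual failures, and roll back a whole group and halt if its failure rate crosses a threshold. The inventory, group order, threshold and the fake apply/verify/rollback callbacks are all constructed for the example.

```python
from collections import defaultdict

# Constructed inventory for the example: (hostname, functional group).
INVENTORY = [
    ("ws-01", "workstation"), ("ws-02", "workstation"), ("ws-03", "workstation"),
    ("web-01", "web"), ("web-02", "web"),
    ("db-01", "db"), ("db-02", "db"),
]
# Assumed ordering: pilot on the least critical group first.
ROLLOUT_ORDER = ["workstation", "web", "db"]


def group_by_function(inventory):
    """'Group by system type or function' (slide 21)."""
    groups = defaultdict(list)
    for host, group in inventory:
        groups[group].append(host)
    return dict(groups)


def staged_rollout(inventory, order, apply, verify, rollback, max_failure_rate=0.2):
    """Queue the patch group by group. Each host is verified after patching
    (slide 22); hosts failing verification are rolled back individually. If a
    group's failure rate exceeds max_failure_rate the whole group is rolled
    back and the rollout halts, so later (more critical) groups are untouched.
    Returns the progress report."""
    groups = group_by_function(inventory)
    report = {"applied": [], "rolled_back": [], "halted_at": None}
    for name in order:
        hosts = groups.get(name, [])
        failed = []
        for host in hosts:
            apply(host)
            if not verify(host):
                failed.append(host)
        if hosts and len(failed) / len(hosts) > max_failure_rate:
            for host in hosts:
                rollback(host)
            report["rolled_back"].extend(hosts)
            report["halted_at"] = name
            return report
        for host in failed:
            rollback(host)
        report["rolled_back"].extend(failed)
        report["applied"].extend(h for h in hosts if h not in failed)
    return report


def simulate(failing_hosts, max_failure_rate=0.2):
    """Run the rollout with simulated callbacks; hosts in `failing_hosts` are
    treated as failing post-patch verification. Returns the report plus the
    ordered action log."""
    log = []

    def apply(host):
        log.append(("apply", host))

    def verify(host):
        return host not in failing_hosts

    def rollback(host):
        log.append(("rollback", host))

    report = staged_rollout(INVENTORY, ROLLOUT_ORDER, apply, verify, rollback, max_failure_rate)
    report["log"] = log
    return report


if __name__ == "__main__":
    r = simulate({"db-01"})
    print("applied:", r["applied"])
    print("rolled back:", r["rolled_back"])
    print("halted at group:", r["halted_at"])
```

In the default run one database host fails verification; at a 20% threshold that is half the group, so both database hosts are rolled back and the rollout stops, while the workstation and web groups keep the patch. Raising the threshold changes the outcome to rolling back only the failed host, which is the trade-off the threshold exists to make explicit.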

Slide 23: Architecture
 Communications
 Agent/Agentless
 Push/Pull
 Hierarchies/Peers
  o Servers
  o Administration

Slide 24: Deployment Options
 Scripts
 Remote control solutions (Auto Update or internal)
 Asset/Inventory solutions
 Patch Management solutions

Slide 25: Patch Management Solutions
 Shavlik
 Ecora
 PatchLink
 BigFix
 Altiris
 GFI LANguard

Slide 26: Microsoft Options
 Windows Update
 Microsoft Baseline Security Advisor (MBSA)
 Software Update Services (SUS)
 Systems Management Server (SMS)
 Office Update
 Microsoft Update/SUS 2.0

Slide 27: Pete Lindstrom. Agree? Disagree?

Slide 28: For more information
Thank you for joining us today. For more information on patch management, including an archive of this webcast and Pete's presentation without audio, visit our Featured Topic: searchsecurity.com/featuredtopic/patchmanagement