Patch Management Strategy

Presentation transcript:

Patch Management Strategy Ken DeJarnette, Deloitte Principal Mike Simpson, Deloitte Senior Manager

Challenges in the IT Environment
- Multi-platform environments
- Segmented networks
- Global distributed networks
- Custom applications
- Operations and management
- Localization problems
- Standardization
- Tools
- Audit and tracking
- Volume of patches

Legal and Regulatory Factors
- Gramm-Leach-Bliley Act (GLB)
- HIPAA
- California SB 1386
- Sarbanes-Oxley Act
- Future trends for security & privacy

Patch Management Challenge
How do you know if you have an effective patch management strategy?
- Are the correct servers patched?
- Is the patch correctly applied?
- Does it conflict with other patches?
- Will it impact other server components and reliability?

Patch Management Overview
(Process diagram; labels recovered from the slide.)
Phases: Patch Monitoring, Patch Development, Deployment, Process Improvement, Auditing & Compliance
Patch Management Process steps:
- Evaluate environment, risk, and needs
- Assign team responsibility
- Plan release
- Release development
- Acceptance testing
- Rollback planning
- Integrating with other processes
- Rollout planning / preparation
- Deployment mechanism
- Release deployment
- Review
- Document
- Optimize
Vulnerability lifecycle labels: Vulnerability Discovered, Microsoft Patches, Correction, Packaging, Subscribe, Monitor, Patch Deployed, ROI

People, Process, Technology
Attributes of effective patch management: Well documented, Clear guidance, Repeatable, Proactive, Integrated
Benefits: Reduce risk, Reduce operating costs, Increase productivity, Increase security, Increase quality
Enablers / contributors: Process, Technology, People, Security Awareness, Compliance

People in Patch Management
Roles: Architects, Server Admins, App Admins, Security Teams, Dev / Release / NOC, IT Managers
Activities: Set standards, Provision systems, Provision apps, Patch systems, Manage change, Report & plan
Supporting elements: Patch Management Processes, Change History & Asset Tracking, Policies & Guidelines, Evaluate & Test, Deployment
Sites in the example: Seattle Datacenter, Tampa Datacenter

Technology in Patch Management
- Microsoft tools: SMS, SUS, MBSA, Windows Update
- Microsoft product enhancements: VPN Network Quarantine
- Microsoft guidance: MOF, Microsoft Guide to Security Patch Management

Process in Patch Management
Patch management is a subset of:
- Change Management
- Release Management
Additional process considerations:
- Configuration Management
- Security Administration
- System Administration
- Network Administration
- Service Monitoring and Control
- Job Scheduling
- Problem Management

Patch Management Strategies
Patch management strategies should include:
- Policies and standards
- Risk management methodology
- Change and release management strategies
- Patch evaluation & prioritization strategy
- Exception management strategy
- Asset tracking
  - Know the current state of the environment: software, configurations, and patch levels
  - Enable cost analysis
- Reporting strategy
- Testing and validation strategy (monitoring / auditing)
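The asset-tracking and reporting items above come down to one question: which hosts lack which required patches? The following is an added example (not from the presentation) that compares a constructed inventory of hosts and their installed patches against a constructed per-platform baseline; all host names, platform names and patch IDs are placeholders.

```python
# Constructed sample inventory: each host's platform and the patch IDs it reports as installed.
INVENTORY = {
    "web01": {"platform": "PlatformA", "patches": {"KB-A", "KB-B"}},
    "web02": {"platform": "PlatformA", "patches": {"KB-A"}},
    "db01":  {"platform": "PlatformB", "patches": {"KB-C"}},
    "db02":  {"platform": "PlatformB", "patches": set()},
}

# Constructed baseline: patches required per platform, with the release priority assigned to each.
BASELINE = {
    "PlatformA": {"KB-A": "critical", "KB-B": "important"},
    "PlatformB": {"KB-C": "critical", "KB-D": "moderate"},
}


def missing_patches(inventory=INVENTORY, baseline=BASELINE):
    """Return {host: {patch_id: priority}} for every required patch a host does not report."""
    gaps = {}
    for host, info in inventory.items():
        required = baseline.get(info["platform"], {})
        missing = {pid: prio for pid, prio in required.items() if pid not in info["patches"]}
        if missing:
            gaps[host] = missing
    return gaps


def compliance_report(inventory=INVENTORY, baseline=BASELINE):
    """Summarise the gap list the way an audit or management report would present it."""
    gaps = missing_patches(inventory, baseline)
    total = len(inventory)
    compliant = total - len(gaps)
    # Hosts missing at least one critical patch are the immediate exposure.
    critical_hosts = sorted(h for h, m in gaps.items() if "critical" in m.values())
    return {
        "hosts": total,
        "compliant": compliant,
        "compliance_pct": round(100 * compliant / total, 1),
        "critical_exposure": critical_hosts,
        "gaps": gaps,
    }


if __name__ == "__main__":
    for key, value in compliance_report().items():
        print(f"{key}: {value}")
```

The same comparison answers the "are the correct servers patched?" question from the earlier slide, provided the inventory is collected from the hosts rather than from deployment records.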

Risk Management Process
Steps: Identify, Analyze, Plan, Track, Control
Artifacts: Risk Assessment Documentation (Top n Risks), Retired Risks List

Example – Policies & Standards
Sample patch management standard – patch filtering and analysis process:
1. An exploit must be ‘remote’ rather than ‘local’ (i.e. you do not need console access or an account on the server to exploit it).
2. The patch must address an exploit that is ‘in the wild’ and not merely theoretical.
3. A respected authority (e.g. the FBI/NPIC or Microsoft) has released a warning about the security problem and customers will likely be concerned about it.
4. The patch must have a non-trivial impact on the overall security of the computer (e.g. a DoS patch might not be needed if a load balancer could mitigate the problem).
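As an added illustration (not part of the presentation), the four criteria of the sample standard can be applied mechanically to a batch of advisories so that the reason for deferring a patch is recorded with the decision. The example reads the standard as requiring all four criteria to hold; the `PatchAdvisory` fields, the `evaluate` and `triage` functions, and the sample advisories are all constructed for this example.

```python
from dataclasses import dataclass


@dataclass
class PatchAdvisory:
    patch_id: str               # constructed placeholder identifier
    remote: bool                # exploitable without console access or an account
    in_the_wild: bool           # exploitation observed, not merely theoretical
    authority_warning: bool     # a respected authority has issued a warning
    impact: str                 # "high", "medium" or "low" impact on overall security
    mitigated_by_control: bool  # an existing control (e.g. a load balancer) already covers it


def evaluate(adv):
    """Apply the sample standard's criteria; return (required, reasons_for_deferral)."""
    reasons = []
    if not adv.remote:
        reasons.append("local-only exploit")
    if not adv.in_the_wild:
        reasons.append("no known exploitation in the wild")
    if not adv.authority_warning:
        reasons.append("no warning from a respected authority")
    if adv.impact == "low" or adv.mitigated_by_control:
        reasons.append("trivial impact or already mitigated by an existing control")
    return (not reasons, reasons)


def triage(advisories):
    """Split a batch into (deploy, deferred) lists of (patch_id, reasons)."""
    deploy, deferred = [], []
    for adv in advisories:
        required, reasons = evaluate(adv)
        (deploy if required else deferred).append((adv.patch_id, reasons))
    return deploy, deferred


# Constructed sample batch covering each way a patch can fail the filter.
SAMPLE_ADVISORIES = [
    PatchAdvisory("P-1", True, True, True, "high", False),    # passes every criterion
    PatchAdvisory("P-2", False, True, True, "high", False),   # local exploit only
    PatchAdvisory("P-3", True, True, True, "medium", True),   # DoS already absorbed by a load balancer
    PatchAdvisory("P-4", True, False, False, "high", False),  # theoretical, no authority warning
]

if __name__ == "__main__":
    deploy, deferred = triage(SAMPLE_ADVISORIES)
    print("deploy:", deploy)
    print("deferred:", deferred)
```

Deferred items still belong in the exception management record, since a criterion such as "in the wild" can change after the decision is taken.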

Prioritizing and Scheduling the Release
* Available in the Microsoft Guide to Security Patch Management

How Mature is Your Process?
(Maturity scale diagram: progress in maturity of operational processes plotted against time.)
Levels, from highest to lowest:
- Optimization
- Integration
- (MINIMUM DESIRED MATURITY LEVEL)
- Repeatability
- Control
- Awareness
- Startup / Initiation
Over time IT operations should scale to ensure Availability, Reliability, & Trust.

Strategy Summary
No matter the size or complexity of your organization, in order to:
- Reduce risk
- Reduce operating costs
- Increase productivity
- Increase security
- Increase quality
…you must begin with process. Automation of processes becomes necessary as complexity grows.

A member firm of Deloitte Touche Tohmatsu ©2003 Deloitte & Touche USA LLP. All rights reserved.