Presentation is loading. Please wait.

Presentation is loading. Please wait.

Patch Management Strategy

Published byMoses Bailey Modified over 9 years ago

Similar presentations

Presentation on theme: "Patch Management Strategy"— Presentation transcript:

1 Patch Management Strategy
Ken DeJarnette, Deloitte Principal Mike Simpson, Deloitte Senior Manager

2 Challenges in the IT Environment
Multi-platform environments Segmented networks Global distributed networks Custom applications Operations and management Localization problems Standardization Tools Audit and tracking Volume of patches

3 Legal and Regulatory Factors
Gramm-Leach-Bliley Act (GLB) HIPAA California - SB1386 Sarbanes Oxley Act Future trends for security & privacy

4 Patch Management Challenge
How do you know if you have an effective patch management strategy? Are the correct servers patched? Is the patch correctly applied? Does it conflict with other patches? Will it impact other server components and reliability?

5 Patch Management Overview
Process Improvement Patch Development Patch Monitoring Patch Management Process Deployment Auditing & Compliance Evaluate environment, risk, and needs Assign Teams responsibility Plan release Release development Acceptance testing Rollback planning Integrating with other processes Rollout planning / preparation Deployment mechanism Release deployment Review Document Optimize Microsoft Patches Correction Packaging Subscribe Monitor ROI Vulnerability Discovered Vulnerability lifecycle Patch Deployed

6 People, Process, Technology Effective Attributes of Effective Patch Management
Well documented Clear guidance Repeatable Proactive Integrated Reduce risk Reduce operating costs Increase productivity Increase security Increase quality Process Technology People Security Awareness Enablers / Contributors Compliance

7 People in Patch Management
Architects Server Admins App Admins Security Teams Dev,Release,NOC IT Managers Set Standards Provision Systems Provision Apps Patch Systems Manage Change Report & Plan Patch Management Processes Change History & Asset Tracking Policies & Guidelines Evaluate & Test Deployment Seattle Datacenter Tampa Datacenter

8 Technology in Patch Management
Microsoft Tools SMS SUS MBSA Windows Update Microsoft Product Enhancements VPN Network Quarantine Microsoft Guidance MOF Microsoft Guide to Security Patch Management

9 Process in Patch Management
Patch management is a subset of: Change Management Release Management Additional process considerations: Configuration Management Security Administration System Administration Network Administration Service Monitoring and Control Job Scheduling Problem Management

10 Patch Management Strategies
Patch management strategies should include: Policies and Standards Risk management methodology Change and release management strategies Patch evaluation & prioritization strategy Exception management strategy Asset tracking Know the current state of the environment Software, configurations, and patch levels Enable cost analysis Reporting strategy Testing and validation strategy (Monitoring / Auditing)

11 Risk Management Process
Identify Analyze Risk Assessment Documentation (Top n Risks) Retired Risks List Control Plan Track

12 Example – Policies & Standards
Sample patch management standard – patch filtering and analysis process An exploit must be ‘remote’ rather than ‘local’ (i.e. you do not need console access or an account on the server to exploit it). The patch must address an exploit that is ‘in the wild’ and not merely theoretical. A respected authority (e.g. the FBI/NPIC or Microsoft) has released a warning about the security problem and customers will likely be concerned about it. The patch must have a non-trivial impact on the overall security of the computer. (e.g. a DoS patch might not be needed if a load balancer could mitigate the problem)

13 Prioritizing and Scheduling the Release
* Available in the Microsoft Guide to Security Patch Management

14 How Mature is Your Process?
Maturity Scale Progress Maturity Optimization Integration MINIMUM DESIRED MATURITY LEVEL Maturity of operational processes Repeatability Control Awareness Startup Initiation Time  Over time IT operations should scale to ensure Availability, Reliability, & Trust

15 Strategy Summary No matter the size or complexity your organization in order to: Reduce Risk Reduce operating costs Increase productivity Increase security Increase quality …You must begin with process Automation of processes becomes necessary with complexity

16 A member firm of Deloitte Touche Tohmatsu ©2003 Deloitte & Touche USA LLP. All rights reserved.

Download ppt "Patch Management Strategy"

Similar presentations

Microsoft ® System Center Configuration Manager 2007 R3 and Forefront ® Endpoint Protection Infrastructure Planning and Design Published: October 2008.

Microsoft ® System Center Configuration Manager 2007 R3 and Forefront ® Endpoint Protection Infrastructure Planning and Design Published: October 2008.
ITIL: Service Transition

ITIL: Service Transition
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
Security Controls – What Works

Security Controls – What Works
The State of Security Management By Jim Reavis January 2003.

The State of Security Management By Jim Reavis January 2003.
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
1 Secure Your Business PATCH MANAGEMENT STRATEGY.

1 Secure Your Business PATCH MANAGEMENT STRATEGY.
Patching MIT SUS Services IS&T Network Infrastructure Services Team.

Patching MIT SUS Services IS&T Network Infrastructure Services Team.
Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard
Chapter 8 Information Systems Controls for System Reliability— Part 1: Information Security Copyright © 2012 Pearson Education, Inc. publishing as Prentice.

Chapter 8 Information Systems Controls for System Reliability— Part 1: Information Security Copyright © 2012 Pearson Education, Inc. publishing as Prentice.
Information Systems Controls for System Reliability -Information Security-

Information Systems Controls for System Reliability -Information Security-
Integrated IT Service Management

Integrated IT Service Management
11 MAINTAINING THE OPERATING SYSTEM Chapter 5. Chapter 5: MAINTAINING THE OPERATING SYSTEM2 CHAPTER OVERVIEW Understand the difference between service.

11 MAINTAINING THE OPERATING SYSTEM Chapter 5. Chapter 5: MAINTAINING THE OPERATING SYSTEM2 CHAPTER OVERVIEW Understand the difference between service.
IT:Network:Microsoft Applications

IT:Network:Microsoft Applications
Ferst Center Incident Incident Identification – Border Intrusion Detection System Incident Response – Campus Executive Incident Response Team Incident.

Ferst Center Incident Incident Identification – Border Intrusion Detection System Incident Response – Campus Executive Incident Response Team Incident.
11 MAINTAINING THE OPERATING SYSTEM Chapter 5. Chapter 5: MAINTAINING THE OPERATING SYSTEM2 CHAPTER OVERVIEW  Understand the difference between service.

11 MAINTAINING THE OPERATING SYSTEM Chapter 5. Chapter 5: MAINTAINING THE OPERATING SYSTEM2 CHAPTER OVERVIEW  Understand the difference between service.
Cloud Attributes Business Challenges Influence Your IT Solutions Business to IT Conversation Microsoft is Changing too Supporting System Center In House.

Cloud Attributes Business Challenges Influence Your IT Solutions Business to IT Conversation Microsoft is Changing too Supporting System Center In House.
Microsoft ® Application Virtualization 4.6 Infrastructure Planning and Design Published: September 2008 Updated: February 2010.

Microsoft ® Application Virtualization 4.6 Infrastructure Planning and Design Published: September 2008 Updated: February 2010.
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Similar presentations

Ads by Google