TRANSCRIPT
© 2003 Spire Security. All rights reserved.
Expert's Guide for Effective Patch Management
Pete Lindstrom, CISSP, Research Director
Spire Security, [email protected]
© 2004 Spire Security. All rights reserved. 2
Agenda
Vulnerability Lifecycle
When to Patch Decision
Patch Management Process
Example + ROI
Key Criteria for Automated Patch Management
Vulnerability Lifecycle
1. Vulnerability Created (latent)
2. Vulnerability Discovered
3. Vulnerability Disclosed
4. Patch Released
5. Exploit & Intrusions
6. Patches Applied
Vulnerability Lifecycle
[Figure: vulnerability lifecycle timeline. Along the Time axis (less to more): vulnerability created, vulnerability discovered, vulnerability disclosed ("responsible" disclosure), patch released, exploit zone, patches applied. Zone labels: patch zone, safe zone, with the annotations "bigger is better" and "smaller is better". Callouts: "Can I mitigate?" and "FOCUS HERE".]
Decision: When to Patch
Too soon may lead to failures caused by the cure.
Too late may lead to compromised systems.
The answer: Compare the costs of patching/not patching and patch when it is cheaper.
"Timing the Application of Security Patches for Optimal Uptime" – Beattie et al. http://nxnw.org/~steve/papers/lisa2002-time-to-patch.pdf
Decision Options
Am I at risk?
Can I turn it off? (eliminate) Can I block it? (mitigate)
Can I patch it? (remediate)
Timing
Virus/Worm   Exploit Date   Vuln Date            Days
MyDoom       1/26/04        none                 n/a
Blaster      8/11/03        7/16/03              26 days
Sobig        8/18/03        none                 n/a
WebDAV       3/10/03        3/17/03*             -7 days
Slammer      1/25/03        7/24/02              170 days
Slapper      9/13/02        7/30/02              45 days
Nimda        9/18/01        3/29/01 & 5/16/01    125 days
Code Red     7/16/01        6/18/01              28 days
Cost Elements
Cost to apply patches
Cost to recover from failed patches
Cost to recover from incidents and breaches
Cost to Patch
IT time to identify, assess, test, apply, validate patches.
End user lost productivity.
Risk-adjusted cost of patch failure.
Patch + r(Recover)
Cost to Not Patch
Lost productivity for the end user
Lost productivity for IT support personnel
Loss of revenue (direct)
Legal/regulatory costs
Intellectual property losses
Loss of stored assets (financial)
…all risk adjusted
Adjusting for Risk
Look at past history:
  o What % of systems hit in past?
  o What % of patches fail on what % of systems?
Guesstimate using reasonable numbers.
Use industry averages… oh, none exist.
An Example
2,000 Systems
$70/hr IT support
1 hour to patch / 2 hours to recover
10% likelihood of patch failure
20% likelihood of compromise (pre-exploit)
A Simple Example
Pre-exploit, manual patching
Cost to Patch:
  o 2,000 x 70 = $140,000
  o Fail: 10% x 2,000 x 70 = $14,000
  o Total cost: $154,000
Cost not to Patch:
  o 2,000 x 140 x 20% = $56,000
Decision: Don’t Patch
A Simple Example (2)
Post-exploit, manual patching
  o Increases risk of compromise to 80%
Cost to Patch:
  o 2,000 x 70 = $140,000
  o Fail: 10% x 2,000 x 70 = $14,000
  o Total cost: $154,000
Cost not to Patch:
  o 2,000 x 140 x 80% = $224,000
Decision: Patch
A Simple Example (3)
Pre-exploit, automated patching
Assume 1 patch per month
Cost to Patch:
  o Software Costs = $48,000
  o 1/12 of $48k = $4,000
  o Fail: 10% x 2,000 x 70 = $14,000
  o Total cost: $18,000
Cost not to Patch:
  o 2,000 x 140 x 20% = $56,000
Decision: Patch
A Simple Example - ROI
Compare two patch scenarios:
Manual process: $154,000
Automated process: $18,000
ROI: $136,000
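The decision arithmetic from the three scenarios above, written out as a small Python model so the inputs can be varied. This is an added example, not from the deck; the defaults are the deck's figures, the tool cost is amortised over 12 monthly patches as the deck assumes, and a failed patch is priced at one IT hour per system, which is the figure the deck's arithmetic uses.

```python
from dataclasses import dataclass


@dataclass
class PatchScenario:
    """Inputs for one patch/no-patch decision. Defaults are the deck's example figures."""
    systems: int = 2000                # systems needing the patch
    it_rate: float = 70.0              # $/hour for IT support
    hours_to_patch: float = 1.0        # IT time to apply the patch to one system
    hours_to_recover: float = 2.0      # IT time to recover one compromised system
    p_patch_failure: float = 0.10      # likelihood a patch fails
    p_compromise: float = 0.20         # likelihood of compromise (0.20 pre-exploit, 0.80 post-exploit)
    annual_software_cost: float = 0.0  # automated patch tool cost per year (0 = manual process)
    patches_per_year: int = 12         # the deck assumes one patch per month


def cost_to_patch(s: PatchScenario) -> float:
    """Patch + r(Recover): cost to apply plus the risk-adjusted cost of failed patches."""
    if s.annual_software_cost > 0:
        # automated: one month's share of the tool cost replaces the manual labour
        apply_cost = s.annual_software_cost / s.patches_per_year
    else:
        apply_cost = s.systems * s.it_rate * s.hours_to_patch
    # the deck prices a failed patch at one IT hour per failed system ($70)
    fail_cost = s.systems * s.it_rate * s.hours_to_patch * s.p_patch_failure
    return round(apply_cost + fail_cost, 2)


def cost_not_to_patch(s: PatchScenario) -> float:
    """Risk-adjusted recovery cost if the systems are left unpatched."""
    return round(s.systems * s.it_rate * s.hours_to_recover * s.p_compromise, 2)


def decide(s: PatchScenario) -> str:
    """The deck's rule: patch when patching is the cheaper option."""
    return "Patch" if cost_to_patch(s) < cost_not_to_patch(s) else "Don't Patch"


def automation_savings(manual: PatchScenario, automated: PatchScenario) -> float:
    """Difference the deck reports as ROI between the manual and automated processes."""
    return round(cost_to_patch(manual) - cost_to_patch(automated), 2)


if __name__ == "__main__":
    manual = PatchScenario()
    post_exploit = PatchScenario(p_compromise=0.80)
    automated = PatchScenario(annual_software_cost=48000.0)
    for name, s in [("pre-exploit, manual", manual), ("post-exploit, manual", post_exploit),
                    ("pre-exploit, automated", automated)]:
        print(f"{name}: patch ${cost_to_patch(s):,.0f} vs not ${cost_not_to_patch(s):,.0f} -> {decide(s)}")
    print(f"automation savings: ${automation_savings(manual, automated):,.0f}")
```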
Patch Management Process
Identify – new patches.
Assess – applicability to environment.
Test – patches for need and interoperability.
Apply – patches to all appropriate systems.
Review – patch progress and history.
Key Features – Automated Patch Mgt
Platform Coverage
Research Depth
Workflow
Controlled Rollout
Validation
Rollback
Platform Coverage / Research
Operating Systems
Packaged Applications
Custom Applications
Vendor Information Pass-thru
Independent Analysis
Independent Testing
Workflow
Task Assignments
Scheduling
Approval System
Connect to CRM
Controlled Rollout
Group by system type or function
Queuing of patches
Bandwidth throttling
Store and forward
Validation/Rollback
Progress report
Verify patch application
Rollback for patch failures
Final report and review
Architecture
Communications
Agent/Agentless
Push/Pull
Hierarchies/Peers
  o Servers
  o Administration
Deployment Options
Scripts
Remote control solutions (Auto Update or internal)
Asset/Inventory solutions
Patch Management solutions
Patch Management Solutions
Shavlik
Ecora
Patchlink
Bigfix
Altiris
GFI LANguard
http://www.ntbugtraq.com/patchresults.asp
Microsoft Options
Windows Update
Microsoft Baseline Security Advisor (MBSA)
Software Update Services (SUS)
Systems Management Server (SMS)
Office Update
Microsoft Update/SUS 2.0
For more information
Thank you for joining us today.
For more info on patch management, including an archive of this webcast and Pete’s presentation without audio, visit our Featured Topic:
searchsecurity.com/featuredtopic/patchmanagement