TRANSCRIPT
Accelerate Patching Progress in the Enterprise
Wolfgang Kandek, CTO
Qualys, Inc.
Introduction
• Patch Management
• Patch Progress Data
• Common Steps
• Case Studies
• Actions
• Summary
• References
• Q&A
Patch Management
• Patches fix functional and security problems (vulnerabilities) on Operating Systems and Applications
• Patching is the best protection against malware infections
• Malware enters mainly through web browsing and e-mail and attempts installation through known vulnerabilities
• Malware toolkits allow low-tech specialists to act in the market
• Toolkits include 5-15 vulnerabilities (mostly Apps, some OS)
• Toolkit-generated malware has a success rate between 5% and 30% and bypasses typical AV software
• Cost is between 500-5000 US$ and vendors charge for maintenance and new versions similar to “normal” software
• Elenore, Crimepack, Liberty, El Fiesta, iPack, Blackhole
Patch Management
• Average desktop machine requires monthly patches to be current and robust
• Sample numbers of security patches in 2009:
– Adobe: 19 bulletins
– Apple: 34 security updates
– Microsoft: 74 bulletins
– RedHat: 124 advisories
• Numbers are growing:
– Microsoft has already had 84 advisories in 2010
• ZDI reported increasing number of collisions on vulnerability submissions (see Top 20 Cyber Security Risks Report)
Patch Progress - Laws of Vulnerabilities
• Worldwide coverage – 2009
• 80M IPs scanned, 680M vulnerabilities
• 72M+ vulnerabilities of critical severity
• External (Internet) and Internal (Intranet)
– 200 external scanners and 5000+ internal scanners
• Data is anonymous and non-traceable
– Simple counters are kept during scanning
– Summarized and logged daily
• Trends by Industry Area and Application Type
– 5 major industries
– Operating System and Applications
Laws of Vulnerabilities 2.0 – Half-Life
[Chart: Overall Critical Vulnerabilities – 72M data points]
Half-Life = 29.5 days
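As an added illustration (not from the slides or from Qualys's own analysis) of how a half-life figure like the 29.5 days above is derived: fit an exponential decay to the daily count of hosts still vulnerable to one advisory and report the fitted half-life, with a residual check because a single half-life is only meaningful when the decay really is exponential. The daily counts are constructed.

```python
import math

# Constructed sample: hosts still vulnerable to one critical advisory, as counted
# by daily scans (day 0 = patch release). Not data from the slides.
REMAINING_BY_DAY = {0: 1000, 7: 850, 14: 720, 21: 610, 30: 495, 45: 345, 60: 245}


def half_life_days(remaining_by_day):
    """Fit N(t) = N0 * 2^(-(t - t0)/T) by least squares on log2(N/N0) vs t; return T."""
    # log2 of a zero count is undefined, so days with nothing left are skipped
    days = sorted(t for t, n in remaining_by_day.items() if n > 0)
    t0, n0 = days[0], remaining_by_day[days[0]]
    # log2(N/N0) = -(t - t0)/T  -> slope of the line through the origin is -1/T
    num = sum((t - t0) * math.log2(remaining_by_day[t] / n0) for t in days)
    den = sum((t - t0) ** 2 for t in days)
    if den == 0 or num >= 0:
        raise ValueError("need at least two days with a declining count")
    return -den / num


def remaining_fraction(t, half_life):
    """Fraction of the original population still unpatched t days after release."""
    return 2.0 ** (-t / half_life)


def days_to_reach(fraction, half_life):
    """Days until only `fraction` of the population is still vulnerable."""
    return -half_life * math.log2(fraction)


def max_fit_error(remaining_by_day, half_life):
    """Largest gap between observed and fitted fraction; large values mean the
    decay is not exponential and one half-life number would mislead."""
    days = sorted(t for t, n in remaining_by_day.items() if n > 0)
    t0, n0 = days[0], remaining_by_day[days[0]]
    return max(abs(remaining_by_day[t] / n0 - remaining_fraction(t - t0, half_life))
               for t in days)


if __name__ == "__main__":
    hl = half_life_days(REMAINING_BY_DAY)
    print(f"half-life {hl:.1f} days, max fit error {max_fit_error(REMAINING_BY_DAY, hl):.3f}")
    print(f"90% patched after {days_to_reach(0.10, hl):.0f} days")
```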
Laws 2.0 – Half-Life - 2009
[Chart: Microsoft OS vulnerabilities – Percent vs. Days (0–110)]
[Chart: Adobe Acrobat APSA09-1 & APSA09-02 – Percent vs. Days (0–120)]
[Chart: MS09-017 - Powerpoint - 5/12/2009 – Percent vs. Days (0–60)]
Patch Progress Data
Patch progress is uneven
[Charts: progress by Industries; progress by Applications]
Source: Project Quant - Securosis
Patch Management – Common Steps
• Intelligence – Monitoring
– NVD, Secunia, Symantec, US CERT, Verisign
– Vendors: Adobe, Apple, Microsoft, Oracle, RedHat
• Testing
– Internal Lab
– First and Second Adopters Group
• Deployment
– Automation
– Agent based: BigFix, Lumension, Microsoft WSUS (Eminent, Secunia for non Microsoft)
– Remote: Shavlik
• Verification
Case Study 1
• Media company - 10,000+ IPs under Management
• Windows and Macintosh Workstations
– 10 days for critical OS and Application patches
• Backend Infrastructure
– 30 days (database, applications)
• Quality Assurance
– Phase 1 – “volunteers” < 1 % - day 2
– Phase 2 – 10 % day 3 and 4
– Phase 3 – 100 % starts day 5
Case Study 2
• High-tech company - 200+ IPs under Management
• Windows Workstations - thin clients and laptops
– 4 days for critical OS and Application patches
• Backend Infrastructure - Windows
– 10 days (database, applications)
• Quality Assurance
– One Phase – internal testing
Case Study 3
• Technology - 300,000+ IPs under Management
• Windows Workstations
– 8 days for critical OS and Office patches
• Backend Infrastructure
– 30 days (database, applications)
• Quality Assurance
– Phase 1 – 1 % - day 1
– Phase 2 – 10 % day 2 and 3
– Phase 3 – 100 % starts day 4
Common Characteristics
• Accurate Inventory challenging
• Traditional defenses taxed
– Firewall, IPS – increasingly mobile systems
– AV – Anti Malware – signature quantity and freshness
• Attacker competence rising
– Professionally driven, profit oriented
– Division of labor with specialization
– Exploit availability now measured in days, 0-day has become a common term
– Targeted Attacks
• Multiple OS and Application platforms
Common Characteristics
• Divide and Conquer – Vertical Partitioning
– Workstations = streamlined testing, fast patching
– Servers = longer test cycles, normal patching
• Slow patching on request -> additional security techniques
– Stringent Firewalling
– Bastion Hosts
– IPS systems
Common Characteristics
• Horizontal Partitioning
– Internet Explorer = streamlined testing, fast patching
– Adobe Reader = streamlined testing, fast patching
– Office Applications = streamlined testing, fast patching
– Servers = longer test cycles, normal patching
• Slow patching on request -> additional security techniques
– Stringent Firewalling
– Bastion Hosts
– IPS systems
• Patch prioritization tools – superseded patches, IPS integration
Actions
Local:
• Get an Accurate Inventory with Network Mapping Tools
• Use an Automated Patch System
• Minimize installed software, alternate versions
• Investigate autonomous patching
• Verify successful application of patches
• Develop a strategy for mobile systems
Global:
• Contact Microsoft, request Distribution of 3rd party patches
• Start with Adobe, then Oracle (Java) and Apple
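The vertical/horizontal partitioning above and the "Verify successful application of patches" action can be combined into one check: map each missing critical patch to an SLA tier (fast-track application first, then host role) and flag findings older than that tier's deadline. This is an added example, not code from the slides or from Qualys; the tier list, the SLA days (taken from the Case Study 3 timelines: 8 days for workstations, 30 for servers), the field names and the scan findings are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Assumed policy: applications patched on the fast track regardless of host,
# and SLA days per tier. Numbers mirror Case Study 3; the app list is assumed.
FAST_TRACK_APPS = {"internet explorer", "adobe reader", "microsoft office"}
SLA_DAYS = {"workstation": 8, "server": 30, "fast_track_app": 8}
REPORT_DATE = date(2010, 6, 25)  # constructed "today" for the sample run


@dataclass(frozen=True)
class Finding:
    host: str
    role: str        # "workstation" or "server" (vertical partition)
    product: str     # product the missing patch belongs to (horizontal partition)
    patch_id: str
    released: date   # vendor release date of the missing patch
    severity: int    # 1..5; 4 and 5 are treated as critical here


def sla_tier(finding):
    """Horizontal partition wins first: a fast-track app is fast on any host."""
    if finding.product.lower() in FAST_TRACK_APPS:
        return "fast_track_app"
    return finding.role


def overdue_findings(findings, today):
    """Return (finding, days_overdue) for critical patches past their tier's SLA,
    most overdue first. Non-critical findings are left to the normal cycle."""
    out = []
    for f in findings:
        if f.severity < 4:
            continue
        age = (today - f.released).days
        excess = age - SLA_DAYS[sla_tier(f)]
        if excess > 0:
            out.append((f, excess))
    return sorted(out, key=lambda pair: -pair[1])


# Constructed scan findings (placeholder patch ids, not real advisories)
SAMPLE = [
    Finding("ws-101", "workstation", "Microsoft Windows", "KB-EXAMPLE-1", date(2010, 6, 8), 5),
    Finding("db-07", "server", "Microsoft Windows", "KB-EXAMPLE-1", date(2010, 6, 8), 5),
    Finding("db-07", "server", "Adobe Reader", "APSB-EXAMPLE", date(2010, 6, 1), 4),
    Finding("ws-102", "workstation", "Microsoft Office", "KB-EXAMPLE-2", date(2010, 6, 20), 3),
]

if __name__ == "__main__":
    for f, days in overdue_findings(SAMPLE, REPORT_DATE):
        print(f"{f.host}: {f.product} {f.patch_id} overdue by {days} days ({sla_tier(f)})")
```

Note that the server db-07 is within its 30-day window for the Windows patch but overdue for Adobe Reader, which the horizontal partition puts on the 8-day track.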
Up and Coming
• Virtualization
– Additional vulnerabilities, Dormant VM patching
– VDI, application streaming
• Autonomous Applications
– Firefox autonomous patching
– Chrome with silent patching
– Adobe Reader, automatic patching
• Smartphones, Tablets
• End-user owned systems
Summary
• Diversity and Mobility of IT devices increasing
• Vulnerability/Exploit cycle accelerating
• Standard defenses stressed
• Patching, a fundamental protection
• Fast patching a challenge to many companies
• Accurate Inventory, an automated Patch system and a trustworthy verification system are key to a successful patching program
References
• Exploits – kits and speedup
– http://contagiodump.blogspot.com/2010/06/overview-of-exploit-packs-update.html
– http://isc.sans.org/diary.html?storyid=8437
– http://vrt-sourcefire.blogspot.com/2010/03/apt-should-your-panties-be-in-bunch-and.html
• Project Quant
– http://www.securosis.com/research/project-quant
• Patch Management Community
– http://www.patchmanagement.org
• Qualys Laws of Vulnerabilities 2.0
– http://laws.qualys.com
• Secunia – Security Exposure of Software Portfolios
– http://secunia.com/gfx/pdf/Secunia_RSA_Software_Portfolio_Security_Exposure.pdf
• Top 20 Cyber Security Risks
– http://dvlabs.tippingpoint.com/toprisks2010
Q&A
Thank You
http://laws.qualys.com
http://twitter.com/wkandek