Expert’s guide for effective patch management

© 2003 Spire Security. All rights reserved. Pete Lindstrom, CISSP, Research Director, Spire Security, LLC, www.spiresecurity.com [email protected]


Page 1: Expert’s guide for effective patch management

Expert’s guide for effective patch management

Pete Lindstrom, CISSP

Research Director

Spire Security, [email protected]

Page 2: Expert’s guide for effective patch management

© 2004 Spire Security. All rights reserved.

Agenda

Vulnerability Lifecycle

When to Patch Decision

Patch Management Process

Example + ROI

Key Criteria for Automated Patch Management

Page 3: Expert’s guide for effective patch management

Vulnerability Lifecycle

1. Vulnerability Created (latent)

2. Vulnerability Discovered

3. Vulnerability Disclosed

4. Patch Released

5. Exploit & Intrusions

6. Patches Applied

Page 4: Expert’s guide for effective patch management

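Vulnerability Lifecycle

[Figure: timeline of the vulnerability lifecycle along a Time axis, with a scale running from less to more. Milestones: vulnerability created, vulnerability discovered, vulnerability disclosed, patch released, patches applied. Other labels: “responsible” disclosure, safe zone, patch zone, exploit zone, “bigger is better”, “smaller is better”, “Can I mitigate?”, “FOCUS HERE”.]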

Page 5: Expert’s guide for effective patch management

Decision: When to Patch

Too soon may lead to failures caused by the cure.

Too late may lead to compromised systems.

The answer: Compare the costs of patching/not patching and patch when it is cheaper.

“Timing the Application of Security Patches for Optimal Uptime” – Beattie et al. http://nxnw.org/~steve/papers/lisa2002-time-to-patch.pdf

Page 6: Expert’s guide for effective patch management

Decision Options

Am I at risk?

Can I turn it off? Can I block it?

Can I patch it?

mitigate

eliminate

remediate

Page 7: Expert’s guide for effective patch management

Timing

Virus/Worm   Exploit Date   Vuln Date            Days
MyDoom       1/26/04        none                 n/a
Blaster      8/11/03        7/16/03              26 days
Sobig        8/18/03        none                 n/a
WebDAV       3/10/03        3/17/03*             -7 days
Slammer      1/25/03        7/24/02              170 days
Slapper      9/13/02        7/30/02              45 days
Nimda        9/18/01        3/29/01 & 5/16/01    125 days
Code Red     7/16/01        6/18/01              28 days

Page 8: Expert’s guide for effective patch management

Cost Elements

Cost to apply patches

Cost to recover from failed patches

Cost to recover from incidents and breaches

Page 9: Expert’s guide for effective patch management

Cost to Patch

IT time to identify, assess, test, apply, validate patches.

End user lost productivity.

Risk-adjusted cost of patch failure.

Patch + r(Recover)

Page 10: Expert’s guide for effective patch management

Cost to Not Patch

Lost productivity for the end user

Lost productivity for IT support personnel

Loss of revenue (direct)

Legal/regulatory costs

Intellectual property losses

Loss of stored assets (financial)

…all risk adjusted

Page 11: Expert’s guide for effective patch management

Adjusting for Risk

Look at past history:
  o What % of systems hit in past?
  o What % of patches fail on what % of systems?

Guesstimate using reasonable numbers.

Use industry averages… oh, none exist.

Page 12: Expert’s guide for effective patch management

An Example

2,000 Systems

$70/hr IT support

1 hour to patch / 2 hours to recover

10% likelihood of patch failure

20% likelihood of compromise (pre-exploit)

Page 13: Expert’s guide for effective patch management

A Simple Example

Pre-exploit, manual patching

Cost to Patch:
  o 2,000 x 70 = $140,000
  o Fail: 10% x 2,000 x 70 = $14,000
  o Total cost: $154,000

Cost not to Patch:
  o 2,000 x 140 x 20% = $56,000

Decision: Don’t Patch

Page 14: Expert’s guide for effective patch management

A Simple Example (2)

Post-exploit, manual patching
  o Increases risk of compromise to 80%

Cost to Patch:
  o 2,000 x 70 = $140,000
  o Fail: 10% x 2,000 x 70 = $14,000
  o Total cost: $154,000

Cost not to Patch:
  o 2,000 x 140 x 80% = $224,000

Decision: Patch

Page 15: Expert’s guide for effective patch management

A Simple Example (3)

Pre-exploit, automated patching

Assume 1 patch per month

Cost to Patch:
  o Software Costs = $48,000
  o 1/12 of $48k = $4,000
  o Fail: 10% x 2,000 x 70 = $14,000
  o Total cost: $18,000

Cost not to Patch:
  o 2,000 x 140 x 20% = $56,000

Decision: Patch

Page 16: Expert’s guide for effective patch management

A Simple Example - ROI

Compare two patch scenarios:

Manual process: $154,000

Automated process: $18,000

ROI: $136,000
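
Added example (not part of the original slides): the three scenarios above as a small Python cost model, extended to compute the break-even compromise likelihood above which patching becomes the cheaper choice. The names Fleet, fail_hours, breach_hours and tool_cost_per_patch are introduced here; fail_hours = 1 is an assumption that reproduces the slides' 10% x 2,000 x 70 failure cost, and breach_hours = 2 reproduces the $140 per compromised system.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fleet:
    """Inputs from the slides' example; field names are added here."""
    systems: int = 2000
    hourly_rate: float = 70.0   # IT support, $/hr
    patch_hours: float = 1.0    # manual effort per system
    fail_hours: float = 1.0     # assumption: reproduces 10% x 2,000 x 70
    breach_hours: float = 2.0   # reproduces $140 per compromised system
    p_fail: float = 0.10        # likelihood of patch failure


def cost_to_patch(f, tool_cost_per_patch=None):
    """Patch + r(Recover): labor (or amortized tool cost) plus failure risk."""
    if tool_cost_per_patch is None:
        apply_cost = f.systems * f.patch_hours * f.hourly_rate
    else:
        apply_cost = tool_cost_per_patch
    return apply_cost + f.p_fail * f.systems * f.fail_hours * f.hourly_rate


def cost_not_to_patch(f, p_compromise):
    """Risk-adjusted recovery cost if the fleet is left unpatched."""
    return p_compromise * f.systems * f.breach_hours * f.hourly_rate


def decide(f, p_compromise, tool_cost_per_patch=None):
    """Patch only when patching is the cheaper side of the comparison."""
    patch = cost_to_patch(f, tool_cost_per_patch)
    return "Patch" if patch < cost_not_to_patch(f, p_compromise) else "Don't Patch"


def break_even_p(f, tool_cost_per_patch=None):
    """Compromise likelihood above which patching becomes cheaper."""
    return cost_to_patch(f, tool_cost_per_patch) / cost_not_to_patch(f, 1.0)


if __name__ == "__main__":
    fleet, tool = Fleet(), 48_000 / 12   # $48,000 software, 1 patch per month
    for label, p, t in [("pre-exploit, manual", 0.20, None),
                        ("post-exploit, manual", 0.80, None),
                        ("pre-exploit, automated", 0.20, tool)]:
        print(f"{label}: patch ${cost_to_patch(fleet, t):,.0f} vs "
              f"not ${cost_not_to_patch(fleet, p):,.0f} -> {decide(fleet, p, t)}; "
              f"break-even {break_even_p(fleet, t):.1%}")
    print(f"ROI of automation: ${cost_to_patch(fleet) - cost_to_patch(fleet, tool):,.0f}")
```

With the slides' inputs the break-even likelihood is 55% for manual patching and about 6.4% with the automated tool.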

Page 17: Expert’s guide for effective patch management

Patch Management Process

Identify – new patches.

Assess – applicability to environment.

Test – patches for need and interoperability.

Apply – patches to all appropriate systems.

Review – patch progress and history.

Page 18: Expert’s guide for effective patch management

Key Features – Automated Patch Mgt

Platform Coverage

Research Depth

Workflow

Controlled Rollout

Validation

Rollback

Page 19: Expert’s guide for effective patch management

Platform Coverage / Research

Operating Systems

Packaged Applications

Custom Applications

Vendor Information Pass-thru

Independent Analysis

Independent Testing

Page 20: Expert’s guide for effective patch management

Workflow

Task Assignments

Scheduling

Approval System

Connect to CRM

Page 21: Expert’s guide for effective patch management

Controlled Rollout

Group by system type or function

Queuing of patches

Bandwidth throttling

Store and forward

Page 22: Expert’s guide for effective patch management

Validation/Rollback

Progress report

Verify patch application

Rollback for patch failures

Final report and review

Page 23: Expert’s guide for effective patch management

Architecture

Communications

Agent/Agentless

Push/Pull

Hierarchies/Peers
  o Servers
  o administration

Page 24: Expert’s guide for effective patch management

Deployment Options

Scripts

Remote control solutions (Auto Update or internal)

Asset/Inventory solutions

Patch Management solutions

Page 25: Expert’s guide for effective patch management

Patch Management Solutions

Shavlik

Ecora

Patchlink

Bigfix

Altiris

GFI LANguard

http://www.ntbugtraq.com/patchresults.asp

Page 26: Expert’s guide for effective patch management

Microsoft Options

Windows Update

Microsoft Baseline Security Advisor (MBSA)

Software Update Services (SUS)

Systems Management Server (SMS)

Office Update

Microsoft Update/SUS 2.0

Page 27: Expert’s guide for effective patch management

Pete [email protected]

Agree? Disagree?

Page 28: Expert’s guide for effective patch management

For more information

Thank you for joining us today.

For more info on patch management, including an archive of this webcast and Pete’s presentation without audio, visit our Featured Topic:

searchsecurity.com/featuredtopic/patchmanagement