
Uploader: yx****d   Document ID: 243010062   Uploaded: 2024-09-13   Format: PPT   Pages: 28   Size: 70KB
© 2004 Spire Security. All rights reserved.

Slide 1: Experts guide for effective patch management
Pete Lindstrom, CISSP
Research Director, Spire Security, LLC

Slide 2: Agenda
- Vulnerability Lifecycle
- When to Patch Decision
- Patch Management Process
- Example + ROI
- Key Criteria for Automated Patch Management

Slide 3: Vulnerability Lifecycle
- Vulnerability Created (latent)
- Vulnerability Discovered
- Vulnerability Disclosed
- Patch Released
- Exploit & Intrusions
- Patches Applied

Slide 4: Vulnerability Lifecycle (diagram)
[Timeline diagram, horizontal axis "Time" from "less" to "more": vulnerability created, vulnerability discovered, vulnerability disclosed ("responsible" disclosure), patch released, patches applied. Labelled regions: exploit zone, patch zone, safe zone. Annotations: "bigger is better", "smaller is better", "Can I mitigate?", "FOCUS HERE".]

Slide 5: Decision: When to Patch
- Too soon may lead to failures caused by the cure.
- Too late may lead to compromised systems.
- The answer: compare the costs of patching/not patching and patch when it is cheaper.
- Reference: "Timing the Application of Security Patches for Optimal Uptime", Beattie

Slide 6: Decision Options
- Am I at risk?
- Can I turn it off?
- Can I block it?
- Can I patch it?
Options: mitigate, eliminate, remediate

Slide 7: Timing

Virus/Worm   Exploit Date   Vuln Date           Days
MyDoom       1/26/04        none                n/a
Blaster      8/11/03        7/16/03             26 days
Sobig        8/18/03        none                n/a
WebDAV       3/10/03        3/17/03*            -7 days
Slammer      1/25/03        7/24/02             170 days
Slapper      9/13/02        7/30/02             45 days
Nimda        9/18/01        3/29/01 & 5/16/01   125 days
Code Red     7/16/01        6/18/01             28 days

Slide 8: Cost Elements
- Cost to apply patches
- Cost to recover from failed patches
- Cost to recover from incidents and breaches

Slide 9: Cost to Patch
- IT time to identify, assess, test, apply, validate patches.
- End user lost productivity.
- Risk-adjusted cost of patch failure.
Cost to patch = Patch + r(Recover)

Slide 10: Cost to Not Patch
- Lost productivity for the end user
- Lost productivity for IT support personnel
- Loss of revenue (direct)
- Legal/regulatory costs
- Intellectual property losses
- Loss of stored assets (financial)
All risk adjusted.

Slide 11: Adjusting for Risk
- Look at past history:
  - What % of systems were hit in the past?
  - What % of patches fail on what % of systems?
- Guesstimate using reasonable numbers.
- Use industry averages... oh, none exist.

Slide 12: An Example
- 2,000 systems
- $70/hr IT support
- 1 hour to patch / 2 hours to recover
- 10% likelihood of patch failure
- 20% likelihood of compromise (pre-exploit)

Slide 13: A Simple Example
Pre-exploit, manual patching
- Cost to Patch:
  - 2,000 x 70 = $140,000
  - Fail: 10% x 2,000 x 70 = $14,000
  - Total cost: $154,000
- Cost not to Patch:
  - 2,000 x 140 x 20% = $56,000
- Decision: Don't Patch

Slide 14: A Simple Example (2)
Post-exploit, manual patching; increases risk of compromise to 80%
- Cost to Patch:
  - 2,000 x 70 = $140,000
  - Fail: 10% x 2,000 x 70 = $14,000
  - Total cost: $154,000
- Cost not to Patch:
  - 2,000 x 140 x 80% = $224,000
- Decision: Patch

Slide 15: A Simple Example (3)
Pre-exploit, automated patching; assume 1 patch per month
- Cost to Patch:
  - Software costs = $48,000; 1/12 of $48k = $4,000
  - Fail: 10% x 2,000 x 70 = $14,000
  - Total cost: $18,000
- Cost not to Patch:
  - 2,000 x 140 x 20% = $56,000
- Decision: Patch

Slide 16: A Simple Example - ROI
Compare two patch scenarios:
- Manual process: $154,000
- Automated process: $18,000
- ROI: $136,000

Slide 17: Patch Management Process
1. Identify new patches.
2. Assess applicability to environment.
3. Test patches for need and interoperability.
4. Apply patches to all appropriate systems.
5. Review patch progress and history.

Slide 18: Key Features of Automated Patch Management
- Platform Coverage
- Research Depth
- Workflow
- Controlled Rollout
- Validation
- Rollback

Slide 19: Platform Coverage / Research
- Operating Systems
- Packaged Applications
- Custom Applications
- Vendor Information Pass-thru
- Independent Analysis
- Independent Testing

Slide 20: Workflow
- Task Assignments
- Scheduling
- Approval System
- Connect to CRM

Slide 21: Controlled Rollout
- Group by system type or function
- Queuing of patches
- Bandwidth throttling
- Store and forward

Slide 22: Validation/Rollback
- Progress report
- Verify patch application
- Rollback for patch failures
- Final report and review

Slide 23: Architecture
- Communications: Agent/Agentless, Push/Pull, Hierarchies/Peers
- Servers
- Administration

Slide 24: Deployment Options
- Scripts
- Remote control solutions (Auto Update or internal)
- Asset/Inventory solutions
- Patch Management solutions

Slide 25: Patch Management Solutions
- Shavlik
- Ecora
- Patchlink
- Bigfix
- Altiris
- GFI LANguard

Slide 26: Microsoft Options
- Windows Update
- Microsoft Baseline Security Advisor (MBSA)
- Software Update Services (SUS)
- Systems Management Server (SMS)
- Office Update
- Microsoft Update/SUS 2.0

Slide 27: Pete Lindstrom
Agree? Disagree?

Slide 28: For more information
Thank you for joining us today.
For more info on patch management, including an archive of this webcast and Pete's presentation without audio, visit our Featured Topic:
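The patch-versus-don't-patch arithmetic of slides 12 to 16, carried through as an added Python example (not part of the deck): the class and parameter names are this example's own, and the one IT hour charged per failed patch follows the deck's arithmetic rather than the two-hour recovery figure on slide 12.

```python
from dataclasses import dataclass

# Constructed cost model for the deck's "when to patch" decision
# (slides 9, 10 and 12 to 16). Parameter names are this example's own.
@dataclass
class PatchDecision:
    systems: int
    it_rate: float             # IT support cost per hour ($)
    patch_hours: float         # IT time to apply one patch, per system
    failed_patch_hours: float  # IT time to recover one failed patch
    incident_hours: float      # IT time to recover one compromised system
    p_patch_failure: float     # likelihood a patch fails on a system
    p_compromise: float        # likelihood of compromise if left unpatched
    software_cost: float = 0.0   # annual automated-patching tool cost (0 = manual)
    patches_per_year: int = 12   # deck assumes one patch per month

    def cost_to_apply(self) -> float:
        # Automated: the tool's annual cost is spread over the patches it
        # handles; manual: IT time per system.
        if self.software_cost:
            return self.software_cost / self.patches_per_year
        return self.systems * self.it_rate * self.patch_hours

    def cost_of_failures(self) -> float:
        # "Patch + r(Recover)": risk-adjusted cost of patch failures
        return self.p_patch_failure * self.systems * self.it_rate * self.failed_patch_hours

    def cost_to_patch(self) -> float:
        return round(self.cost_to_apply() + self.cost_of_failures(), 2)

    def cost_not_to_patch(self) -> float:
        # Risk-adjusted incident recovery across the whole estate
        return round(self.systems * self.it_rate * self.incident_hours * self.p_compromise, 2)

    def decision(self) -> str:
        return "patch" if self.cost_to_patch() < self.cost_not_to_patch() else "don't patch"

# The deck's scenario: 2,000 systems, $70/hr, 1 h to patch, 2 h to recover
# from an incident, 10% patch failure, 20% compromise pre-exploit. The deck's
# own arithmetic charges one IT hour per failed patch, which is kept here.
BASE = dict(systems=2000, it_rate=70, patch_hours=1, failed_patch_hours=1,
            incident_hours=2, p_patch_failure=0.10)
manual_pre_exploit = PatchDecision(**BASE, p_compromise=0.20)
manual_post_exploit = PatchDecision(**BASE, p_compromise=0.80)
automated_pre_exploit = PatchDecision(**BASE, p_compromise=0.20, software_cost=48000)

def roi_of_automation(manual: PatchDecision, automated: PatchDecision) -> float:
    # Slide 16: ROI is the saving in cost-to-patch between the two processes
    return round(manual.cost_to_patch() - automated.cost_to_patch(), 2)
```

Changing p_compromise from 0.20 to 0.80 is what flips the manual-patching decision from "don't patch" to "patch", which is the deck's pre-exploit versus post-exploit point.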


