
Expert’s guide for effective patch management


Presentation Transcript


  1. Expert’s guide for effective patch management
     Pete Lindstrom, CISSP, Research Director, Spire Security, LLC
     www.spiresecurity.com, petelind@spiresecurity.com

  2. Agenda
     • Vulnerability Lifecycle
     • When to Patch Decision
     • Patch Management Process
     • Example + ROI
     • Key Criteria for Automated Patch Management

  3. Vulnerability Lifecycle
     • Vulnerability Created (latent)
     • Vulnerability Discovered
     • Vulnerability Disclosed
     • Patch Released
     • Exploit & Intrusions
     • Patches Applied

  4. Vulnerability Lifecycle
     [Timeline diagram. Events along the time axis: vulnerability created, vulnerability discovered, vulnerability disclosed (“responsible” disclosure), patch released, patches applied. Labelled regions: safe zone, exploit zone (“Can I mitigate?”), patch zone. Annotations: “FOCUS HERE”, “bigger is better”, “smaller is better”, less/more.]

  5. Decision: When to Patch
     • Too soon may lead to failures caused by the cure.
     • Too late may lead to compromised systems.
     • The answer: Compare the costs of patching/not patching and patch when it is cheaper.
     • “Timing the Application of Security Patches for Optimal Uptime” – Beattie et al. http://nxnw.org/~steve/papers/lisa2002-time-to-patch.pdf

  6. Decision Options
     [Decision diagram.] Am I at risk?
     • Eliminate – Can I turn it off?
     • Mitigate – Can I block it?
     • Remediate – Can I patch it?

  7. Timing

  8. Cost Elements
     • Cost to apply patches
     • Cost to recover from failed patches
     • Cost to recover from incidents and breaches

  9. Cost to Patch
     • IT time to identify, assess, test, apply, validate patches.
     • End user lost productivity.
     • Risk-adjusted cost of patch failure.
     • Patch + r(Recover)

  10. Cost to Not Patch
     • Lost productivity for the end user
     • Lost productivity for IT support personnel
     • Loss of revenue (direct)
     • Legal/regulatory costs
     • Intellectual property losses
     • Loss of stored assets (financial)
     …all risk adjusted

  11. Adjusting for Risk
     • Look at past history:
       • What % of systems hit in past?
       • What % of patches fail on what % of systems?
     • Guesstimate using reasonable numbers.
     • Use industry averages… oh, none exist.

  12. An Example
     • 2,000 Systems
     • $70/hr IT support
     • 1 hour to patch / 2 hours to recover
     • 10% likelihood of patch failure
     • 20% likelihood of compromise (pre-exploit)

  13. A Simple Example
     • Pre-exploit, manual patching
     • Cost to Patch:
       • 2,000 x 70 = $140,000
       • Fail: 10% x 2,000 x 70 = $14,000
       • Total cost: $154,000
     • Cost not to Patch:
       • 2,000 x 140 x 20% = $56,000
     • Decision: Don’t Patch

  14. A Simple Example (2)
     • Post-exploit, manual patching
     • Increases risk of compromise to 80%
     • Cost to Patch:
       • 2,000 x 70 = $140,000
       • Fail: 10% x 2,000 x 70 = $14,000
       • Total cost: $154,000
     • Cost not to Patch:
       • 2,000 x 140 x 80% = $224,000
     • Decision: Patch

  15. A Simple Example (3)
     • Pre-exploit, automated patching
     • Assume 1 patch per month
     • Cost to Patch:
       • Software Costs = $48,000
       • 1/12 of $48k = $4,000
       • Fail: 10% x 2,000 x 70 = $14,000
       • Total cost: $18,000
     • Cost not to Patch:
       • 2,000 x 140 x 20% = $56,000
     • Decision: Patch

  16. A Simple Example - ROI
     • Compare two patch scenarios:
       • Manual process: $154,000
       • Automated process: $18,000
     • ROI: $136,000
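The cost model on slides 12 to 16 as working code. This is an added example, not material from the presentation; the `Environment` fields and function names are mine, and the numbers reproduce the slides' arithmetic, including charging one hour of IT time per failed patch (the slides' "10% x 2,000 x 70" line) rather than the two-hour recovery figure.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Environment:
    """Assumptions behind the patch/don't-patch comparison (slide 12)."""
    systems: int            # hosts in scope
    it_rate: float          # IT support cost in $/hour
    patch_hours: float      # manual time to apply one patch to one system
    recover_hours: float    # IT time to recover one compromised system
    fail_hours: float       # IT time charged per failed patch
    fail_prob: float        # likelihood a patch fails on a given system
    compromise_prob: float  # likelihood an unpatched system is compromised

def cost_of_patch_failures(env: Environment) -> float:
    """Risk-adjusted cost of patches that break systems: p(fail) x systems x rate x hours."""
    return env.fail_prob * env.systems * env.it_rate * env.fail_hours

def cost_to_patch_manually(env: Environment) -> float:
    """Slide 9: IT time to apply the patch everywhere, plus the risk-adjusted failure cost."""
    apply = env.systems * env.it_rate * env.patch_hours
    return apply + cost_of_patch_failures(env)

def cost_to_patch_automated(env: Environment, annual_license: float, patches_per_year: int = 12) -> float:
    """Slide 15: the licence is spread over the patch cycles it covers; failures still cost."""
    return annual_license / patches_per_year + cost_of_patch_failures(env)

def cost_not_to_patch(env: Environment) -> float:
    """Slide 10, risk-adjusted: p(compromise) x systems x recovery cost per system."""
    return env.compromise_prob * env.systems * env.it_rate * env.recover_hours

def decision(cost_patch: float, cost_no_patch: float) -> str:
    """Slide 5: patch when it is the cheaper of the two options."""
    return "patch" if cost_patch < cost_no_patch else "don't patch"

def roi_of_automation(env: Environment, annual_license: float) -> float:
    """Slide 16: saving per patch cycle from automating instead of patching by hand."""
    return cost_to_patch_manually(env) - cost_to_patch_automated(env, annual_license)

# Slide 12 numbers (constructed Environment). The slides' failure line is 10% x 2,000 x $70,
# i.e. one hour of IT time per failed patch, so fail_hours is 1, not the 2-hour recovery figure.
PRE_EXPLOIT = Environment(systems=2000, it_rate=70, patch_hours=1, recover_hours=2,
                          fail_hours=1, fail_prob=0.10, compromise_prob=0.20)
# Slide 14: once an exploit is public, the assumed compromise likelihood rises to 80%.
POST_EXPLOIT = replace(PRE_EXPLOIT, compromise_prob=0.80)
AUTOMATION_LICENSE = 48_000  # slide 15, annual software cost

if __name__ == "__main__":
    for label, env in (("pre-exploit", PRE_EXPLOIT), ("post-exploit", POST_EXPLOIT)):
        p, n = cost_to_patch_manually(env), cost_not_to_patch(env)
        print(f"{label}: patch ${p:,.0f} vs don't patch ${n:,.0f} -> {decision(p, n)}")
```

Swapping in your own history for `fail_prob` and `compromise_prob` (slide 11) is the whole point of the model; the slide values are placeholders.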

  17. Patch Management Process
     • Identify – new patches.
     • Assess – applicability to environment.
     • Test – patches for need and interoperability.
     • Apply – patches to all appropriate systems.
     • Review – patch progress and history.

  18. Key Features – Automated Patch Mgt
     • Platform Coverage
     • Research Depth
     • Workflow
     • Controlled Rollout
     • Validation
     • Rollback

  19. Platform Coverage / Research
     • Operating Systems
     • Packaged Applications
     • Custom Applications
     • Vendor Information Pass-thru
     • Independent Analysis
     • Independent Testing

  20. Workflow
     • Task Assignments
     • Scheduling
     • Approval System
     • Connect to CRM

  21. Controlled Rollout
     • Group by system type or function
     • Queuing of patches
     • Bandwidth throttling
     • Store and forward

  22. Validation/Rollback
     • Progress report
     • Verify patch application
     • Rollback for patch failures
     • Final report and review

  23. Architecture
     • Communications
       • Agent/Agentless
       • Push/Pull
       • Hierarchies/Peers
     • Servers
     • Administration

  24. Deployment Options
     • Scripts
     • Remote control solutions (Auto Update or internal)
     • Asset/Inventory solutions
     • Patch Management solutions

  25. Patch Management Solutions
     • Shavlik
     • Ecora
     • Patchlink
     • Bigfix
     • Altiris
     • GFI LANguard
     http://www.ntbugtraq.com/patchresults.asp

  26. Microsoft Options
     • Windows Update
     • Microsoft Baseline Security Advisor (MBSA)
     • Software Update Services (SUS)
     • Systems Management Server (SMS)
     • Office Update
     • Microsoft Update/SUS 2.0

  27. Agree? Disagree?
     Pete Lindstrom, petelind@spiresecurity.com, www.spiresecurity.com

  28. For more information Thank you for joining us today. For more info on patch management, including an archive of this webcast and Pete’s presentation without audio, visit our Featured Topic: searchsecurity.com/featuredtopic/patchmanagement
