Title: Criticality of Accurate Detection in the Automated Patch Management Process
Slide 2: Criticality of Accurate Detection in the Automated Patch Management Process
Chris Andrew, VP Product Management
Slide 3: Agenda
- Hackers Turn Up the Heat
- What Is Automated Patch Detection?
- Accurate Patch Detection Exists
- Best Practices in Automated Patch Management
- Technology Demonstration
- Dealing with Real-World Challenges
- Q&A
Slide 4: Hackers Turn Up the Heat
Slide 5: Failed Windows XP Upgrade Downs 60,000 UK Government PCs
http://www.eweek.com/article2/0,1759,1732672,00.asp
By John Lettice / The Register, special to eWEEK.com

Most of the desktop computers in the UK's Department for Work and Pensions were paralyzed for four days on Monday, when a failed upgrade took them offline. The outage, covering 75 percent to 80 percent of the DWP's 80,000 PCs, is one of the largest in the UK government's not entirely impressive IT history. And possibly one of the most costly. According to staff reports, the outage occurred on Monday afternoon, disconnecting staff e-mail, benefits processing, and Internet and intranet connectivity. According to one, a limited network upgrade from Windows 2000 to Windows XP was taking place, but instead of this taking place on only a small number of the target machines, all the clients connected to the network received a partial, but fatal, "upgrade."

Another source says that the DWP was trialing Windows XP on a small number ("about seven") of machines. "EDS was going to apply a patch to these. Unfortunately the request was made to apply it live and it was rolled out across the estate, which hit around 80 percent of the Win2K desktops. This patch caused the desktops to BSOD and made recovery rather tricky as they couldn't boot to pick any further patches or recalls. I gather that Microsoft Corp. consultants have been flown in from the U.S. to clear up the mess." EDS is also thought to be flying in fire brigades.

If these claims are true, the DWP could face grave difficulties in rolling all of its machines back to their previous, working state. Staff from Microsoft and EDS are reported to have been working around the clock to dig the department out of the pit, while speaking on the "Today" program Friday morning, a spokeswoman amusingly insisted that the department's systems had not in fact fallen over. They were working; it was merely the case that "80 percent of desktop computers are not connecting through to the mainframe systems."

So that's cleared that up then. She added that the emergency payments system was "working perfectly." The emergency system appears to have kicked in on Wednesday, and the department was preparing a press release on the matter Thursday. There was no sign of it when this story was published.

Reports coming in on Friday, however, suggest that at least some of the DWP's systems are coming back online.
Slide 6: Current Climate in Vulnerability Management
[Chart: survey results for "Q: Rate the relative risk of the following". Note: rating is on a scale of 1-5, where 1 is not at all important and 5 is extremely important. Base: 1,378-1,394. Data: Secure Enterprise Security Deployment Survey, October 2004]
Slide 7: Current Climate in Vulnerability Management
- The age of zero-day exploits is upon us. Only worse:
- Slammer: patch to exploit, 6 months
- Welchia: patch to exploit, 26 days
- Sasser: patch to exploit, 11 days
- ADODB stream exploit: in the wild for weeks prior to patch, months for effective patch
- JPEG processor exploit
- NetDDE exploits are in the wild
- Many exploits are known for months before a patch is available
Slide 8: Worms vs. Viruses
Slide 9: A Continuous Cycle of Infection
Slide 10: Current Climate in Vulnerability Management
[Chart: Most InfoSec organizations are overwhelmed. Base: 1,395. Data: Secure Enterprise Security Deployment Survey, October 2004]
Slide 11: What Is Automated Patch Detection?
Slide 12: Patch Management: Mitigating Risk
[Diagram: "3D", PatchLink's Patch Vulnerability Approach: Detect, Deploy, Defend. Labels: Configuration Status, Unauthorized Elements, Immediate Remediation, Administrative Control, Continuously Monitor, Automated Response, Professional Services]
Slide 13: Patch Management Market Drivers
- Increasing security incidents
- Steady growth from 2000 to 2003
- Increasing patch counts, including apps
- Microsoft has released roughly 1.38 patches per week since January 2002, all products included
- Incomplete patch deployments
- Over 90% of the security exploits are carried out through vulnerabilities for which there are known patches.
- Poor processes
- During a 6-12 month period, approximately 20% of machines become unpatched
- Not addressed by software giants
- <5% of organizations have a satisfactory automated patch management solution
Sources: Microsoft and CERT Coordination Center data
Slide 14: The Problem with Patching
- Key factors that create patching obstacles:
- Limited time to satisfactorily test patches; inability to keep up with the pace of current attacks
- Complex, heterogeneous networks; remote users
- Philosophical opposition to patching: how often?
- Lack of a security practices standard
- No sense of urgency
- Think that firewalls and anti-virus are enough
- It's the software company's problem
Slide 15: Important Reminder
- Patch Management is NOT a task! It is an ongoing, necessary vulnerability management process that requires rigorous testing and continuous auditing to establish baseline security policies.
- "Most administrators are unable to keep pace with the barrage of security alerts coming out at the pace of about one every two to three days. Automation is the only effective solution." David Tschanz, MCP Magazine, August 2003
Slide 16: Accurate Patch Detection Exists: the Patch Development Kit
Slide 17: Introducing the Patch Development Kit
Slide 18: Rolling Your Own Remediation
- Every business runs something special
- In-house custom developed software
- Legacy applications
- Not generally used
- May need pre-release or private patches
- Microsoft early release and BETA software
- Specific pre-release fixes given by vendor(s)
- Company-specific "anti-patches"
- Get rid of stuff you DON'T want! KaZaA, AV, MP3
- Now you can patch or uninstall anything with PDK
Slide 19: Types of Patches
- Detection Patch
- Name must start with "Detect"
- Establishes existence of a given product version
- Impact: Critical
- Software / Hardware Patch
- Version-specific patch; pre-reqs a Detect patch
- Impact: Critical through Informational
- Software Installation / Removal
- Indicate the OS that it works on
- Impact: Software
Slide 20: The Pre-requisite Tree
[Diagram: pre-requisite tree linking detection patches (Detect Windows 2000, Detect Service Pack 2, Detect Service Pack 3, Detect WinZip, Detect Office 2000) to the patches that depend on them (MS02-020, MS03-007, MS03-026)]
Slide 21: What Info Is In A Patch
- Report Properties
- Basic information, vendor URLs, ID, hyperlinks
- Patch Signature(s)
- Registry fingerprint
- File fingerprint
- Patch Package(s)
- Content files and directories
- Package scripting
Slide 22: Report Properties
- Title - Generic name
- Identifier - Vendor Q-number or ID
- Release Date - Original vendor ship date
- Hyperlink - URL for more info
- Vendor - Original author
- Impact - Critical, Software, etc.
- Status - Beta, Active, etc.
- Description - 3,000-character limit
Slide 23: Patch Signature
- Signature uniquely identifies ONE patch
- Usually requires multiple fingerprints
- May also pre-req a Detect signature
- File properties: inspection, or use a tool
- Registry information: RegSpy or inspection
- BOOLEAN result
- TRUE => computer has the patch
- One package per signature
- The fix for not having the patch
- Always one package per signature
Slide 24: Patch Package
- Quickly add content
- Drag & drop from your desktop
- Move to a macro directory (e.g. TEMP)
- EXEs, setup program files, data, etc.
- Scripting options
- VBS most commonly used
- JavaScript
- Command line
- Working directory
- Place where the script or program is run from
Slide 25: Sequence of Patch Delivery
- Pre-script executes
- Used to clean up the target computer
- Rarely used by PatchLink
- All files downloaded via HTTP
- Files are copied to the target location
- Command line executes
- Use if you're a BAT file aficionado
- Post-script executes
- Install the patch, prompt the user, etc.
Slide 26: Patch Testing 101
- Build an Update Server for TESTING!
- Run just YOUR patch report
- DAGENT scan will be considerably faster
- Turn debugging ON at the agent
- See any / all errors in your signature(s)
- Test Detect XYZ first
- Needs to return TRUE/FALSE correctly!
- Validate your VBS script before using
- If it doesn't work at a cmd line
Slide 27: Fingerprint Types
- File Information
- Most common fingerprint type
- Registry Information
- Windows only fingerprint
- System Information
- Patch Version
- Expression
- Used primarily with UNIX
Slide 28: How to Fingerprint
- Determine your fingerprint using:
- REGSPY
- SnapShot Utility
- Rational tools
- Vendor documentation
- Etc.
- Build a good basic OS image
- Quick and easy to recreate
- Always starting fresh again
Slide 29: Recipe Card
- Determine fingerprint for detection patch
- Create your Detect patch
- Verify Detect patch operates correctly
- Hide the Detect patch
- => SAVE YOUR PATCH!!!
- Determine fingerprint for update patch
- Create your patch, pre-req the Detect patch
- Test patched / not patched
- => SAVE YOUR PATCH!!!
- TEST, TEST... TEST AGAIN
Slide 30: Common Pitfalls
- Win9X / WinNT differences
- Registry key differences
- File location differences
- Multiple pre-requisites
- May need A and B, or C
- Consider using an expression
- Didn't wait for detection to finish
- Strip out as many reports as possible!
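As an added example (not PatchLink or PDK code) of the signature model on the Patch Signature, Fingerprint Types and Common Pitfalls slides: a signature is a boolean over several fingerprints, a patch signature is only evaluated once its pre-req Detect signature is TRUE, and an expression fingerprint covers the "A and B, or C" case. The host inventory, paths, registry key and version numbers are constructed stand-ins, and the dictionary layout is an assumption.

```python
"""Evaluate a PatchLink-style patch signature against one host.
Added example, not PatchLink/PDK code: HOST is a constructed stand-in for
what the agent reads from disk and registry; the dict layout is assumed."""
WINZIP_EXE = r"C:\Program Files\WinZip\WINZIP32.EXE"
WINZIP_KEY = r"HKLM\SOFTWARE\Nico Mak Computing\WinZip\version"

# Constructed inventory: WinZip 9.0 present, build older than the fix.
HOST = {"files": {WINZIP_EXE: "9.0.6028.0"}, "registry": {WINZIP_KEY: "9.0"}}


def _ver(s):
    """'9.0.6028.0' -> (9, 0, 6028, 0) so versions compare numerically."""
    return tuple(int(p) for p in s.split("."))


def check_fingerprint(fp, host):
    """One fingerprint -> bool (types follow the Fingerprint Types slide)."""
    kind = fp["type"]
    if kind == "file":        # file present and at least the fixed version
        v = host["files"].get(fp["path"])
        return v is not None and _ver(v) >= _ver(fp["min_version"])
    if kind == "registry":    # key present (and equal to value, if given)
        v = host["registry"].get(fp["key"])
        return v is not None and ("value" not in fp or v == fp["value"])
    if kind == "expression":  # 'A and (B or C)' as nested and/or terms
        results = [check_fingerprint(t, host) for t in fp["terms"]]
        return all(results) if fp["op"] == "and" else any(results)
    raise ValueError(f"unknown fingerprint type {kind!r}")


def evaluate(signature, host, detect_results):
    """None when a pre-req Detect signature was FALSE (not applicable),
    else the signature's boolean: True means the host HAS the patch."""
    for prereq in signature.get("prereqs", ()):
        if not detect_results.get(prereq, False):
            return None
    return check_fingerprint(signature["fingerprint"], host)


# Detect patch: establishes that WinZip exists, whatever the version.
DETECT_WINZIP = {"fingerprint": {"type": "registry", "key": WINZIP_KEY}}
# Update patch: pre-reqs Detect WinZip; TRUE only at the constructed fixed build.
WINZIP_LATEST = {"prereqs": ["Detect WinZip"], "fingerprint": {
    "type": "file", "path": WINZIP_EXE, "min_version": "9.0.6224.0"}}


def scan(host):
    """Run Detect first, then the patch that depends on it, as the agent does."""
    detects = {"Detect WinZip": evaluate(DETECT_WINZIP, host, {})}
    return detects["Detect WinZip"], evaluate(WINZIP_LATEST, host, detects)
```

A host without WinZip yields (False, None): the Detect patch is FALSE and the update patch is never reported as missing, which is what keeps an unneeded package from being pushed.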
Slide 31: Detect WINZIP
Slide 32: WinZIP Latest Version Patch
Slide 33: CodeRed / NIMDA Patch Structure
Slide 34: Export to File
Slide 35: DEMO: Defining Fingerprints
Slide 36: DEMO: Package Scripting
Slide 37: Best Practices in Automated Patch Detection & Deployment
Slide 38: Deploying Patches
- The CORRECT approach:
- Locate only the systems that need the patch
- Test on the control group first
- Then in limited production
- Then roll out en masse
- Finally enforce using a policy
- When an emergency strikes, is it OK to push?
- Avoid red tape when needed
- Reporting patch management:
- Audit all parts of the organization
- Security team establishes quarterly baselines
- Management team tracks to 100% patch completion
Slide 39: Patch Management Process
Slide 40: Centralized Approach
- Simple one-server design
- Cache acceleration
[Diagram: one server feeding sites across the WAN through caches (labels: Server, WAN, 500 CACHE, EXISTING CACHE, 500 CACHE)]
Slide 41: Decentralized Approach
- One server at each site
- Reports pulled across sites
- Admin page links it all up
[Diagram: three servers connected across the WAN]
Slide 42: Critical Elements for Effective Patch Management
- Senior executive support
- Protecting infotech assets must be a management priority
- Standardized patch management policies, procedures, tools
- Develop PM policies and use tools that meet the organization's infrastructure requirements
- Dedicated resources; clearly assigned responsibilities to the PM process
- Current technology inventory
- Effective PM tools must be able to inventory all aspects of the IT infrastructure
Slide 43: Critical Elements for Effective Patch Management
- Identification of relevant vulnerabilities and patches for all system inventory
- Risk assessment
- When do I patch and how often?
- Costs associated with patching some systems versus others
- Testing
- Ensuring security patches don't crash complex enterprise systems
- Distribution of patches to all users (incl. remote)
- Not patching certain systems can come back to haunt you
- Monitoring through network and host vulnerability scanning
Slide 44: Recommended Best Practices
- Use an automated system for analyzing and deploying patches
- Apply patches on an as-needed basis
- Use a planned approach, grouping systems by department, location, etc.
- Patch across all operating systems
- Develop a solid change control process
- Thoroughly test all patches before deploying
- Match test lab and production server configurations
- Plan for proactive, scheduled maintenance
Slide 45: Automated Patch Technology Demonstration
Slide 46
[Diagram: SCAN, FIX, ISOLATE cycle with the questions Spyware? Virus? Zero-day? Patch? Policy?]
Slide 51: Never drop patches again!
- New layer of simplicity and automation
- Grouping of Computers
- Mandatory Patch Policies
- Hours of Operation
- Across multiple platforms
- Agent for Sun Solaris
- Agent for RedHat Linux
- Agent for Novell NetWare
Slide 55: Proving you got the job done
- Export to CSV File
- Patched vs. Not Patched Report
- Baseline Compliance Report
- Inventory Audit Report
- Graphical Network Assessment
- Network assessment
- More trend graphs to follow
- Application Reporting interface
- Summary level reports from one server
- Pull data directly from SQL
Slide 57: Dealing with Real-World Challenges
Slide 58: While You Were Sleeping
- WAKE ON LAN solution
- Broadcast the magic packet over UDP
- Plug-in for the product
- or -
- Magic Packet utility
- Wake one agent
- Wake an entire group
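An added example (not PatchLink's plug-in or Magic Packet utility) of the Wake-on-LAN step above: the magic packet is built as six 0xFF bytes followed by the agent's MAC repeated 16 times and broadcast over UDP, and waking a whole group is just a list of MACs. The MAC addresses, broadcast address and port are constructed placeholders.

```python
"""Wake-on-LAN magic packet broadcast over UDP.
Added example, not PatchLink's plug-in or Magic Packet utility. The packet
layout (six 0xFF bytes, then the MAC repeated 16 times) is the standard one;
the MACs, broadcast address and port below are constructed placeholders."""
import socket


def parse_mac(mac):
    """Accept '00-11-22-33-44-55', '00:11:22:33:44:55' or bare hex -> 6 bytes."""
    hexstr = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(hexstr) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes.fromhex(hexstr)


def build_magic_packet(mac):
    """Synchronization stream (6 x 0xFF) followed by the MAC 16 times: 102 bytes."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def wake(macs, broadcast="192.0.2.255", port=9):
    """Broadcast one magic packet per agent; 'wake an entire group' is just a
    list of MACs. Returns the number of packets sent."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        for mac in macs:
            sock.sendto(build_magic_packet(mac), (broadcast, port))
            sent += 1
    return sent


if __name__ == "__main__":
    # Constructed group of two agents on the 192.0.2.0/24 (documentation) subnet.
    print(wake(["00-11-22-33-44-55", "00:11:22:33:44:66"]))
```

The broadcast only reaches agents on the segment it is sent into, so on a routed WAN it has to be sent from (or relayed through) a host on each subnet.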
Slide 59: Setting Policy Owner Automatically
- Automatically enroll computer(s) in a group
- By name mask
- By IP address range
- Etc.
- Runs as a service on the PLUS server
- Assigns the correct administrative owner
- Deploys all required baseline patches
Slide 60: Reaching the Road Warriors
- FASTPATCH solution
- Locate the best distribution point that is available
- WINS-resolvable
- TRACERT hop count
- SCLIENT distance in msec
- Service or system task
- Offers redundancy for WAN distribution
Slide 61: Auditing the Enterprise
- Pull patch reports across multiple PLUS servers
- Show enterprise-wide compliance
- Customizable report headers and footers
- Pre-canned reports
- Extensible RAD project
- NASA solution for multiple space centers
Slide 62: Establishing a Secure Enclave
Slide 63: Zero Day Vulnerability, No Patch
Slide 64: Building a Custom Patch
Slide 65: Why PATCHLINK UPDATE?
- Works in all network configs; complete heterogeneous support.
- Comprehensive point solution. Works in any type of security architecture. Existing scanners, AV, intrusion detection, and other security apps and devices co-exist seamlessly. No need to change the base security configuration.
- Worms often recur in networks due to offline obstacles. Will automatically and continuously detect, deploy, and disinfect all machines in one pass, whether online or offline.
Slide 66: Q&A
Customer segments: Government, Financial, Large Business, Education
Electronic copy of PPT: Top40.doc
Thousands of Customers - Millions of nodes protected worldwide!