Criticality of Accurate Detection in the Automated Patch Management Process - PowerPoint PPT Presentation

Transcript and Presenter's Notes

2
Criticality of Accurate Detection in the
Automated Patch Management Process
Chris Andrew, VP Product Management
3
Agenda
  • Hackers Turn Up the Heat
  • What Is Automated Patch Detection?
  • Accurate Patch Detection Exists
  • Best Practices in Automated Patch Management
  • Technology Demonstration
  • Dealing with Real-World Challenges
  • Q&A

4
Hackers Turn Up the Heat
5
Failed Windows XP Upgrade Downs 60,000 UK Government PCs
  • http://www.eweek.com/article2/0,1759,1732672,00.asp
    By John Lettice / The Register, special to eWEEK.com
  • Most of the desktop computers in the UK's
    Department for Work and Pensions were paralyzed
    for four days on Monday, when a failed upgrade
    took them offline. The outage, covering 75
    percent to 80 percent of the DWP's 80,000 PCs, is
    one of the largest in the UK government's not
    entirely impressive IT history. And possibly one
    of the most costly. According to staff reports,
    the outage occurred on Monday afternoon,
    disconnecting staff e-mail, benefits processing,
    and Internet and intranet connectivity. According
    to one, a limited network upgrade from Windows
    2000 to Windows XP was taking place, but instead
    of this taking place on only a small number of
    the target machines, all the clients connected to
    the network received a partial, but fatal,
    "upgrade."
  • Another source says that the DWP was trialing
    Windows XP on a small number ("about seven") of
    machines. "EDS was going to apply a patch to
    these. Unfortunately the request was made to
    apply it live and it was rolled out across the
    estate, which hit around 80 percent of the Win2K
    desktops. This patch caused the desktops to BSOD
    and made recovery rather tricky as they couldn't
    boot to pick any further patches or recalls. I
    gather that Microsoft Corp. consultants have
    been flown in from the U.S. to clear up the
    mess." EDS is also thought to be flying in fire
    brigades.
  • If these claims are true, the DWP could face
    grave difficulties in rolling all of its machines
    back to their previous, working state. Staff from
    Microsoft and EDS are reported to have been
    working around the clock to dig the department
    out of the pit, while speaking on the "Today"
    program Friday morning, a spokeswoman amusingly
    insisted that the department's systems had not in
    fact fallen over. They were working it was
    merely the case that "80 percent of desktop
    computers are not connecting through to the
    mainframe systems."
  • So that's cleared that up then. She added that
    the emergency payments system was "working
    perfectly." The emergency system appears to have
    kicked in on Wednesday, and the department was
    preparing a press release on the matter Thursday.
    There was no sign of it when this story was
    published.
  • Reports coming in on Friday however suggest that
    at least some of the DWP's systems are coming
    back online

6
Current Climate in Vulnerability Management
(chart) Q: Rate the relative risk of the following.
Note: Rating is on a scale of 1 to 5, where 1 is not at all important and 5 is extremely important.
Base: 1,378 to 1,394. Data: Secure Enterprise Security Deployment Survey, October 2004
7
Current Climate in Vulnerability Management
  • The age of zero-day exploits is upon us, only worse
  • Slammer: patch to exploit, 6 months
  • Welchia: patch to exploit, 26 days
  • Sasser: patch to exploit, 11 days
  • ADODB stream exploit: in the wild for weeks prior to patch, months for an effective patch
  • JPEG processor exploit
  • NetDDE exploits are in the wild
  • Many exploits are known for months before a patch is available

8
Worms vs. Viruses
9
A Continuous Cycle of Infection
10
Current Climate in Vulnerability Management
(chart) Most InfoSec organizations are overwhelmed.
Base: 1,395. Data: Secure Enterprise Security Deployment Survey, October 2004
11
What is Automated Patch Detection?
12
Patch Management: Mitigating Risk
(diagram) PatchLink's 3D Patch & Vulnerability Approach:
  • Detect - Configuration Status, Unauthorized Elements
  • Deploy - Immediate Remediation, Administrative Control
  • Defend - Continuously Monitor, Automated Response
  • Professional Services
13
Patch Management Market Drivers
  • Increasing security incidents
    • Steady growth from 2000 to 2003
  • Increasing patch counts, including apps
    • Microsoft has released roughly 1.38 patches per week since January 2002, all products included
  • Incomplete patch deployments
    • Over 90% of security exploits are carried out through vulnerabilities for which there are known patches
  • Poor processes
    • During a 6-12 month period, approximately 20% of machines become unpatched
  • Not addressed by software giants
    • < 5% of organizations have a satisfactory automated patch management solution

Sources: Microsoft and CERT Coordination Center data
14
The Problem with Patching
  • Key factors that create patching obstacles:
    • Limited time to satisfactorily test patches; inability to keep up with the pace of current attacks
    • Complex, heterogeneous networks & remote users
    • Philosophical opposition to patching & how often
    • Lack of security practices & standards
    • No sense of urgency
    • Think that firewalls & anti-virus are enough
    • "It's the software company's problem"

15
Important Reminder
  • Patch Management is NOT a task! It is an ongoing, necessary vulnerability management process that requires rigorous testing & continuous auditing to establish baseline security policies.

"Most administrators are unable to keep pace with the barrage of security alerts coming out at the pace of about one every two to three days. Automation is the only effective solution."
David Tschanz, MCP Magazine, August 2003
16
Accurate Patch Detection Exists: the Patch Development Kit
17
Introducing Patch Development Kit
18
Rolling Your Own Remediation
  • Every business runs something special
    • In-house custom developed software
    • Legacy applications
    • Not generally used
  • May need pre-release or private patches
    • Microsoft early release and BETA software
    • Specific pre-release fixes given by vendor(s)
  • Company-specific anti-patches
    • Get rid of stuff you DON'T want! KaZaA, AV, MP3
  • Now you can patch or uninstall anything with PDK

19
Types of Patches
  • Detection Patch
    • Name must start with "Detect"
    • Establishes existence of a given product version
    • Impact: Critical
  • Software / Hardware Patch
    • Version-specific patch; has a Detect patch as its pre-requisite
    • Impact: Critical through Informational
  • Software Installation / Removal
    • Indicate the OS that it works on
    • Impact: Software
20
The Pre-requisite Tree
(tree diagram, rendered as text: each bulletin hangs beneath the Detect patch(es) it pre-requires; the slide shows some bulletin IDs in more than one place)
Detect Windows 2000
  Detect Service Pack 2
    MS02-020
  Detect Service Pack 3
    MS02-020
    MS03-007
    MS03-026
Detect WinZip
Detect Office 2000
  MS03-007
21
What Info Is In A Patch
  • Report Properties
  • Basic information, vendor URLs, ID, hyperlinks
  • Patch Signature(s)
  • Registry fingerprint
  • File fingerprint
  • Patch Package(s)
  • Content files and directories
  • Package scripting

22
Report Properties
  • Title - Generic name
  • Identifier - Vendor Q-number or ID
  • Release Date - Original vendor ship date
  • Hyperlink - URL for more info
  • Vendor - Original author
  • Impact - Critical, Software, etc.
  • Status - Beta, Active, etc.
  • Description - 3000 character limit

23
Patch Signature
  • Signature uniquely identifies ONE patch
    • Usually requires multiple fingerprints
    • May also pre-req a Detect signature
  • File properties: inspection, or use a tool
  • Registry information: RegSpy or inspection
  • BOOLEAN result
    • TRUE => computer has the patch
  • One package per signature
    • The fix for not having the patch
    • Always one package per signature
24
Patch Package
  • Quickly add content
    • Drag & Drop from your desktop
    • Move to a macro directory (e.g. TEMP)
    • EXEs, setup program files, data, etc.
  • Scripting options
    • VBS (most commonly used)
    • JavaScript
    • Command line
  • Working directory
    • Place where the script or program is run from
25
Sequence of Patch Delivery
  • Pre-script executes
    • Used to clean up the target computer
    • Rarely used by PatchLink
  • All files downloaded via HTTP
    • Files are copied to the target location
  • Command line executes
    • Use if you're a BAT file aficionado
  • Post-script executes
    • Install the patch, prompt the user, etc.
26
Patch Testing 101
  • Build an Update Server for TESTING!
    • Run just YOUR patch report
    • DAGENT scan will be considerably faster
  • Turn debugging ON at the agent
    • See any / all errors in your signature(s)
  • Test "Detect XYZ" first
    • Needs to return TRUE/FALSE correctly!
  • Validate your VBS script before using
    • If it doesn't work at a cmd line...
27
Fingerprint Types
  • File Information
  • Most common fingerprint type
  • Registry Information
  • Windows only fingerprint
  • System Information
  • Patch Version
  • Expression
  • Used primarily with UNIX

28
How to Fingerprint
  • Determine your fingerprint using
  • REGSPY
  • SnapShot Utility
  • Rational tools
  • Vendor documentation
  • Etc.
  • Build a good basic OS image
  • Quick and easy to recreate
  • Always starting fresh again

29
Recipe Card
  • Determine the fingerprint for the detection patch
  • Create your Detect patch
  • Verify the Detect patch operates correctly
  • Hide the Detect patch
  • => SAVE YOUR PATCH!!!
  • Determine the fingerprint for the update patch
  • Create your patch, with the Detect patch as pre-requisite
  • Test both the patched and the not-patched case
  • => SAVE YOUR PATCH!!!
  • TEST, TEST... TEST AGAIN
30
Common Pitfalls
  • Win9X / WinNT differences
    • Registry key differences
    • File location differences
  • Multiple pre-requisites
    • May need A and B, or C
    • Consider using an expression
  • Didn't wait for detection to finish
    • Strip out as many reports as possible!
31
Detect WINZIP
32
WinZIP Latest Version Patch
33
CodeRed / NIMDA Patch Structure
34
Export to File
35
DEMO Defining Fingerprints
36
DEMO Package Scripting
37
Best Practices in Automated Patch Detection & Deployment
38
Deploying Patches
  • The CORRECT approach
    • locate only the systems that need the patch
    • test on the control group first
    • then in limited production
    • then roll out en masse
    • finally enforce using a policy
  • When an emergency strikes, is it OK to push?
    • avoid red tape when needed
  • Reporting patch management
    • audit all parts of the organization
    • security team establishes quarterly baselines
    • management team tracks to 100% patch completion
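The "CORRECT approach" above is a staged rollout with a stop condition, which is exactly what the DWP incident lacked. The following is an added example in Python, not PatchLink code; the ring sizes (5 control hosts, 10% limited production, the rest en masse), the 5% failure threshold, the fleet names and the simulated apply function are all assumptions made for the example.

```python
# Added example (not PatchLink code): a staged rollout that follows the slide's
# order (control group, limited production, en masse) and halts as soon as a
# ring's failure rate crosses a threshold, so a bad package stops at the control
# group instead of reaching the whole estate.
from typing import Callable, Iterable

def make_rings(targets: Iterable[str], control: int = 5, limited_pct: int = 10) -> list:
    """Split already-filtered targets (only hosts that need the patch) into rings."""
    targets = list(targets)
    limited = max(1, len(targets) * limited_pct // 100)
    return [targets[:control],
            targets[control:control + limited],
            targets[control + limited:]]

def staged_rollout(targets: Iterable[str], apply: Callable[[str], bool],
                   max_failure_rate: float = 0.05) -> dict:
    """apply(host) returns True on success. Returns what happened, ring by ring."""
    result = {"succeeded": [], "failed": [], "untouched": [], "halted_at_ring": None}
    rings = make_rings(targets)
    for i, ring in enumerate(rings):
        if not ring:
            continue
        failures = 0
        for host in ring:
            if apply(host):
                result["succeeded"].append(host)
            else:
                failures += 1
                result["failed"].append(host)
        if failures / len(ring) > max_failure_rate:
            # Gate failed: later rings are never touched; a human decides next.
            result["halted_at_ring"] = i
            for later in rings[i + 1:]:
                result["untouched"].extend(later)
            break
    return result

# Constructed fleet of 100 hosts that all need the patch.
FLEET = [f"w2k-{i:03d}" for i in range(100)]

def bad_package(host: str) -> bool:
    """Simulated package that breaks one host in every ten (blue-screens, say)."""
    return not host.endswith("3")

if __name__ == "__main__":
    outcome = staged_rollout(FLEET, bad_package)
    print("halted at ring:", outcome["halted_at_ring"],
          "failed:", outcome["failed"], "untouched:", len(outcome["untouched"]))
```

With the simulated bad package the control ring of five hosts loses one (20%, above the 5% gate), so the rollout stops there and 95 hosts are never touched; a package that succeeds everywhere goes through all three rings. The threshold and ring sizes should come from policy, and "enforce using a policy" means the final ring is re-applied to hosts that later drift back to MISSING.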
39
Patch Management Process
40
Centralized Approach
(diagram) Server at Rancho Cordova, CA; remote sites (London, Berlin, Alpharetta, GA) reached across the WAN through 500-client caches or an existing cache
  • Simple one-server design
  • Cache acceleration
41
Decentralized Approach
(diagram) One server at each site (Rancho Cordova, CA; Berlin; London; Alpharetta, GA), linked across the WAN
  • One server at each site
  • Reports pulled across sites
  • Admin page links it all up
42
Critical Elements for Effective Patch Management
  • Senior executive support
    • Protecting infotech assets must be a management priority
  • Standardized patch management policies, procedures & tools
    • Develop PM policies and use tools that meet the organization's infrastructure requirements
  • Dedicated resources & clearly assigned responsibilities for the PM process
  • Current technology inventory
    • Effective PM tools must be able to inventory all aspects of the IT infrastructure
43
Critical Elements for Effective Patch Management
  • Identification of relevant vulnerabilities & patches for all system inventory
  • Risk assessment
    • When do I patch and how often?
    • Costs associated with patching some systems versus others
  • Testing
    • Ensuring security patches don't crash complex, enterprise systems
  • Distribution of patches to all users (incl. remote)
    • Not patching certain systems can come back to haunt you
  • Monitoring through network & host vulnerability scanning
44
Recommended Best Practices
  • Use an automated system for analyzing & deploying patches
  • Apply patches on an as-needed basis
  • Use a planned approach, grouping systems by department, location, etc.
  • Patch across all operating systems
  • Develop a solid change control process
  • Thoroughly test all patches before deploying
  • Match test lab & production server configurations
  • Plan for proactive, scheduled maintenance
45
Automated Patch Technology Demonstration
46
(diagram) SCAN: Spyware? Virus? Zero-day? Patch? Policy? then FIX or ISOLATE
51
Never drop Patches again!
  • New layer of simplicity and automation
  • Grouping of Computers
  • Mandatory Patch Policies
  • Hours of Operation
  • Across multiple platforms
  • Agent for Sun Solaris
  • Agent for RedHat Linux
  • Agent for Novell NetWare

55

Proving you got the job done
  • Export to CSV File
  • Patched vs. Not Patched Report
  • Baseline Compliance Report
  • Inventory Audit Report
  • Graphical Network Assessment
  • Network assessment
  • More trend graphs to follow
  • Application Reporting interface
  • Summary level reports from one server
  • Pull data directly from SQL

57
Dealing with Real-World Challenges
58
While You Were Sleeping
  • WAKE ON LAN solution
    • Broadcast the magic packet over UDP
  • Plug-in for product
  • -OR-
  • Magic Packet utility
    • Wake one agent
    • Wake an entire group
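As an added illustration of "broadcast the magic packet over UDP" (example code, not PatchLink's plug-in or Magic Packet utility): the packet is six 0xFF bytes followed by the target MAC repeated sixteen times, sent as a UDP datagram to a broadcast address. Port 9 and the sample group of site broadcast addresses and MACs below are assumptions for the example.

```python
# Added example (not PatchLink's plug-in or Magic Packet utility): build the
# Wake-on-LAN magic packet and broadcast it over UDP.
import re
import socket

def magic_packet(mac: str) -> bytes:
    """Six 0xFF bytes followed by the target's MAC repeated 16 times (102 bytes).
    Accepts 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return b"\xff" * 6 + bytes.fromhex(digits) * 16

def wake(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> int:
    """Wake one agent. Returns the number of bytes sent (102)."""
    packet = magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast, port))

def wake_group(macs_by_subnet: dict, port: int = 9) -> int:
    """Wake an entire group. The limited broadcast 255.255.255.255 never crosses
    a router, so each remote site's MACs are sent to that site's directed
    broadcast address instead."""
    sent = 0
    for broadcast, macs in macs_by_subnet.items():
        for mac in macs:
            sent += wake(mac, broadcast, port)
    return sent

if __name__ == "__main__":
    # Constructed sample group: site broadcast address -> MACs at that site.
    GROUP = {"10.10.255.255": ["00:11:22:33:44:55"],
             "10.20.255.255": ["00-11-22-33-44-66", "001122334477"]}
    print("bytes sent:", wake_group(GROUP))
```

Two practical caveats: the NIC must have Wake-on-LAN enabled in firmware and driver for the packet to do anything, and many routers drop directed broadcasts (a sensible default against amplification attacks), in which case a relay on each subnet, or a unicast to the last-known IP while the ARP entry is still warm, is the fallback.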
59
Setting Policy Owner Automatically
  • Automatically enroll computer(s) in a group
    • By name mask
    • By IP address range
    • Etc.
  • Runs as a service on the PLUS server
  • Assign the correct administrative owner
  • Deploys all required baseline patches
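Automatic enrollment by name mask and IP address range reduces to an ordered rule list where the first matching rule sets the group and owner. The following is an added example in Python (not PatchLink's service); the rules, group names, owners and hostnames are constructed for the example.

```python
# Added example (not PatchLink's enrollment service): auto-enrollment rules
# evaluated in order, first match wins. A rule may match on a hostname mask, an
# IP range, or both (then both must hold).
import fnmatch
import ipaddress

# Constructed sample policy: order matters, most specific rules first.
RULES = [
    {"group": "Servers", "owner": "server-team", "name_mask": "*-SRV??"},
    {"group": "London Desktops", "owner": "lon-admins", "name_mask": "LON-*"},
    {"group": "Berlin Desktops", "owner": "ber-admins",
     "ip_range": ("10.20.0.1", "10.20.255.254")},
    {"group": "Road Warriors", "owner": "helpdesk", "name_mask": "*-LT*",
     "ip_range": ("172.16.0.0", "172.31.255.255")},
]

def matches(rule: dict, hostname: str, ip: str) -> bool:
    """Every criterion present in the rule must hold; masks are case-insensitive."""
    if "name_mask" in rule and not fnmatch.fnmatchcase(hostname.upper(), rule["name_mask"].upper()):
        return False
    if "ip_range" in rule:
        lo, hi = (ipaddress.ip_address(a) for a in rule["ip_range"])
        if not lo <= ipaddress.ip_address(ip) <= hi:
            return False
    return True

def enroll(hostname: str, ip: str, rules: list = RULES) -> tuple:
    """Return (group, owner) of the first matching rule, or ('Unassigned', None)
    so that unmatched machines show up in a report instead of silently getting
    no baseline."""
    for rule in rules:
        if matches(rule, hostname, ip):
            return rule["group"], rule["owner"]
    return "Unassigned", None

if __name__ == "__main__":
    for host, ip in [("LON-SRV01", "10.10.1.5"), ("lon-pc0042", "10.10.3.7"),
                     ("BER-PC0001", "10.20.4.9"), ("NYC-LT0007", "172.20.8.8")]:
        print(host, ip, "->", enroll(host, ip))
```

Rule order is the whole policy: "LON-SRV01" lands in Servers rather than London Desktops only because the server rule comes first, and a host that matches nothing is reported as Unassigned rather than dropped.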
60
Reaching the Road Warriors
  • FASTPATCH solution
    • Locate the best distribution point that is available
      • WINS resolvable
      • TRACERT hop count
      • SCLIENT distance in mSec
  • Service or system task
  • Offers redundancy for WAN distribution
61
Auditing the Enterprise
  • Pull patch reports across multiple PLUS servers
  • Show enterprise wide compliance
  • Customizable report headers, footers
  • Pre-canned reports
  • Extensible RAD project
  • NASA solution for multiple space centers

62
Establishing a Secure Enclave
63
Zero Day Vulnerability No Patch
64
Building a Custom Patch
65
Why PATCHLINK UPDATE?
  1. Works in all network configs; complete heterogeneous support.
  2. Comprehensive point solution. Works in any type of security architecture. Existing scanners, AV, intrusion detection, other security apps & devices co-exist seamlessly. No need to change the base security configuration.
  3. Worms often recur in networks due to offline obstacles. Will automatically and continuously detect, deploy, and disinfect all machines in one pass, whether online or offline.

66
Q&A
Customers: Government, Financial, Large Business, Education
Electronic copy of PPT: Top40.doc
Thousands of Customers - Millions of nodes protected worldwide!