Secure Your Business: Patch Management Strategy


Upload: chastity-tate

Post on 21-Dec-2015



Secure Your Business

PATCH MANAGEMENT STRATEGY


A risk based approach is key

Risk management process (diagram labels):

> Risk Assessment: Risk Analysis (Risk Identification, Risk Estimation), Risk Evaluation

> Risk Treatment: Risk Avoidance, Risk Optimisation, Risk Transfer, Risk Retention

> Risk Acceptance

> Risk Communication

> Risk Monitoring

Threat   Probability   Impact
1        H             H
2        L             L
3        H             H
4        M             M
5        M             H

Probability
H |       |       | 1, 3
M |       | 4     | 5
L | 2     |       |
  +-------+-------+-------
    L       M       H       Impact

[Chart: Risk x Treatment 1, 2, 3, 4 ... n; cost axis in EURO; treatments T1, T2, T3, T4 ... Tn]


Some sources of risk

> Sources of risk where patch management could be an important building block to reduce them:

> OS vulnerabilities

> Complex viruses/worms

> Exploits

> Spam

> Spyware

> Blended threats such as Nimda, Goner, SQL Slammer and Code Red have become increasingly common

> Perimeter Defences such as firewalls are not enough to ward off these increasingly sophisticated threats


Patch management: 4 steps

> Based on Microsoft Operations Framework (MOF)

> 4 phases defined:

> ASSESS

> IDENTIFY

> EVALUATE and PLAN

> DEPLOY


Step 1: Assess

> Know your computing environment

> OS, Service Pack, HotFix, and Patch levels

> Installed hardware (servers, desktops, laptops)

> End-user experience and knowledge

> IT staff abilities and knowledge

> Determine:

> What you have in your production environment

> What security threats and vulnerabilities you might face

> Whether your organization is prepared to respond to new software updates

> Other MOF-Service Management Functions can interact


Step 1: Assess: an Ongoing Process

> Inventory/discover existing computing assets

> Assess security threats and vulnerabilities

> Determine the best source for information about new software updates

> Assess the existing software distribution infrastructure

> Assess operational effectiveness


Step 1: Assess (cont’d)

> Assess security threats and vulnerabilities

> Apply bulletin information to inventory

> Determine the best source for information about new software updates

> Use notification services to prepare for patch release

> Preparation begins long before Patch Day

> Assess the existing software distribution infrastructure

> Keep a record of past experiences/success rates

> Assess operational effectiveness

> Are there steps that need to be improved?

> Were there factors that led to failure/that led to success?
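One way to "apply bulletin information to inventory", shown as an added example that is not part of the original slides: each inventory record carries the OS, service pack and hotfix levels listed under Step 1, and one bulletin is matched against them. The host names, KB numbers, record layout and bucket names are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Asset:
    host: str
    os: str
    service_pack: Optional[int]          # None = level not recorded in the inventory
    hotfixes: set = field(default_factory=set)

@dataclass
class Bulletin:
    kb: str                              # update that fixes the issue
    affected: dict                       # OS name -> set of affected service pack levels

# Constructed sample data: host names and KB numbers are placeholders.
INVENTORY = [
    Asset("srv-db01", "Windows Server 2003", 1, {"KB000001"}),
    Asset("srv-web01", "Windows Server 2003", 1, {"KB000001", "KB000002"}),
    Asset("wks-014", "Windows XP", 2),
    Asset("lap-007", "Windows XP", 3),
    Asset("lap-021", "Windows XP", None),
]
BULLETIN = Bulletin("KB000002", {"Windows Server 2003": {0, 1}, "Windows XP": {2}})

def assess(inventory, bulletin):
    """Sort hosts into buckets for one bulletin."""
    buckets = {"needs_update": [], "already_patched": [], "not_affected": [], "verify": []}
    for asset in inventory:
        affected_sps = bulletin.affected.get(asset.os)
        if affected_sps is None:
            buckets["not_affected"].append(asset.host)
        elif bulletin.kb in asset.hotfixes:
            buckets["already_patched"].append(asset.host)
        elif asset.service_pack is None:
            # Incomplete inventory record: do not assume the host is safe.
            buckets["verify"].append(asset.host)
        elif asset.service_pack in affected_sps:
            buckets["needs_update"].append(asset.host)
        else:
            buckets["not_affected"].append(asset.host)
    return buckets

if __name__ == "__main__":
    for bucket, hosts in assess(INVENTORY, BULLETIN).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The "verify" bucket is the part worth keeping in any real implementation: a host with an incomplete inventory record is a gap in the Assess step, not a host that needs no update.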


Step 2: Identify

> Goals:

> Discover new software updates in a reliable way

> Determine whether they are relevant to your production environment

> Determine whether an update represents a normal or emergency change

> Determine the applicability of a software update to your IT infrastructure:

> Reading security bulletins and KB articles

> Reviewing the individual software updates



Step 2: Identify

> Decide When to Apply the Software Update

> Low, Medium, Important, Critical?

> Exploited in the wild?

> Applies to the production environment?

> Testing

> Confirm source files

> Deployability

> Installation options
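The three questions under "Decide When to Apply the Software Update" can be turned into a repeatable triage rule. The following is an added example, not part of the original slides; the rule that separates an emergency change from a normal one is an assumed policy, and the update identifiers and field names are constructed.

```python
# Severity ratings as listed on the slide, lowest to highest.
SEVERITY_RANK = {"Low": 0, "Medium": 1, "Important": 2, "Critical": 3}

# Constructed sample updates (hypothetical identifiers and field names).
UPDATES = [
    {"id": "UPD-A", "severity": "Critical", "exploited_in_wild": True, "applies_to_production": True},
    {"id": "UPD-B", "severity": "Important", "exploited_in_wild": False, "applies_to_production": True},
    {"id": "UPD-C", "severity": "Critical", "exploited_in_wild": True, "applies_to_production": False},
    {"id": "UPD-D", "severity": "Low", "exploited_in_wild": True, "applies_to_production": True},
    {"id": "UPD-E", "severity": "Critical", "exploited_in_wild": False, "applies_to_production": True},
]

def change_type(update):
    """Classify one update as 'not applicable', 'normal' or 'emergency'."""
    rank = SEVERITY_RANK.get(update["severity"])
    if rank is None:
        # An unrated update must be looked at by a person, not defaulted to Low.
        raise ValueError(f"unknown severity rating: {update['severity']!r}")
    if not update["applies_to_production"]:
        return "not applicable"
    # Assumed policy: emergency = exploited in the wild AND rated Important or Critical.
    if update["exploited_in_wild"] and rank >= SEVERITY_RANK["Important"]:
        return "emergency"
    return "normal"

def release_queue(updates):
    """Order applicable updates: emergency first, then by severity, exploited first."""
    classified = [(u, change_type(u)) for u in updates]
    applicable = [(u, c) for u, c in classified if c != "not applicable"]
    applicable.sort(key=lambda uc: (uc[1] != "emergency",
                                    -SEVERITY_RANK[uc[0]["severity"]],
                                    not uc[0]["exploited_in_wild"]))
    return [(u["id"], c) for u, c in applicable]

if __name__ == "__main__":
    for update_id, kind in release_queue(UPDATES):
        print(f"{update_id}: {kind} change")
```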


Step 3: Evaluate and Plan

> Goals:

> Make a go/no-go decision to deploy the software update

> Determine what is needed to deploy it

> Test the software update in a production-like environment to confirm that it does not compromise business critical systems and applications

> Goals:

> Get approval for deployment

> Pass to deployment team


Step 3: Evaluate and Plan

> Determine the appropriate response

> Categorize software deployment


Step 3: Evaluate and Plan

> Plan the release of the software update

> Determine what needs to be patched

> Identify the key issues and constraints

> Build the release plan

> Emergency change request

> Build the release

> SMS 2003 package creation

> The Distribute Software Updates Wizard eliminates much of the work that would traditionally be required to deploy a software update using SMS 2003

> Conduct acceptance testing of the release


Step 3: Evaluate and Plan

> Conduct acceptance testing of the release

> Once installation is complete, the computer should reboot as it is designed to.

> Software update works across slow/unreliable connections.

> Software update is supplied with an uninstall routine -- and it works!

> Business-critical systems and services continue to run once the software update has been installed.


Step 4: Deploy

> Goals

> Successfully roll out the approved software update into your production environment

> Meet all of the requirements of any deployment service level agreements (SLAs) you have in place


Step 4: Deploy overview

> Deployment preparation

> Communicating rollout schedule to the organization

> Importing programs and advertisements from test environment

> Assigning distribution points

> Staging updates on distribution points

> Selecting deployment groups


Step 4: Deploy: post implementation

> Post-Implementation Review

> Ensure that the vulnerabilities are added to your vulnerability scanning reports and security policy standards so the attack does not have an opportunity to recur

> Ensure that your build images have been updated to include the latest software updates following the deployment

> Discuss planned versus actual results and discuss the risks associated with the release

> Review your organization’s performance throughout the incident. Improve your response plan and include lessons learned.

> Discuss changes to your service windows.

> Assess the total incident damage and cost—both downtime costs and recovery costs.


More information?

http://www.telindus.be/Products+and+Services/Security/

http://www.microsoft.com/MOF

http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx


Questions?

HTTP://WWW.TELINDUS.BE


Thank you for your attention
