stopping the adobe, apple and java software updater insanity
DESCRIPTION
This presentation by Randy Franklin Smith from Ultimate Windows Security reviews, “Stopping the Adobe, Apple and Java Software Updater Insanity”. He shares tips and caveats for dealing with the most common software updaters from Adobe, Apple and Oracle. But the bottom line is that we all need centralized patch management and he’ll explore the important requirements and architectural issues you should be aware of in this space.TRANSCRIPT
Stopping the Adobe, Apple and Java Software
Updater Insanity
© 2012 Monterey Technology Group Inc.
Brought to you by
Speaker Russ Ernst – Group Product Manager
www.lumension.com
Preview of Key Points
© 2012 Monterey Technology Group Inc.
TrendsStatisticsUpdater problemsCentralized, multi-vendor patch management
Poll
© 2012 Monterey Technology Group Inc.
Which 3rd party vendor tool causes the most trouble in your environment?
Trends
© 2012 Monterey Technology Group Inc.
The risk is in the endpointThe endpoint is the most vulnerableAll endpoints are important – not just high value employees
Trends
© 2012 Monterey Technology Group Inc.
The risk is in the endpointAttackers are focusing on the endpoint
• Duqu• Flame• Stuxnet• RSA• Spearfishing
Trends
© 2012 Monterey Technology Group Inc.
The risk is in the endpointAttackers have the strongest motivators of all
• Politics Asian state sponsored IP Economic data Defense
• Religion• Money
Primarily Eastern Europe Looking for very specific data that can be monetized Once acquired, they’re done
Statistics
© 2012 Monterey Technology Group Inc.
MS Patches compared to Non-MS
Microsoft; 32
Other; 87
Acrobat; 9
Flash; 11Shockwave; 4Java; 5
Ap-ple; 8
Firefox; 50
Trends
© 2012 Monterey Technology Group Inc.
The risk is in the endpointTargeted attacks makes it harder for AV vendors to protect you
Patch speed is increasingly important• Zero day exploits
But that’s hard when you have patches from many vendors and no centralized way to control them
Non-MS Patching
© 2012 Monterey Technology Group Inc.
Each product (not even each vendor) has its own updater
No centralized controlAre updaters installed?Do employees remove or disable them?Do employees allow them to complete?Are patches failing?How up-to-date are patches across the fleet?
Non-MS Patching
© 2012 Monterey Technology Group Inc.
Performance issuesEvery PC downloading updates at the same time
Other issuesOther unwanted software installed
• Ask and Google toolbars
Silent updatesJava
Need I say more?
Non-MS Patching
© 2012 Monterey Technology Group Inc.
How many updaters?Updater for Adobe AirUpdater for Adobe Flash PlayerUpdater for Adobe Reader/AcrobatUpdater for Adobe Shockwave PlayerUpdater for Apple iTunesUpdater for Apple QuickTimeUpdater for Oracle JavaUpdater for Mozilla FirefoxHardware updaters
• Laptop• Mouse• Video
Another development
© 2012 Monterey Technology Group Inc.
Microsoft’s auto-update infrastructure has been compromised already?
How hard would it be to compromise someone elses?
Other facts
© 2012 Monterey Technology Group Inc.
Patches often need to be chainedNot cumulative
Bottom Line
© 2012 Monterey Technology Group Inc.
Need in-house controlled patchingCentralizedMulti-vendorMulti-platform
Tips for the meantime
© 2012 Monterey Technology Group Inc.
Patches may need to be chainedSubscribe to multi-vendor patch update
serviceshttp://leic.lumension.com/
Make sure you know what’s on your networkFree: Lumension Application Scanner Tool
Tips for the meantime
© 2012 Monterey Technology Group Inc.
Familiarize yourself with each vendor/product Update site/blog How they notify; subscribe How their patches usually work Develop a plan for each product that needs regular patching
• Evaluate risk and exposure• Determine testing if any
Some patches can be pushed out If not then you have to hope for the best
• That updater on each PC is doing its job
Follow up with vulnerability scans• Do vulnerability scanners find this?• Free: Lumension Vulnerability Scanner
Bottom Line
© 2012 Monterey Technology Group Inc.
Need in-house controlled patchingCentralizedMulti-vendorMulti-platform
Brought to you by
Speaker Russ Ernst – Group Product Manager
www.lumension.com
•Lumension Endpoint Management and Security Suite is an extensible solution suite that reduces complexity, optimizes TCO, improves visibility and delivers control back to IT.
Streamline Patch Management Across Your Environment
» Reduces Complexity and TCO through effective automation of operational tasks
» Provides Greater Visibility and Into Control Over your network’s endpoints
» Improves Operational Efficiency with a single console to manage multiple functions
» Elevates Security and Compliance Posture through automatic policy enforcement
20
Patch is Core Component of Defense-in-Depth
BlacklistingAs The Core
Zero Day
3rd Party Application
Risk
MalwareAs a
Service
Consumerizationof IT
Defense-N-Depth
Traditional Endpoint Security
Patch & Configuration
Mgmt.
Emerging Endpoint Security Stack
21
SecuritySCAPE 2012: Virtual Event 9/25-9/26/12
22
Register for this FREE virtual event!
»http://www.securityscape2012.com