Criticality of Accurate Detection in the Automated Patch Management Process Chris Andrew VP Product Management
Agenda • Hackers Turn Up the Heat • What Is Automated Patch Detection? • Accurate Patch Detection Exists • Best Practices in Automated Patch Management • Technology Demonstration • Dealing with Real-World Challenges • Q&A
Failed Windows XP Upgrade Downs 60,000 UK Government PCs
http://www.eweek.com/article2/0,1759,1732672,00.asp
By John Lettice / The Register - special to eWEEK.com

Most of the desktop computers in the UK's Department for Work and Pensions were paralyzed for four days on Monday, when a failed upgrade took them offline. The outage, covering 75 percent to 80 percent of the DWP's 80,000 PCs, is one of the largest in the UK government's not entirely impressive IT history. And possibly one of the most costly.

According to staff reports, the outage occurred on Monday afternoon, disconnecting staff e-mail, benefits processing, and Internet and intranet connectivity. According to one, a limited network upgrade from Windows 2000 to Windows XP was taking place, but instead of this taking place on only a small number of the target machines, all the clients connected to the network received a partial, but fatal, "upgrade."

Another source says that the DWP was trialing Windows XP on a small number ("about seven") of machines. "EDS was going to apply a patch to these. Unfortunately the request was made to apply it live and it was rolled out across the estate, which hit around 80 percent of the Win2K desktops. This patch caused the desktops to BSOD and made recovery rather tricky as they couldn't boot to pick any further patches or recalls. I gather that [Microsoft Corp.] consultants have been flown in from the U.S. to clear up the mess." EDS is also thought to be flying in fire brigades.

If these claims are true, the DWP could face grave difficulties in rolling all of its machines back to their previous, working state. Staff from Microsoft and EDS are reported to have been working around the clock to dig the department out of the pit, while speaking on the "Today" program Friday morning, a spokeswoman amusingly insisted that the department's systems had not in fact fallen over. They were working; it was merely the case that "80 percent of desktop computers are not connecting through to the mainframe systems." So that's cleared that up then. She added that the emergency payments system was "working perfectly."

The emergency system appears to have kicked in on Wednesday, and the department was preparing a press release on the matter Thursday. There was no sign of it when this story was published. Reports coming in on Friday however suggest that at least some of the DWP's systems are coming back online.
Current Climate in Vulnerability Management
Q: Rate the relative risk of the following: (survey chart not reproduced)
Note: Rating is on a scale of 1 – 5 where 1 is “not at all important” and 5 is “extremely important”
Base = 1,378 – 1,394
Data: Secure Enterprise Security Deployment Survey, October 2004
Current Climate in Vulnerability Management
• The age of zero-day exploits is upon us… only worse
• Slammer: patch to exploit, 6 months
• Welchia: patch to exploit, 26 days
• Sasser: patch to exploit, 11 days
• ADODB stream: exploit in the wild for weeks prior to patch, months for an effective patch
• JPEG processor exploit
• NetDDE exploits are in the wild
• Many exploits are known for months before a patch is available
Current Climate in Vulnerability Management Most InfoSec Organizations are Overwhelmed Base = 1,395 Data: Secure Enterprise Security Deployment Survey, October 2004
Patch Management – Mitigating Risk (diagram)
Network-related security risks: lost revenue; criminal/statutory fines and penalties; service level; legal liability; shareholder/customer confidence; competition.
Enterprise network vulnerabilities: intrusion; incorrect / unauthorized configurations; reliability; unauthorized services / software / content.
PatchLink’s “3D” Patch & Vulnerability Approach:
• Detect – configuration status, unauthorized elements
• Deploy – immediate remediation, administrative control
• Defend – continuously monitor, automated response, professional services
Patch Management Market Drivers (chart: CERT Coordination Center reported incidents, in thousands)
• Increasing security “incidents”
• Steady growth from 2000 to 2003
• Increasing patch counts, including apps
• Microsoft has released roughly 1.38 patches per week since January 2002, all products included
• Incomplete patch deployments
• Over 90% of the security exploits are carried out through vulnerabilities for which there are known patches.
• Poor processes
• During a 6-12 month period, approximately 20% of machines become “unpatched”
• Not addressed by software giants
• < 5% of organizations have a “satisfactory automated patch management solution”
Sources: Microsoft and CERT Coordination Center data
The “Problem” with Patching
Key factors that create patching obstacles:
• Limited time to satisfactorily test patches & inability to keep up with the pace of current attacks
• Complex, heterogeneous networks & remote users
• Philosophical opposition to patching & to how often it is done
• Lack of security practices & standards
• No sense of urgency
• Belief that firewalls & anti-virus are enough
• “It’s the software company’s problem”
Important Reminder… Patch Management is NOT a task! It is an ongoing, necessary vulnerability management process that requires rigorous testing & continuous auditing to establish baseline security policies.
• “Most administrators [are] unable to keep pace with the barrage of security alerts coming out at the pace of about one every two to three days.”
• “Automation is the only effective solution.”
• ~David Tschanz, MCP Magazine, August 2003
Rolling Your Own Remediation
• Every business runs something special
• In-house custom-developed software
• Legacy applications
• Not generally used
• May need pre-release or private patches
• Microsoft early release and BETA software
• Specific pre-release fixes given by vendor(s)
• Company-specific anti-patches
• Get rid of stuff you DON’T want! KaZaA, AV, MP3
Now you can patch or uninstall anything with PDK…
Types of Patches
• Detection Patch
• Name must start with “Detect …”
• Establishes existence of a given product version
• Impact = Critical
• Software / Hardware Patch
• Version-specific patch; a Detect patch is its pre-requisite
• Impact = Critical through Informational
• Software Installation / Removal
• Indicate the OS that it works on
• Impact = Software
The Pre-requisite Tree (diagram)
Detect Windows 2000
  Detect Service Pack 2
    MS02-020 …
  Detect Service Pack 3
    MS03-007, MS03-026 …
Detect WinZip …
Detect Office 2000 …
What Info Is In A Patch • Report Properties • Basic information, vendor URLs, ID, hyperlinks • Patch Signature(s) • Registry fingerprint • File fingerprint • Patch Package(s) • Content files and directories • Package scripting
Report Properties • Title - Generic name • Identifier - Vendor Q# or id • Release Date - Original vendor ship • Hyperlink - URL for more info • Vendor - Original Author • Impact - Critical, Software, etc • Status - Beta, Active, etc • Description - 3000 character limit
Patch Signature
• A signature uniquely identifies ONE patch
• Usually requires multiple fingerprints
• May also pre-req a “Detect” signature
• File properties: inspection or use a tool
• Registry information: RegSpy or inspection
• BOOLEAN result
• TRUE => computer has the patch
• Always one package per signature
• The package is the “fix” for not having the patch
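The signature logic on this slide and the pre-requisite tree two slides back, as an added worked example (not PatchLink’s code): a signature is a set of file/registry fingerprints ANDed (or ORed) into one boolean, and a patch whose “Detect …” pre-requisite returns FALSE is reported as not applicable rather than missing. The signature names, registry paths, file versions and host inventories are constructed for the example.

```python
from dataclasses import dataclass, field

def version_key(v):
    # Compare file versions numerically, field by field: "5.0.2195.6700" > "5.0.2195.999"
    return tuple(int(p) for p in v.split("."))

@dataclass
class Fingerprint:
    kind: str     # "file": patched if installed version >= expect; "registry": exact value match
    path: str
    expect: str

    def matches(self, host):
        if self.kind == "file":
            actual = host["files"].get(self.path)
            return actual is not None and version_key(actual) >= version_key(self.expect)
        return host["registry"].get(self.path) == self.expect

@dataclass
class Signature:
    prereqs: list = field(default_factory=list)     # names of "Detect ..." signatures
    fingerprints: list = field(default_factory=list)
    require_all: bool = True                        # AND of fingerprints, else OR

def evaluate(name, sigs, host):
    """One signature on one host: 'not applicable', 'patched' or 'missing'."""
    sig = sigs[name]
    for p in sig.prereqs:
        if evaluate(p, sigs, host) != "patched":    # prerequisite Detect returned FALSE,
            return "not applicable"                 # so the patch is not "missing" here
    hits = [fp.matches(host) for fp in sig.fingerprints]
    return "patched" if (all(hits) if sig.require_all else any(hits)) else "missing"
# Constructed signatures: the registry paths and the file version are illustrative only.
CURVER = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentVersion"
CSD = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion"
RPCSS = r"%SystemRoot%\system32\rpcss.dll"
SIGS = {
    "Detect Windows 2000": Signature(fingerprints=[Fingerprint("registry", CURVER, "5.0")]),
    "Detect Service Pack 3": Signature(["Detect Windows 2000"], [Fingerprint("registry", CSD, "Service Pack 3")]),
    "MS03-026": Signature(["Detect Service Pack 3"], [Fingerprint("file", RPCSS, "5.0.2195.6700")]),
}
# Constructed host inventories, as a scan of each machine might return them.
HOSTS = {
    "w2k-sp3-old": {"registry": {CURVER: "5.0", CSD: "Service Pack 3"}, "files": {RPCSS: "5.0.2195.6100"}},
    "w2k-sp3-new": {"registry": {CURVER: "5.0", CSD: "Service Pack 3"}, "files": {RPCSS: "5.0.2195.6700"}},
    "xp-sp1": {"registry": {CURVER: "5.1", CSD: "Service Pack 1"}, "files": {RPCSS: "5.1.2600.1000"}},
}

def report(name):
    return {h: evaluate(name, SIGS, inv) for h, inv in HOSTS.items()}
```

`report("MS03-026")` classifies the first host as missing the patch, the second as patched, and the XP host as not applicable; note that comparing the version strings lexically would rank 5.0.2195.999 above 5.0.2195.6700.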
Patch Package • Quickly Add Content • Drag & Drop from your desktop • Move to a macro directory (eg: %TEMP%) • EXEs, Setup Program files, data, etc… • Scripting Options • VBS … most commonly used • JavaScript • Command Line • Working Directory • Place where the script or program is run from
Sequence of Patch Delivery • Pre-Script Executes • Used to cleanup the target computer • Rarely used by PatchLink • All files downloaded via HTTP • Files are copied to target location • Command Line Executes • Use if you’re a BAT file aficionado • Post-Script Executes • Install the patch, prompt the user, etc.
Patch Testing 101 • Build an Update Server for TESTING! • Run just YOUR patch report • DAGENT scan will be considerably faster • Turn debugging ON at the agent • See any / all errors in your signature(s) • Test Detect XYZ first • Needs to return TRUE/FALSE correctly! • Validate your VBS script before using • If it doesn’t work at a cmd line…
Fingerprint Types • File Information • Most common fingerprint type • Registry Information • Windows only fingerprint • System Information • Patch Version • Expression • Used primarily with UNIX
How to Fingerprint • Determine your fingerprint using: • REGSPY • SnapShot Utility • Rational tools • Vendor documentation • Etc. • Build a good basic OS image • Quick and easy to recreate • Always starting “fresh” again…
Recipe Card
• Determine the fingerprint for the detection patch
• Create your Detect Patch
• Verify the Detect Patch operates correctly
• Hide the Detect Patch => SAVE YOUR PATCH !!!
• Determine the fingerprint for the update patch
• Create your Patch, with the Detect Patch as pre-req
• Test on both a patched and a not-patched system => SAVE YOUR PATCH !!!
TEST, TEST …. & TEST AGAIN
Common Pitfalls • Win9X / WinNT differences • Registry key differences • File location differences • Multiple Pre-requisites • May need A and B or C • Consider using an expression • Didn’t wait for detection to finish… • Strip out as many reports as possible!
Deploying Patches
• The CORRECT approach…
• locate only the systems that need the patch
• test on the control group first
• then in limited production
• then roll out en masse
• finally enforce using a policy
• When an emergency strikes, is it OK to push?
• avoid red tape when needed
• Reporting & patch management
• audit all parts of the organization
• security team establishes quarterly baselines
• management team tracks to 100% patch completion
Patch Management Process (diagram)
• Research: subscriptions (vendors, newsgroups, web searches, vendor associations, CERT/NIST etc.); preliminary assessment; investigate; assess impact; dependencies; identify targets; H/W and S/W requirements
• Plan: schedule; resources; personnel; develop scripts; develop test plan
• Test: configure; install; test and validate; verify requirements
• Pilot: repeat x times: login, copy, install, reboot, verify, test; support
• Rollout: repeat y times: login, copy, install, reboot, verify, test
• Monitor: enforce/validate
Centralized Approach
• Simple one-server design
• Cache acceleration
Diagram: one server in Rancho Cordova, CA serves London, Berlin and Alpharetta, GA over the WAN, with a $500 cache (or an existing cache) at each remote site.
Decentralized Approach
• One server at each site
• Reports pulled across sites
• Admin page links it all up…
Diagram: servers in Rancho Cordova, CA, Berlin, London and Alpharetta, GA, connected over the WAN.
Critical Elements for Effective Patch Management • Senior executive support • Protecting infotech assets must be management priority • Standardized patch management policies, procedures, & tools • Develop PM policies and use tools that meet organizations’ infrastructure requirements • Dedicated resources & clearly assigned responsibilities to PM process • Current technology inventory • Effective PM tools must be able to inventory all aspects of IT infrastructure
Critical Elements for Effective Patch Management
• Identification of relevant vulnerabilities & patches for all systems in inventory
• Risk assessment
• When do I patch and how often?
• Costs associated with patching some systems versus others
• Testing
• Ensuring security patches don’t crash complex enterprise systems
• Distribution of patches to all users (incl. remote)
• Not patching certain systems can come back to haunt you
• Monitoring through network & host vulnerability scanning
Recommended Best Practices • Use an automated system for analyzing & deploying patches • Apply patches on an “as needed” basis • Use a planned approach, grouping systems by department, location, etc. • Patch across all operating systems • Develop a solid change control process • Thoroughly test all patches before deploying • Match test lab & production server configurations • Plan for proactive, scheduled maintenance
Closing diagram: SCAN, ISOLATE, FIX, against the questions Spyware? Virus? Zero-day? Policy? Patch?